
Re: Master passphrase approach, authn storage, cobwebs in C-Mike's head, ...

From: Greg Stein <gstein_at_gmail.com>
Date: Fri, 6 Apr 2012 10:55:17 -0400

On Apr 6, 2012 2:06 AM, "Branko Čibej" <brane_at_apache.org> wrote:
>
> On 06.04.2012 00:38, C. Michael Pilato wrote:
> > I've been also frustrated when considering the situation that occurs when a
> > user changes his/her master password, forcing a re-encryption of all cached
> > credentials using the new password.
>
> You could do what whole-disk encryption systems do: only the encryption
> key is encrypted by the master passphrase, actual data are encrypted by
> that key. This allows different users with different passphrases to
> decrypt the same data, since they only decrypt a wrapped copy of the
> same encryption key.
>
> In other words, changing the master passphrase only requires decrypting
> and re-encrypting one 256-bit encryption key, not the whole credentials
> store.

PBKDF2 is in the current design to make dict attacks computationally
"impossible". Assuming we keep that, then the above value would be fed in
as the secret to PBKDF2, rather than MP or sha1(MP)?

Cheers,
-g
Received on 2012-04-06 16:55:51 CEST
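
The key-wrapping scheme Branko describes in the quoted text, as an added example that is not part of the original mail or of Subversion's code: PBKDF2 turns the master passphrase into a key-encryption key that wraps a random 256-bit data key, so a passphrase change rewrites only the wrapped key. The iteration count, blob layout and function names are assumptions, and the XOR mask and HMAC counter-mode stream are stdlib-only stand-ins for AES key wrap and an AEAD cipher.

```python
import hashlib, hmac, os
ITERATIONS = 200_000  # assumed work factor; the thread does not give one

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _kek(passphrase, salt):
    # One PBKDF2-HMAC-SHA512 block = 64 bytes: 32 mask the data key, 32 MAC the wrap.
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, ITERATIONS, dklen=64)

def wrap_key(passphrase, data_key):
    if len(data_key) != 32:
        raise ValueError("data key must be 256 bits")
    salt = os.urandom(16)  # fresh salt per wrap, so the mask is never reused
    k = _kek(passphrase, salt)
    body = salt + _xor(data_key, k[:32])
    return body + _mac(k[32:], body)

def unwrap_key(passphrase, blob):
    body, tag = blob[:48], blob[48:]
    k = _kek(passphrase, body[:16])
    if not hmac.compare_digest(tag, _mac(k[32:], body)):
        raise ValueError("wrong passphrase or corrupted wrapped key")
    return _xor(body[16:], k[:32])

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stand-in keystream, not a production cipher.
    blocks = (_mac(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(data_key, plaintext):
    enc, auth = _mac(data_key, b"enc"), _mac(data_key, b"auth")  # separate subkeys
    nonce = os.urandom(16)
    body = nonce + _xor(plaintext, _stream(enc, nonce, len(plaintext)))
    return body + _mac(auth, body)

def unseal(data_key, record):
    enc, auth = _mac(data_key, b"enc"), _mac(data_key, b"auth")
    body, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, _mac(auth, body)):
        raise ValueError("credential record failed authentication")
    return _xor(body[16:], _stream(enc, body[:16], len(body) - 16))

def change_passphrase(old, new, wrapped):
    # Only the 80-byte wrapped key is rewritten; sealed credential records stay as they are.
    return wrap_key(new, unwrap_key(old, wrapped))
```

Records sealed before a passphrase change still open afterwards because the data key itself never changes; only its wrapped copy does.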

This is an archived mail posted to the Subversion Dev mailing list.