
Re: Credentials held unencrypted in memory during runtime

From: David Huang <khym_at_azeotrope.org>
Date: Tue, 12 Apr 2011 18:54:28 -0500

On Apr 12, 2011, at 6:17 PM, Ron Wilson wrote:

> On Tue, Apr 12, 2011 at 4:29 PM, David Huang <khym_at_azeotrope.org> wrote:
>> Then you said that this meant that SVN's password saving wasn't implemented
>> correctly.
> It was implied that the only thing needed to decode the cache was to
> look at the source code. That implies that the key is fixed, easily
> regenerated or easy to find, or that the algorithm is extremely weak.

Well, then we're back to Stefan's question of how you think it could be improved. Earlier, you had suggested using a session key that perhaps could last through the work day, but I assume that means you'd need to reauthenticate when the session expired, so that's not going to work.

How are you going to encrypt a password so that SVN can decrypt it whenever it needs to, but another process can't do the same thing? SVN isn't any sort of privileged process; if it can get access to the decryption key, so can some other random process. Unless you go with some sort of executable-signing system where you *can* give SVN special privs to access its password store while keeping other processes out, but that's handled at the OS level, and is not something SVN needs to do.

As Stefan mentioned earlier, SVN uses the Windows CryptProtectData() function to encrypt passwords. The key is not fixed--it's apparently somehow based on the Windows login credentials. It is, however, easily regenerated--any process running under the same Windows login can call CryptUnprotectData(). The algorithm probably isn't extremely weak, although the algorithm used doesn't seem to be documented. So how do you propose to make the key something that's not easily regenerated?

This whole thing sounds like trying to find a problem where there is none. As others have mentioned, if an intruder can read your page file, or your hard disk, or has admin privileges, you have much bigger things to worry about already.


Received on 2011-04-13 01:54:46 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
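The point David makes about CryptProtectData() can be checked directly. The script below is an added example, not code from the mailing-list post or from Subversion; it uses the .NET wrapper for CryptProtectData/CryptUnprotectData, assumes Windows PowerShell on a Windows logon, and works only on constructed sample data. It shows the same logon recovering a plain user-scope blob, DPAPI refusing a blob when the optional entropy is withheld, and the same user succeeding once that entropy is supplied, which is why entropy only moves the problem rather than solving it.

```powershell
# Added example (not from the post): DPAPI round trip via the .NET wrapper for
# CryptProtectData/CryptUnprotectData. All secrets below are constructed samples.
Add-Type -AssemblyName System.Security

function Protect-Bytes {
    param([byte[]]$Plain, $Entropy, [System.Security.Cryptography.DataProtectionScope]$Scope)
    [System.Security.Cryptography.ProtectedData]::Protect($Plain, $Entropy, $Scope)
}

function Unprotect-Bytes {
    param([byte[]]$Blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]$Scope)
    try {
        [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        $null   # different logon, wrong scope or missing entropy: DPAPI refuses to decrypt
    }
}

$secret  = [Text.Encoding]::UTF8.GetBytes('constructed-sample-password')
$entropy = [Text.Encoding]::UTF8.GetBytes('constructed-app-entropy')
$user    = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# 1. User-scope protection with no entropy: the key is derived from the Windows
#    logon, so any code running under this same logon (this script included) gets it back.
$blob = Protect-Bytes -Plain $secret -Entropy $null -Scope $user
$back = Unprotect-Bytes -Blob $blob -Entropy $null -Scope $user
"Same logon, no entropy:       " + [Text.Encoding]::UTF8.GetString($back)

# 2. Optional entropy mixes a second secret into the key; without it DPAPI refuses
#    the blob even for the same logon.
$blob2 = Protect-Bytes -Plain $secret -Entropy $entropy -Scope $user
$fail  = Unprotect-Bytes -Blob $blob2 -Entropy $null -Scope $user
"Same logon, entropy withheld: " + $(if ($null -eq $fail) { 'refused' } else { 'decrypted' })

# 3. But the application must keep that entropy somewhere it can read it, and
#    whatever the application can read, another process under the same logon can read.
$ok = Unprotect-Bytes -Blob $blob2 -Entropy $entropy -Scope $user
"Same logon, entropy supplied: " + [Text.Encoding]::UTF8.GetString($ok)
```

Run it as an ordinary user to see all three cases; the only boundary DPAPI enforces on its own is the logon (or the machine, with the LocalMachine scope), not the calling executable.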