Pwmd version 3.0.15 released

This version fixes a couple important security issues. Please change your passphrase for all non-gpg-agent data files. Note that after doing this the data file will not be compatible with previous versions of pwmd.

Download it here.

Pwmd and cipher iterations

I’m going to change how pwmd 3.0.x handles the “SAVE --cipher-iterations” command. Rather than make the parameter a count of the number of times to encrypt the XML data, it will be more like OpenPGP and to use it as the number of times to re-hash the passphrase that is used to encrypt the XML data.

Since the XML data is always encrypted using a 256-bit cipher key derived from the hash function, no matter the cipher, then it makes sense to spend time hashing the passphrase rather than encrypting the XML data.

The way it is now in pwmd 3.0.x is that an attacker could brute force the passphrase by taking the salt which is stored in the data file header and rehash a dictionary word the default number of times (1000 as it is) then test the hash against the generated hash at attack runtime. An attack like this is unlikely as far as I understand, but this attack may be much quicker than brute forcing the (hashed) 256-bit cipher key used to encrypt the XML even when there are no XML cipher iterations.

Advertisement

Pwmd OpenPGP status update

OpenPGP support in pwmd is working but there are a few things to do before making a release. For details please see this pwmd-devel post.

QPwmc version 0.3.2 released

This version requires Pwmd 3.0.14 do to ACL changes and LIST command updates. It also contains a couple DnD validation fixes.

Note that the git repository has changed to Gitlab.com.

Download it here.

Pwmd version 3.0.14 released

This version contains additional ACL features and fixes, requires GnuTLS >= 3.0.0 when –enable-gnutls is passed to configure, fixes a couple LIST command bugs and fixes bulding for Android. Read the NEWS for details.

Download it here.