[ANN] Keything

Andreas Raab andreas.raab at gmx.de
Sun Nov 6 02:28:14 UTC 2005


This looks very nice, thanks!

Cheers,
   - Andreas

Cees De Groot wrote:
> http://www.tric.nl/~cg/mc now has a package called 'Keything'. It
> reads and writes an encrypted keyring and nils out the in-memory
> version before a snapshot. It has two API methods and a test, so it
> should be easy enough to integrate into e.g. MC, but also Seaside,
> etcetera (oh, yes - remember that pesky Seaside admin password?).
> 
> Security analysis: the in-memory keyring is nil'ed before a snapshot,
> so it's never written out to disk. The on-disk version is encrypted
> (with RC4 - but, hey, if someone is willing to do a brute-force attack
> on your MC password.... You're in serious shit), the encryption key is
> a SHA-1 hash (see comment for RC4 - in fact, the concerns about
> collisions don't hold here anyway). The password is not kept around -
> I was thinking about doing a full GC just after the password was
> entered, but I'm not yet that paranoid.
> 
> All in all, should be a safe protocol around good enough algorithms,
> but I'm open to suggestions.
> 
> Happy hacking,
> 
> Cees
> 
> 
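
The keyring lifecycle described in the quoted announcement, sketched in Python rather than Squeak as an added example; this is not Keything's code or API. `Keyring`, its method names, the JSON serialization and the per-file salt are assumptions of the sketch: the post says only that the cipher is RC4 and the key is a SHA-1 hash, and the salt is added here so that two writes under the same password do not share an RC4 keystream.

```python
import hashlib, json, os

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

class Keyring:
    """Hypothetical stand-in for the keyring; not Keything's API."""
    SALT_LEN = 16

    def __init__(self):
        self.entries = None  # decrypted entries; None while locked

    @staticmethod
    def _key(password: str, salt: bytes) -> bytes:
        # SHA-1 of the password as in the post; the salt is an assumption
        # added here so each write uses a different RC4 keystream.
        return hashlib.sha1(salt + password.encode()).digest()

    def save(self, password: str) -> bytes:
        # The password is used once and not stored on the object.
        salt = os.urandom(self.SALT_LEN)
        plain = json.dumps(self.entries, sort_keys=True).encode()
        return salt + rc4(self._key(password, salt), plain)

    def load(self, blob: bytes, password: str) -> None:
        salt, body = blob[:self.SALT_LEN], blob[self.SALT_LEN:]
        self.entries = json.loads(rc4(self._key(password, salt), body))

    def before_snapshot(self) -> None:
        # Drop the decrypted copy so an image snapshot cannot contain it.
        self.entries = None
```

RC4 carries no integrity check, so in this sketch a wrong password is noticed only because the decrypted bytes fail to parse as JSON (`ValueError`).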




More information about the Squeak-dev mailing list