[ANN] Keything
Andreas Raab
andreas.raab at gmx.de
Sun Nov 6 02:28:14 UTC 2005
This looks very nice, thanks!
Cheers,
- Andreas
Cees De Groot wrote:
> http://www.tric.nl/~cg/mc now has a package called 'Keything'. It
> reads and writes an encrypted keyring and nils out the in-memory
> version before a snapshot. It has two API methods and a test, so it
> should be easy enough to integrate into e.g. MC, but also Seaside,
> etcetera (oh, yes - remember that pesky Seaside admin password?).
>
> Security analysis: the in-memory keyring is nil'ed before a snapshot,
> so it's never written out to disk. The on-disk version is encrypted
> (with RC4 - but, hey, if someone is willing to do a brute-force attack
> on your MC password.... You're in serious shit), the encryption key is
> a SHA-1 hash (see comment for RC4 - in fact, the concerns about
> collisions don't hold here anyway). The password is not kept around -
> I was thinking about doing a full GC just after the password was
> entered, but I'm not yet that paranoid.
>
> All in all, should be a safe protocol around good enough algorithms,
> but I'm open to suggestions.
>
> Happy hacking,
>
> Cees
>
>
More information about the Squeak-dev
mailing list
|