[ANN] Keything

Ron Teitelbaum Ron at USMedRec.com
Sun Nov 6 02:02:43 UTC 2005


I really enjoyed this post.

Ron Teitelbaum

-----Original Message-----
From: squeak-dev-bounces at lists.squeakfoundation.org
[mailto:squeak-dev-bounces at lists.squeakfoundation.org] On Behalf Of Cees De
Groot
Sent: Saturday, November 05, 2005 2:51 PM
To: The general-purpose Squeak developers list
Subject: [ANN] Keything

http://www.tric.nl/~cg/mc now has a package called 'Keything'. It
reads and writes an encrypted keyring and nils out the in-memory
version before a snapshot. It has two API methods and a test, so it
should be easy enough to integrate into e.g. MC, but also Seaside,
etcetera (oh, yes - remember that pesky Seaside admin password?).

Security analysis: the in-memory keyring is nil'ed before a snapshot,
so it's never written out to disk. The on-disk version is encrypted
(with RC4 - but, hey, if someone is willing to do a brute-force attack
on your MC password.... You're in serious shit), the encryption key is
a SHA-1 hash (see comment for RC4 - in fact, the concerns about
collisions don't hold here anyway). The password is not kept around -
I was thinking about doing a full GC just after the password was
entered, but I'm not yet that paranoid.

All in all, should be a safe protocol around good enough algorithms,
but I'm open to suggestions.

Happy hacking,

Cees
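
A sketch of the scheme as the quoted announcement describes it (an added example, not Keything's code, and in Python rather than Squeak): the SHA-1 hash of the password is the RC4 key, the keyring is encrypted for disk, and the in-memory copy is dropped before a snapshot. The `Keyring` class, its method names and the JSON serialization are assumptions; the post does not show Keything's API or file format.

```python
import hashlib
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream XORed onto the data
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


class Keyring:
    """Hypothetical stand-in for the keyring in the post (names are assumptions)."""

    def __init__(self):
        self.entries = None                   # in-memory copy; None while locked

    def save(self, password: str) -> bytes:
        key = hashlib.sha1(password.encode()).digest()   # 20-byte RC4 key
        plain = json.dumps(self.entries, sort_keys=True).encode()
        return rc4(key, plain)                # password and key are not stored

    def load(self, blob: bytes, password: str) -> bool:
        key = hashlib.sha1(password.encode()).digest()
        try:
            self.entries = json.loads(rc4(key, blob).decode())
            return True
        except ValueError:                    # wrong password gives undecodable bytes
            self.entries = None
            return False

    def before_snapshot(self):
        self.entries = None                   # drop the reference before the image is saved
```

In this sketch a wrong password is detected only because the decrypted bytes fail to parse; the ciphertext itself carries no check value.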




