Am 08.11.2005 um 13:37 schrieb Cees De Groot:

> Martin Kobetic pointed out that my usage of RC4 wasn't safe. I quote:
>
> "It's nice and simple, but it violates one important rule. Never ever
> reuse a key with a stream cipher. Otherwise xoring two ciphertexts  
> will
> eliminate the keystream and yield a simple xor of two plaintexts,  
> which,
> depending on how unlucky you are, is anywere from trivial to  
> reasonably
> simple to break. Either way nowhere near the difficulty of breaking  
> SHA1
>  or RC4."
>
> The current version, now also on SqueakMap, should fix this by adding
> a random seed to the password before its use. A tests shows that
> encrypting the same data with the same password multiple times results
> in different cyphertext.
>
> The API is the same so my Seaside and MC patches are still valid. Old
> keyrings are upgraded when rewritten.
>
> The only todo I can think off at this point is to make the location of
> the external file configurable, so you can stuff it on a USB key (an
> excellent suggestion, Chris!).

Well, given that I doubt this is in widespread use already - how  
sensible is it to support two versions of the keything file? I'd  
rather keep it as simple as possible, which is a good thumb rule for  
security analysis anyway.

Also, it's not really extensible - suppose I wanted to store the  
passwords using my OS's password vault instead, how would I do that?  
Or do you think we need a separate password manager registry thing  
which would delegate the password request to Keything or something else?

Btw, what's the API on other OSes like for retrieving passwords? Mac  
OS X has special means for "Internet passwords" specified by  
(partial) URLs, or "generic passwords" using an opaque string for  
identification.

- Bert -