Bug 120843
Summary: | Clear key storage is security problem | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Sepehr <skiani> |
Component: | kernel | Assignee: | Arjan van de Ven <arjanv> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 1 | CC: | alan, redhat-bugzilla |
Target Milestone: | --- | Keywords: | Security |
Hardware: | All | | |
OS: | Linux | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Last Closed: | 2004-05-03 00:56:26 UTC | Type: | --- |
Description
Sepehr
2004-04-14 14:10:46 UTC
If you're root, you'll always be able to get it. Not true!! If you do one-way encryption like the /etc/passwd file it is very secure. Look at: http://www.hack.gr/users/atlantis/unixpasswd.html

WEP keys need to be kept even more secure than you do passwords. You may want to read: http://wepcrack.sourceforge.net/ http://airsnort.shmoo.com/

OK, so WEP has problems. That's not the point. No security system is perfect, only a set of barriers to prevent inadvertent breaches or to slow down attackers. If it takes a day or two of sniffing to hack the WEP code, that is a barrier. Besides, as the wifi security standards improved, wouldn't you want to have laid the foundation for that to sit on? Instead of throwing up your arms and saying, well, there is no point since it has been hacked? I'm noting that Red Hat is wasting its time having this page on an https site since that can be cracked too.

Back to my main point. I'm in a real corporate environment (6000 employees) and clear text key storage is not acceptable to the IT department. I would assume the same for many others.

Assigning to kernel, then.

root will easily be able to get a plaintext key without kernel changes.

Please read the documentation about how WEP works. It needs the key in the clear to do encryption in the first place. No OS keeps WEP keys somehow magically safe. The only stuff that uses smart cards I know doesn't use WEP.
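Added example, not part of the bug thread or of any Fedora code: a sketch of the difference the thread turns on, where a password check only compares hashes while WEP keys RC4 with IV || key, so the client must hold the key itself. The key, IV, payload, salt and password are constructed sample values, and SHA-256 stands in for the crypt(3) hash used in /etc/passwd.

```python
import hashlib
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """WEP body: RC4 keyed with IV || key over payload || CRC-32 ICV."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return rc4(iv + key, payload + icv)

def wep_decrypt(iv: bytes, key: bytes, body: bytes):
    """Return the payload if the ICV checks out, else None."""
    plain = rc4(iv + key, body)
    payload, icv = plain[:-4], plain[-4:]
    ok = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) == icv
    return payload if ok else None

def verify_password(stored_hash: bytes, salt: bytes, attempt: str) -> bool:
    """Password check: only a comparison is needed, so a one-way hash suffices."""
    return hashlib.sha256(salt + attempt.encode()).digest() == stored_hash

# Constructed sample values, not taken from the bug report.
WEP_KEY = bytes.fromhex("0102030405")        # 40-bit WEP key
IV = bytes.fromhex("aabbcc")                 # 24-bit per-frame IV
FRAME = b"constructed sample payload"
SALT = b"ab"
STORED = hashlib.sha256(SALT + b"hunter2").digest()
# What a client would hold if it kept only a one-way hash of the WEP key:
HASHED_KEY = hashlib.sha256(WEP_KEY).digest()[:5]

if __name__ == "__main__":
    body = wep_encrypt(IV, WEP_KEY, FRAME)
    print("password verified from hash:", verify_password(STORED, SALT, "hunter2"))
    print("decrypt with real key:", wep_decrypt(IV, WEP_KEY, body))
    print("decrypt with hashed key:", wep_decrypt(IV, HASHED_KEY, body))
```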