Bug 120843 – Clear key storage is security problem

Bug 120843 - Clear key storage is security problem

Summary:	Clear key storage is security problem

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	kernel (Show other bugs)
Sub Component:
Version:	1
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Arjan van de Ven
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2004-04-14 10:10 EDT by Sepehr
Modified:	2007-11-30 17:10 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2004-05-02 20:56:26 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sepehr 2004-04-14 10:10:46 EDT

Description of problem:
I filed a bug under the redhat-config-network but rejected because it
appears to belong here (see issue 20731). Basically our corporate
systems person refuses to setup my wireless because as he puts it she
puts it she could lose her job. Main reason is that the wep key is a
highly guarded code here. If they set up my laptop I can see the key
just by opening any of the wireless network configuration utiltities
or just running iwconfig as root. Since root access is required for me
and others to do our work this is a serious security problem.
Therefore, the wep key must be encripted on the system as it is in
other os's.

Comment 1 Bill Nottingham 2004-04-14 15:50:58 EDT

If you're root, you'll always be able to get it.

Comment 2 Sepehr 2004-04-14 16:49:31 EDT

Not true!! If you do one way encription like the /etc/passwd file it
is very secure. Look at:

http://www.hack.gr/users/atlantis/unixpasswd.html

WEP keys need to be kept even more secure than you do passwords.

Comment 3 Bill Nottingham 2004-04-14 17:10:43 EDT

You may want to read:

http://wepcrack.sourceforge.net/

http://airsnort.shmoo.com/

Comment 4 Sepehr 2004-04-15 16:19:06 EDT

OK so wep has problems. That's not the point. No security system is
perfect only a set of barriers to prevent inadvertant breaches or to
slow down attackers. If it takes a day or two of sniffing to hack the
wep code that is a barrier. Besides as the wifi security standards
improved wouldn't you want have laid the foundation for that to sit
on. Instead of throwing up your arms and saying, well there is no
point since it has been hacked? I'm noting that redhat is wasting its
time having this page on a https site since that can be cracked too.

Back to my main point. I'm in a real corporate environment (6000
employees) and clear text key storage is not acceptable by the IT
department. I would assume the same for many others.

Comment 5 Bill Nottingham 2004-04-15 16:31:12 EDT

Assigning to kernel, then.

root will easily be able to get a plaintext key without kernel changes.

Comment 6 Ralf Ertzinger 2004-04-28 12:47:23 EDT

Please read the documentation about how WEP works. It needs the key in
the clear to do encryption in the first place.

Comment 7 Alan Cox 2004-05-02 20:56:03 EDT

No OS keeps WEP keys somehow magically safe. The only stuff that uses
smart cards I know doesn't use WEP.

Note You need to log in before you can comment on or make changes to this bug.