GNOME Bugzilla – Bug 656955
Implement GcrSecretExchange
Last modified: 2019-02-22 11:58:40 UTC
GcrSecretExchange is an API which models the method we use for transferring passwords across dbus and other exposed places. We've been doing this in gnome-keyring for some time now and this just exposes it for use elsewhere.

I want to use this to implement the Gnome Keyring DBus Prompting API. See bug #656954.

We use DH and AES to keep passwords safe going through exposed places. This is not safe against active attacks like MITM, but does solve problems with dbus calls, logging, use of pageable memory, and calls through VM type languages with unpredictable memory behavior.

The method uses a single request/response:

1. Caller sets up half of a DH key agreement context, and sends public parameter along with request to the Callee.
2. Callee sets up its half of DH key agreement. Callee completes DH using public parameter from Caller. Callee encrypts password response, and sends the encrypted response, and its public parameter back to Caller.
3. Caller completes DH using public parameter from Callee, and decrypts the password.

This is similar to what's used in the Secret Service API. However in that API we do things in a more persistent way, so that we're not constantly doing DH for each call.
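The three steps above as a runnable sketch, added here as an example; it is not code from the bug report or from gcr. The DH group, the SHA-256 key derivation, the message field names and the SHA-256 counter keystream (standing in for AES, which the Python standard library lacks) are all assumptions of this sketch.

```python
import hashlib
import secrets

# Assumed group for this sketch: 1024-bit MODP prime of RFC 2409 (Oakley Group 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES (absent from the standard library): SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class Exchange:
    """One half of the key agreement; Caller and Callee each hold one."""
    def __init__(self):
        self._priv = secrets.randbelow(P - 3) + 2      # private exponent in [2, P-2]
        self.public = pow(G, self._priv, P)

    def _key(self, peer_public: int) -> bytes:
        if not 1 < peer_public < P - 1:                # refuse degenerate public values
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._priv, P)
        return hashlib.sha256(shared.to_bytes(128, "big")).digest()

    def begin(self) -> dict:                           # step 1, Caller
        return {"public": self.public}

    def respond(self, request: dict, secret: bytes) -> dict:   # step 2, Callee
        nonce = secrets.token_bytes(16)
        sealed = stream_xor(self._key(request["public"]), nonce, secret)
        return {"public": self.public, "nonce": nonce, "secret": sealed}

    def receive(self, response: dict) -> bytes:        # step 3, Caller
        key = self._key(response["public"])
        return stream_xor(key, response["nonce"], response["secret"])

def demo(password: bytes = b"constructed-sample-password"):
    """Run the request/response once; return both wire messages and the result."""
    caller, callee = Exchange(), Exchange()
    request = caller.begin()
    response = callee.respond(request, password)
    return request, response, caller.receive(response)
```

Only `request` and `response` cross the channel, so a log of the call holds public values and ciphertext but not the password. Neither message is authenticated, which is the MITM limitation the report states.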
Created attachment 194291
gcr: Implement GcrSecretExchange

 * Class which allows exchanging secrets over an unsecure or logged channel.
 * Does *NOT* protect against active attacks like MITM.

Work needed:
 * Unit tests
 * Perhaps use same object on both sides, so we can keep context.
Completed additional work. Branch available here: http://cgit.collabora.com/git/user/stefw/gnome-keyring.git/log/?h=secret-exchange
Created attachment 194457
Implementation, tests and documentation

Completed patch
This is going to be merged once we branch for Gnome 3.2.
Integrated into gnome-keyring-daemon so that the prompting there uses this secret exchange mechanism. Merged into git master.