> 
> 3. Usernames and passwords are encrypted if the user selects "Encrypt
> Sensitive Information". (But forms are not encrypted). The encryption of
> the passwords uses a fixed triple-DES key. The key used for encryption is
> itself encrypted by a 'PBE key' and is stored in key3.db. A PBE key uses a
> password, which is chosen by the user, and would be the user's master
> encryption password.
> 
> 4. To attack key3.db, an attacker would need to
>     - know the user's master encryption password
>     - have access to *.s (the user's password file)
> 
> Are those above correct? If so, I still have some (last) questions and
> problems, as follows:
> Regarding no. 3, so where is the user's master encryption password itself
> stored? In key3.db as well?
> 

The answer to that question is in (3).  The PBE key is generated from 
the "master encryption password", which like all passwords is (or should 
be) stored in the user's head.  It is not physically stored on the 
computer anywhere (unless the user makes the egregious error of keeping 
the password in a text file).  Therefore the strength of the password is 
proportional to the user's ability to choose a strong password and keep 
it a secret.


> 
> Is there any documents about key3.db and cert7.db ?

See http://www.mozilla.org/projects/security/pki/nss/db_formats.html for 
a brief description.

-Ian
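The key hierarchy the two messages above describe, written out as an added example in Go (this is not NSS code and not taken from the thread): a PBE key derived from the master password wraps a 3DES data key, the data key encrypts each saved password, and the master password itself is never written anywhere. The KDF (PBKDF2-HMAC-SHA256 with a random 16-byte salt and 10000 iterations), the HMAC key check used to detect a wrong master password, 3DES in CTR mode with a per-record IV, and the Store layout are all assumptions made for this illustration; they are not key3.db's format or NSS's actual PBE algorithm.

```go
// Added example, not NSS code: a password store with the key hierarchy the thread
// describes. KDF, salt, key-check MAC and record layout are assumptions, not key3.db's.
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Store is what reaches disk, i.e. everything an attacker who copies the files holds; the master password is absent.
type Store struct {
	Salt       []byte            // PBE salt, stored in the clear
	WrappedKey []byte            // 3DES data key encrypted under the PBE key
	KeyCheck   []byte            // HMAC(PBE key, WrappedKey): detects a wrong master password
	Passwords  map[string][]byte // site -> password encrypted under the data key
}

// pbeKey derives the 24-byte 3DES key-encrypting key from the master password:
// PBKDF2-HMAC-SHA256 (RFC 2898 section 5.2); one output block covers the key.
func pbeKey(master string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(master))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index
	u := prf.Sum(nil)
	t := append([]byte{}, u...)
	for n := 1; n < 10000; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:24]
}

// seal encrypts with 3DES in CTR mode under a fresh random IV, which it prepends.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize+len(plaintext))
	if _, err := rand.Read(out[:des.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:des.BlockSize]).XORKeyStream(out[des.BlockSize:], plaintext)
	return out, nil
}

// unseal reverses seal.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil || len(sealed) < des.BlockSize {
		return nil, errors.New("bad key or ciphertext")
	}
	out := make([]byte, len(sealed)-des.BlockSize)
	cipher.NewCTR(block, sealed[:des.BlockSize]).XORKeyStream(out, sealed[des.BlockSize:])
	return out, nil
}

func keyCheck(pbe, wrapped []byte) []byte {
	mac := hmac.New(sha256.New, pbe)
	mac.Write(wrapped)
	return mac.Sum(nil)
}

// NewStore builds the on-disk structure from a master password and plaintext entries.
func NewStore(master string, entries map[string]string) (*Store, error) {
	secrets := make([]byte, 16+24) // salt || random 3DES data key
	if _, err := rand.Read(secrets); err != nil {
		return nil, err
	}
	pbe := pbeKey(master, secrets[:16])
	wrapped, err := seal(pbe, secrets[16:])
	if err != nil {
		return nil, err
	}
	s := &Store{Salt: secrets[:16], WrappedKey: wrapped, KeyCheck: keyCheck(pbe, wrapped), Passwords: map[string][]byte{}}
	for site, pw := range entries {
		if s.Passwords[site], err = seal(secrets[16:], []byte(pw)); err != nil {
			return nil, err
		}
	}
	return s, nil
}

// Unlock re-derives the PBE key and unwraps the data key; a wrong master password fails the key check first.
func Unlock(s *Store, master string) ([]byte, error) {
	pbe := pbeKey(master, s.Salt)
	if !hmac.Equal(keyCheck(pbe, s.WrappedKey), s.KeyCheck) {
		return nil, errors.New("wrong master password")
	}
	return unseal(pbe, s.WrappedKey)
}
```

NewStore produces exactly the material an attacker who copies the database files holds, and Unlock is what the master password buys: with it the data key comes back and every stored entry is one unseal(dataKey, s.Passwords[site]) call away, which is point (4) of the thread in code; without it the key check fails and nothing is decrypted. The offline attack the files alone permit is Unlock in a loop over candidate passwords, one KDF run per guess, which is why the answer above makes the strength of the master password the whole story.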



