It almost certainly works by attacking the key3.db. If it works in any other way, then 
there is something seriously flawed with the SDR code. The weak link in this case is 
the choice of password for key3.db. Since humans tend to pick a finite (small) number 
of possible passwords, it's much easier to try to guess the password they picked and 
test that than it is to test every possible DES3 key combination.

Jas wrote on Mon, 10 May 04, 8:37 PM: 
> "Robert Relyea" <[EMAIL PROTECTED]> wrote: 
> 
> > If the passwords in xxxxxxx.s were encrypted (not obscured), then the 
> > data is lost (unless you have a way of attacking DES3). The
> > passwords are encrypted with a fixed random key, which is itself
> > encrypted with the master password and stored in key3.db. This
> > prevents offline attacks against just the .s files. 
> > 
> > bob 
> 
> Any chance of explaining the idea of attacking DES3? I've seen that there's 
> an expensive piece of software out there that claims to do a dictionary
> attack on encrypted .s files, but I can't tell if that requires a good 
> key3.db, and it's only for people who've forgotten their passwords. I'm 
> lucky in that I'd actually just printed out all of my usernames and 
> passwords using the new Mozilla password reveal feature. Might be a lot of 
> hand re-entering. Thanks. 

If you are ambitious you could write a program that uses the SDR utility (or library) 
to take your decrypted output and produce new .s files with the passwords encrypted 
with your new SDR key. 

One feature we seem to be missing is the ability to back up your SDR key.

bob 
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
