User:Minshy99/sandbox

Source: Wikipedia, the free encyclopedia.
KDE Wallet Manager
Developer(s): KDE
Stable release: 21.12.3 (3 March 2022)
Repository: github.com/KDE/kwallet
Written in: Mainly C++ (Qt), some C
Operating system: Cross-platform
Type: Password manager
License: Various LGPL
Website: apps.kde.org/kwalletmanager5/

KDE Wallet Manager (KWallet) is free and open-source password management software written in C++ for Unix-like operating systems. It runs on Linux-based systems, and its main feature is storing passwords in encrypted containers called wallets.[1]

Installation

KDE Wallet Manager (KWallet) requires a Linux-based OS running the KDE Software Compilation desktop environment, as shipped for example by the Kubuntu distribution.[2]

Browser extensions

KDE Wallet Manager (KWallet) can be integrated with various web browsers, including Chrome, Firefox, Opera and Edge. Chromium-based browsers select it as their password store with the --password-store=kwallet5 command-line switch, or detect it automatically from the running desktop.

A standalone add-on is also available for Firefox. It lets the user store passwords in KDE Wallet Manager (KWallet) instead of Firefox's built-in password manager.

Konqueror, KDE's own web browser, uses KDE Wallet Manager (KWallet) to store saved passwords in encrypted form.[3]

Example code to retrieve data from KWallet

The following KDE 3-era example talks to the wallet daemon over DCOP (KDE 4 and later use D-Bus instead). It opens the wallet "test-wallet", selects the "Passwords" folder and reads the entry named "test":[4]

#include <stdio.h>
#include <dcopclient.h>
#include <kwallet.h>

int main()
{
    int rc;
    DCOPClient* dc = new DCOPClient();
    // Register with the DCOP server; without this kwalletd cannot be reached.
    if ( ! dc->attach() )
    {
        fprintf(stderr, "DCOP Attach Failed\n");
        return 16;
    }
    // Synchronous open: kwalletd prompts the user for the wallet password
    // and returns NULL if the user cancels or the open fails.
    KWallet::Wallet* wallet = KWallet::Wallet::openWallet("test-wallet");
    if ( wallet == NULL )
    {
        fprintf( stderr, "Open Wallet Failed\n" );
        return 17;
    }
    if ( ! wallet->hasFolder("Passwords") )
        return 18;
    // setFolder() returns false if the folder could not be selected.
    if ( ! wallet->setFolder("Passwords") )
        return 20;
    QString s;
    // readPassword() returns 0 on success and fills s with the stored value.
    rc = wallet->readPassword( "test", s );
    if ( rc == 0 )
        printf( "-->%s<--\n", s.ascii() );
    delete wallet;   // releases the wallet handle
    delete dc;
    return 0;
}

API

KDE Wallet Manager's API triggers an authentication event when an application requests wallet access over the Desktop Communication Protocol (DCOP), the primary interprocess communication (IPC) mechanism of KDE 3: the KDE daemon launches a password dialog on the application's behalf. If the user cancels the dialog, the open request fails and the application receives no wallet handle (the example above exits with an error code); if the user enters the wallet password, the wallet is opened and the request is served. Because DCOP is carried over local UNIX domain sockets, it can only be reached by processes on the same machine; it is not a network protocol.[4] KDE 4 and later replaced DCOP with D-Bus, over which the wallet daemon (kwalletd) exposes the equivalent interface.

GUI

In the KDE Wallet Manager GUI, the user can manage all wallets and the passwords stored in them.

The user can create and delete wallets and specify which wallet applications should look in when they request a stored password.[4]

Wallets

A wallet is KDE Wallet Manager's unit of password storage. Wallets can be created manually by the user, or KWallet offers to create one through a dialog when the user enters a password in a KDE application or on a website. Once created, a wallet can hold many passwords and is protected by a single master password, so the user only has to remember that one password rather than every credential stored in the wallet. The default wallet is named "kdewallet"; users can create further wallets as needed.

Encryption of the password

Data stored by KDE Wallet Manager can be encrypted in one of two ways: with GnuPG (GNU Privacy Guard, or GPG), which is available when KWallet is built with the GPGME (GnuPG Made Easy) library and the user has a GPG key, or with the Blowfish symmetric block cipher, which is the only option when GPGME support is absent.[5]

Blowfish symmetric block cipher algorithm

KDE Wallet Manager encrypts the contents of a Blowfish wallet with the Blowfish symmetric block cipher in CBC mode. To detect corruption or a wrong master password, a SHA-1 hash of the wallet contents is stored with them inside the encrypted data; this is an integrity check with a plain hash, not a keyed message authentication code (MAC).

Blowfish is faster than Khufu, RC5, DES, IDEA and Triple DES, encrypting at about 18 clock cycles per byte on 32-bit microprocessors.

Blowfish runs in less than 5 KB of memory, and its simple structure makes it easy to implement and to analyse. The key length is variable, up to 448 bits, and the round function uses only 32-bit word additions, XORs and table lookups.[6]
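The effect of the cipher mode is easy to see on a small wallet-like record. The following Python example was written for this article; it is not KWallet's code and does not read real .kwl files. Because the Python standard library has no Blowfish, a small 16-round Feistel cipher with a SHA-256 round function stands in for it (Blowfish is also a 16-round Feistel cipher on 64-bit blocks; the toy shares no constants with it). The store contents, the key and the fixed IV are constructed sample data. The example encrypts the same record in ECB and in CBC mode, counts repeated ciphertext blocks (the codebook leak behind the ECB issue listed under Vulnerabilities), and shows the appended SHA-1 integrity check rejecting a tampered blob or a wrong key.

```python
# Added illustrative example for this article, not KWallet's implementation.
# ToyFeistel stands in for Blowfish (same 64-bit block, 16-round Feistel shape,
# no shared constants) so that the example runs on the standard library alone.
import hashlib

BLOCK = 8  # 64-bit block size, as in Blowfish

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyFeistel:
    """16-round Feistel network with a SHA-256 round function (stand-in cipher)."""
    def __init__(self, key: bytes):
        # One 8-byte round key per round, derived from the master key.
        self.round_keys = [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(16)]

    @staticmethod
    def _f(k: bytes, half: bytes) -> bytes:
        return hashlib.sha256(k + half).digest()[:4]

    def encrypt_block(self, block: bytes) -> bytes:
        left, right = block[:4], block[4:]
        for k in self.round_keys:
            left, right = right, xor(left, self._f(k, right))
        return right + left  # undo the final swap

    def decrypt_block(self, block: bytes) -> bytes:
        right, left = block[:4], block[4:]
        for k in reversed(self.round_keys):
            left, right = xor(right, self._f(k, left)), left
        return left + right

def pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(cipher: ToyFeistel, plaintext: bytes) -> bytes:
    """ECB: blocks are encrypted independently, so equal blocks give equal output."""
    return b"".join(cipher.encrypt_block(b) for b in split_blocks(pad(plaintext)))

def cbc_encrypt(cipher: ToyFeistel, plaintext: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before encryption.
    The IV must be fresh and random per write; the demo fixes it only for reproducibility."""
    out, prev = [], iv
    for b in split_blocks(pad(plaintext)):
        prev = cipher.encrypt_block(xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(cipher: ToyFeistel, data: bytes) -> bytes:
    blocks = split_blocks(data)
    out, prev = [], blocks[0]  # first block is the IV
    for b in blocks[1:]:
        out.append(xor(cipher.decrypt_block(b), prev))
        prev = b
    return unpad(b"".join(out))

def repeated_blocks(ciphertext: bytes) -> int:
    """Ciphertext blocks that duplicate an earlier one: the codebook leak of ECB."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))

def seal(cipher: ToyFeistel, iv: bytes, store: bytes) -> bytes:
    """Append SHA-1 of the plaintext as an integrity check, then CBC-encrypt.
    A plaintext hash catches corruption and wrong keys but is not a keyed MAC."""
    return cbc_encrypt(cipher, store + hashlib.sha1(store).digest(), iv)

def open_store(cipher: ToyFeistel, blob: bytes):
    """Decrypt and check the trailing SHA-1; return the store, or None on failure."""
    try:
        plain = cbc_decrypt(cipher, blob)
    except ValueError:
        return None
    store, digest = plain[:-20], plain[-20:]
    return store if hashlib.sha1(store).digest() == digest else None

# Constructed sample store: 8-byte account names, each followed by the same
# 8-byte password, so the repetition lines up with the block boundary.
SAMPLE_STORE = b"".join(name.ljust(BLOCK) + b"hunter2!" for name in (b"mail", b"vpn", b"wiki"))

if __name__ == "__main__":
    cipher, iv = ToyFeistel(b"master-password"), bytes(BLOCK)
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(cipher, SAMPLE_STORE)))  # 2
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(cipher, SAMPLE_STORE, iv)))  # 0
    blob = seal(cipher, iv, SAMPLE_STORE)
    tampered = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]  # flip one bit in block 2
    print("intact verifies:", open_store(cipher, blob) == SAMPLE_STORE)  # True
    print("tampered rejected:", open_store(cipher, tampered) is None)  # True
```

Under ECB every account that shares the same 8-byte password produces the same ciphertext block, so an attacker who only has the wallet file can already tell which entries are equal; CBC hides that. The trailing hash catches corruption and a wrong master password, but because it is a hash of the plaintext rather than a keyed MAC it does not provide the tamper resistance of an authenticated encryption mode.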

GNU Privacy Guard encryption

Users can create a GnuPG-based wallet for especially sensitive passwords. This requires KWallet to be built with the GPGME (GnuPG Made Easy) library; when GnuPG is found, the user is asked to choose one of their GPG keys to encrypt the new wallet.[5]

Vulnerabilities

  • The SHA-1 hash function used by KDE Wallet Manager (KWallet) is cryptographically broken: in 2017 Google and CWI Amsterdam published a collision, two different PDF files with the same SHA-1 digest.[7] Many vendors, including Microsoft, have since discontinued SHA-1 support. From version 4.13 onward, and when used with the kwallet Pluggable Authentication Module (PAM), KWallet can derive the wallet key with SHA-512; wallets that do not use this path still rely on SHA-1. A collision attack does not by itself break SHA-1 as a key-derivation or integrity hash, but a fast general-purpose hash makes offline guessing of the master password cheaper than a purpose-built password hash would.
  • CVE-2018-10380: "kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ownership of arbitrary files via a symlink attack."[8]
  • CVE-2020-12755: "fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended KWallet storage of a password."[9]
  • CVE-2013-7252: "kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack."[10]
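The kwallet-pam entry above describes a symlink attack. The following Python example, written for this article and not taken from kwallet-pam, shows the generic bug class: a privileged helper fixes up permissions on a path inside a directory the user controls, once with a path-based call that follows symbolic links and once hardened with O_NOFOLLOW plus an fstat check, acting on the open descriptor. chmod stands in for the chown of the CVE so the demo runs without root; the failure mode is the same. The file names are constructed inside a temporary directory.

```python
# Added illustrative example for this article; generic pattern, not kwallet-pam's
# code. chmod() stands in for the chown() of CVE-2018-10380 so it runs unprivileged.
import os
import stat
import tempfile

def fix_perms_unsafe(path: str, mode: int = 0o600) -> None:
    """Vulnerable: a path-based chmod()/chown() follows symbolic links, so a link
    planted at `path` by a local user redirects the change to the link target."""
    os.chmod(path, mode)

def fix_perms_safe(path: str, mode: int = 0o600) -> bool:
    """Hardened: open with O_NOFOLLOW (fails with ELOOP on a symlink), confirm the
    descriptor is a regular file, then act on the descriptor rather than the path."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError:
        return False  # symlink, or no such file: refuse instead of following
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        os.fchmod(fd, mode)  # os.fchown(fd, uid, gid) is the equivalent for ownership
        return True
    finally:
        os.close(fd)

def mode_of(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)

def demo() -> dict:
    """Plant a symlink where the helper expects its file and compare both versions."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")  # file the attacker wants altered
        real = os.path.join(d, "real.kwl")      # an honest file the helper should fix
        for p in (victim, real):
            with open(p, "w") as f:
                f.write("sample\n")
            os.chmod(p, 0o644)
        link = os.path.join(d, "user.kwl")      # attacker-controlled path -> victim
        os.symlink(victim, link)

        safe_on_link = fix_perms_safe(link)
        victim_after_safe = mode_of(victim)
        safe_on_real = fix_perms_safe(real)
        fix_perms_unsafe(link)
        victim_after_unsafe = mode_of(victim)

        return {
            "safe_refused_link": safe_on_link is False,
            "victim_untouched_by_safe": victim_after_safe == 0o644,
            "safe_fixed_real_file": safe_on_real and mode_of(real) == 0o600,
            "victim_changed_by_unsafe": victim_after_unsafe == 0o600,
        }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The unsafe version changes the mode of victim.txt, the file the link points at; the hardened version refuses the link and leaves the victim untouched while still fixing a genuine regular file. The general rule for any directory another user can write to: resolve the path once with O_NOFOLLOW (or openat with equivalent flags) and perform every subsequent chown, chmod or write through the descriptor, never through the path again.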

References

  1. Zhang, Jie; Luo, Xin; Akkaladevi, Somasheker; Ziegelmayer, Jennifer (April 2009). "Improving multiple-password recall: an empirical study". European Journal of Information Systems. 18 (2): 165–176. doi:10.1057/ejis.2009.9. ISSN 0960-085X.
  2. Gray, Joshua; Franqueira, Virginia N. L.; Yu, Yijun (September 2016). "Forensically-Sound Analysis of Security Risks of Using Local Password Managers". 2016 IEEE 24th International Requirements Engineering Conference Workshops (REW). Beijing, China: IEEE: 114–121. doi:10.1109/REW.2016.034. ISBN 978-1-5090-3694-3.
  3. Grosskurth, A.; Godfrey, M.W. (2005). "A reference architecture for Web browsers". 21st IEEE International Conference on Software Maintenance (ICSM'05). IEEE. doi:10.1109/icsm.2005.13.
  4. Mulligan, J.; Elbirt, A. J. (May 2005). "Desktop Security and Usability Trade-Offs: An Evaluation of Password Management Systems". Information Systems Security. 14 (2): 10–19. doi:10.1201/1086/45241.14.2.20050501/88289.3. ISSN 1065-898X.
  5. Dudášová, Ludmila; Vaculík, Martin; Procházka, Jakub (2021-12-29). "Psychological capital in work, clinical and school psychology: a review study" [Psychologický kapitál v pracovní, klinické a školní psychologii: přehledová studie]. Ceskoslovenska psychologie. 65 (6): 558–574. doi:10.51561/cspsych.65.6.558. ISSN 0009-062X.
  6. Mousa, A. (2005). "Data encryption performance based on Blowfish". 47th International Symposium ELMAR, 2005. IEEE. doi:10.1109/elmar.2005.193660.
  7. Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange; Markov, Yarik (2017). "The First Collision for Full SHA-1". Advances in Cryptology – CRYPTO 2017. Cham: Springer International Publishing. pp. 570–596. ISBN 978-3-319-63687-0. Retrieved 2022-04-14.
  8. "CVE-2018-10380: kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ownership of arbitrary files via a symlink attack". www.cvedetails.com. Retrieved 2022-04-14.
  9. "NVD - CVE-2020-12755". nvd.nist.gov. Retrieved 2022-04-14.
  10. "NVD - CVE-2013-7252". nvd.nist.gov. Retrieved 2022-04-14.

