CS401 Cyber Security Spring 2008 LibPurple/Pidgin Password Plugin Jonathan Blount Charles Tullock C. Shaun Wagner.

CS401 Cyber SecuritySpring 2008

LibPurple/PidginPassword Plugin

Jonathan Blount Charles Tullock C. Shaun Wagner

Introductionto

LibPurple

Charles Tullock

What is LibPurple?Open Source Library in C

Instant Messaging Routines

Account Management

LibPurple IntroductionLibPurple Introduction

What is LibPurple?Protocols: AIM, ICQ, Jabber/XMPP, MSN Messenger, Yahoo!, Bonjour, Gadu-Gadu, IRC, Novell GroupWise Messenger, QQ,

Lotus Sametime, SILC, SIMPLE, MySpaceIM, Zephyr


What is Pidgin?One application, multiple protocols

simultaneously

Windows and *nix

Default IM program on many *nix platforms


Usage of LibPurple

Adium MeeboApollo IM OpenWengoEQO PidginFinch ScatterChatInstantbird Telepathy-Haze


Password StoragePasswords in accounts.xml (plain text)

Developers choose no security as opposed to false security.


Password OptionsSecurity by obscurity

Control access to plain text file

Encrypt password behind a password


Password Behind a PasswordKDE Wallet

Windows: LibCrypt, Credential ManagementGnome Keyring Service

3rd Party Applications


Platform Independent Pluginplugin_encrypt_passwords

Encrypts all passwords stored in plain text.Removes passwords from plain text after

encryption.



plugin_fetch_passwordsUsed to fetch passwords for all accounts

before accounts connect to messaging services.



plugin_fetch_passwordsplugin_decrypt_passwords

Decrypt all encrypted passwords and place them in the plain text accounts file.


Plugin ImpactLibPurple applications are more secure

Same password for multiple systems

Indirect vulnerabilities


Questions?


KWallet Pluginfor

LibPurple (Pidgin)

C. Shaun Wagner

KWallet is a credentials management application for the K Desktop Environment

(KDE).

KWallet is the preferred method for saving passwords in KDE.

KWallet PluginKWallet Plugin

KWallet Features

Password behind a password encryption

Warns users when programs access passwords

Users may easily manage encrypted data


Implementing KWallet

Direct API implementation

Messaging bus implementation:

DCOP for KDE3

D-BUS for KDE4


Goals

Save passwords in KWallet when requested

Fetch passwords from KWallet as needed

Save passwords in plain text when requested


Goals

Code should be as simple as possible

Code should compile using default makefile

Plugin should work in KDE3 and KDE4


LibPurple and KWallet

do not integrate easily


Problem

LibPurple plugins must be written in C

KWallet applications must be written in C++


Problem

LibPurple plugins must be written in C

KWallet applications must be written in C++

Solution

Wrap required C code in extern “C”


Problem

KWallet plugin requries Qt headers and compilation with a C++ compiler


Problem

KWallet plugin requries Qt headers and compilation with a C++ compiler

Solution

Redefine compiler and header includes on the command line for make


Problem

LibPurple is a GTK+ application

KWallet is a Qt application

GTK+ is incompatible with Qt in many ways


Problem

GTK+ is incompatible with Qt in many ways

Solution

Manually translate GTK+ types to and from Qt types. Example:

Convert gchar* to char* to QString


Compiling

Included all Qt libraries

Converted values between GTK+ and Qt

Wrapped C code in extern “C”

Compiled with C++ compiler


Segmentation Fault

KWallet must have a parent Qt application


Segmentation Fault

KWallet must have a parent Qt application

Solution

Create an empty (and invisible) KApplication

which is the parent class for all KDE/Qt applications


Segmentation Fault

KWallet cannot open the default wallet


Segmentation Fault

KWallet cannot open the default wallet

Solution

Undocumented: The lkwalletclient library must be linked when compiling


Segmentation Fault

KApplication and KWallet cannot be re-instantiated inside of functions


Segmentation Fault

KApplication and KWallet cannot be re-instantiated inside of functions

Solution

Make both KApplication and KWallet global


Beta Test

Encrypt Passwords


Beta Test

Encrypt Passwords

Successful

All passwords were removed from the plain text file and placed in KWallet


Beta Test

Fetch Passwords

Successful

All passwords were fetched and attached to the accounts before the accounts

connected to the messaging services


Beta Test

Decrypt Passwords


Beta Test

Decrypt Passwords

Successful

All passwords were removed from KWallet and placed in the plain text file


Beta Test

KDE3 and KDE4 test

Successful

Plugin performed properly in both KDE3 and KDE4 using Pidgin 2.4


Note on D-BUS

D-BUS is standard application communication service in KDE4

LibPurple has D-BUS functionality in the plugin API


Questions?


Windows Pluginfor

LibPurple (Pidgin)

Jonathan Blount

Password Management

Credential Manager

Hard to integrate

Easily hacked

Windows PluginWindows Plugin

Password Management

CryptoAPI

Windows 2000

Data Protection API

Crypt32.dll library

More secure


DPAPI

Functions

CryptProtectData

CryptUnprotectData


DPAPI

Optional Entropy

Only a user with the same logon credentials as the encrypting user can decrypt the

data


DPAPI


Environment

Pidgin/LibPurple on Windows using Cygwin

Written in C and makes heavy use of Glib (GTK++)

Link to Windows libraries


Environment

No external password management program

Debugging


DLL Loading

Load external library

Create the handle to the DLL

Free the library when done

Set pointer to NULL


Encryption


Storing Binary in Text File

Convert a byte array to a string

Visual C# is one line of code


Storing Binary in Text File

Convert a byte array to a string

C is over 20 lines of code


Decryption


Fetching Passwords

Straightforward

Decrypt Passwords

Load Accounts


Beta Testing

Encrypting Passwords: Success

Fetching Passwords: Success

Decrypting Passwords: Success


Questions?


Demo

LibPurple PluginLibPurple Plugin

KWallet Pluginfor

LibPurple (Pidgin)

C. Shaun Wagner

Windows Pluginfor

LibPurple (Pidgin)

Jonathan Blount

CS401 Cyber Security Spring 2008 LibPurple/Pidgin Password Plugin Jonathan Blount Charles Tullock C. Shaun Wagner.

Documents

kde4kwallet plugin libpurple

zephyrlibpurple introduction

encrypted datakwallet

libpurple pidgin

encrypted passwords

requestedfetch passwords

neededsave passwords

plain text accounts