0xpoly / centry Goto Github PK

How do I use this on Windows?

I'm getting this when trying to run Centry as root:
Process Process-2:
Traceback (most recent call last):
File "/usr/lib/python3.2/multiprocessing/process.py", line 267, in _bootstrap
self.run()
File "/usr/lib/python3.2/multiprocessing/process.py", line 116, in run
self._target(_self._args, *_self._kwargs)
File "./centry.py", line 240, in start
title["font"] = ('',32,'bold')
File "/usr/lib/python3.2/tkinter/init.py", line 1227, in setitem
self.configure({key: value})
File "/usr/lib/python3.2/tkinter/init.py", line 1220, in configure
return self._configure('configure', cnf, kw)
File "/usr/lib/python3.2/tkinter/init.py", line 1211, in _configure
self.tk.call(_flatten((self._w, cmd)) + self._options(cnf))
_tkinter.TclError: expected integer but got "bold"

An attacker who can MITM the connection can obtain password hashes that they can crack offline, or replay the traffic for undesirable consequences (separate issue).

Might be possible to use this:
https://pypi.python.org/pypi/Dtls/0.1.0

Some sort of real authentication with secrecy and integrity checking would be better.

Tried with default python (2.7.5) , fails to find tkinter (locgical since Tkinter uppercase was before 3.x)
Tried with brew installed python 3.4.1 , just getting "WARNING: FAILED TO BIND TO UDP SOCKET." and nothing else
Tried with official installer installed python 3.4.1 , same warning and nothing happens

Am I missing something ?

A number of issues:

1. still vulnerable to replay attack, just limited to current minute.
2. won't work if triggered from devices out of sync
3. won't work if triggered from remote device in different timezone
4. allows an attack who can sniff traffic to be able to capture the hashed pass+time and crack it offline to reveal the password. Just takes longer, probably.

Any issue which will cause this to not work is a serious vulnerability, as someone could have an attacker actively breaking into the device, and this would offer no real protection. Someone intending to use this and finding it not work in the last minute has very dangerous consequences.

May be fixed with end-to-end encryption, but don't roll your own crypto.

I noticed that there is no mention of authentication anywhere in this. What steps have you or are you going to take to prevent this from being triggered by someone not of your own?