How to change encryption key?
jnw "at" realvnc.com
Wed Nov 24 17:29:01 2004
Changing the encryption key of the password stored in the registry will
provide a false sense of security, since anyone who can read it will be able
to brute-force attack it in order to work around you having changed the
obfuscation key. It can't be read by sniffing the network since the VNC
Authentication scheme is challenge-response, and so never actually sends the
password, encrypted or otherwise.
Under NT/2K/XP, VNC 4 assigns the registry permissions of the password key
to be accessible only to the SYSTEM account, and to members of the
Administrators group. If you don't already trust both of those then having
them unobfuscate the VNC password is probably the least of your problems!
Under Linux, a user's password is stored obfuscated in ~/.vnc/passwd, and is
only readable/writable by that user, so no-one else can read & unobfuscate
it unless those permissions are changed or some other security breach has
The need for these passwords to be stored at all dissappears if local user
account authentication is used, as is available in VNC Enterprise Edition.
Wez @ RealVNC Ltd.
> Hey list,
> I am currently running VNC on a number if different systems,
> both Windows based and Linux based. As many of these systems
> contain sensitive data, I'm looking to make them as secure as
> possible, while still keeping VNC on them. However, from what
> I've read, VNC uses the same key to encrypt all passwords,
> and that this key is easily obtainable, making it relatively
> easy to decrypt the password if someone happens to sniff it
> out in encrypted form. So, what I'd like to do is change the
> key used to encrypt passwords, and then set up the passwords
> on these systems again. Trouble is... I haven't had any luck
> finding out how to do this. Can anyone enlighten me on this?
> Ideally, I'd like to do it to all machines and both platforms.
> Thank you,