New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security hardened sandboxes (with encrypted sandbox content and credentials) will most likely fail to operate after setting a (very long) password, and will cause Sandboxie-Plus to crash in a small case #3639
Comments
(This should not happen.) Just for reference, how many characters were required for you to notice this? So if someone is going to test it, he'd know how long the password needs to be. How long is long? |
In this case, I used 256 uppercase and lowercase letters, English symbols (e.g.; ',./[]) |
I see I'll add the upper length limit in the next build its 128 chars IIRC |
I have an idea if I can raise this limit (e.g. to 256 or more or even infinity), and if not, why? |
What part imposes the limit of 128 characters? |
The DiskCryptor code used for encryption uses this limit this could be changed to an other value, resulting only in a slightly higher memory usage. But 128 chars should be plenty long anyways, this length permits approximately 384 bits of entropy with a passphrase composed of actual English words, increases to 512 bits with the application of L337 speak modifications, and exceeds 768 bits when composed of entirely random printable ASCII characters. Given that the encryption uses AES256 there is no benefit of having a passphrase with more entropy than that. Also remember that even 128 bit is not bruteforceable, even at the Landauer limit and assuming that to test one key only one bit needs to be flipped (which is not the case it needs many many thousands of bit flips to test any given key), the energy requirement would be 10^18 Joule to put this into perspective the entire output of the sun is 3.8*10^26 Joule/Second. For 256 bit the energy requirement is 3.310^56 Joule to put this into perspective, Long story short I think 128 chars is more then enough and we don't need to change this. |
Describe what you noticed and did
1,Create a security hardened sandbox
2,Tick the Encrypt sandbox content and set credentials option
3,Set a (very long) password
4,Try to run something, and then you may come across the Create a new sandbox disk image menu again.
5,After re-entering the (previous) (very long) password, the sandbox does not work
How often did you encounter it so far?
Whenever I do the above action
Expected behavior
Security hardened sandboxes works properly.
Affected program
Everything (Sandboxie-Plus itself)
Download link
Not available.
Where is the program located?
Not relevant to my request.
Did the program or any related process close unexpectedly?
Yes, it did. I'm going to share the .dmp file(s) in a later comment.
Crash dump
https://f.ws59.cn/f/dh2lf8ka29l (Valid for 24 hours, if expired, please comment below)
What version of Sandboxie are you running now?
Sandboxie-Plus 1.13.0 64-bit
Is it a new installation of Sandboxie?
I just updated Sandboxie from a previous version (I remember which one it is).
Is it a regression from previous versions?
Maybe 1.12.7
In which sandbox type you have this problem?
In a security hardened sandbox (orange sandbox icon).
Can you reproduce this problem on a new empty sandbox?
I can confirm it also on a new empty sandbox.
What is your Windows edition and version?
Windows Home China 21H2 64-bit
In which Windows account you have this problem?
A local account (Administrator).
Please mention any installed security software
Microsoft Defender Antivirus,360 Total Security
Did you previously enable some security policy settings outside Sandboxie?
No response
Trace log
Sorry, I can't open the website.
Sandboxie.ini configuration
The text was updated successfully, but these errors were encountered: