![]() ![]() The problem is you can't necessarily have confidentiality without integrity. To the many readers of this thread who believe they don't care about the integrity of their password vault, just its confidentiality: I don't know that an HN thread is the best venue to discuss crypto design flaws (you might be better off writing a POC of some kind and then publishing that), but yes, it is a little disquieting to see a sensitive application using AES without an authenticator. I thank all contributors for making/improving it over the years. None of this detracts from the fact that KeePass is a very useful, free utility with a lot of effort put into it. Has anyone ever done a security audit of KeePass 2.x or does everyone just believe that it's "good enough"? They can't even implement a Singleton correctly (see CryptoRandom.cs). There are many other questionable patterns, code smells, and "I-invented-it" approaches that indicate a non-expert. Return false if one of them is null (not comparable)! Public static bool ArraysEqual(byte x, byte y) KeePass likely does not have an online threat model, so attacks like Padding-Oracle might not be applicable, but a lack of AEAD is IMHO highly concerning because it indicates that the author(s) are winging it when it comes to doing crypto right.īyte array comparisons are done with this function from MemUtil.cs: Even if the hashes are used prior to encryption, that's still MtE - not EtM. There are SHA2 hashes that seem to guard the integrity of ciphertext, while these might catch a typical file corruption they will not prevent malicious tampering. HMAC is nowhere to be found in the code, other than when used for sha1-totp. The kdbx database is encrypted with AES in CBC/PKCS7 mode without proper authentication. NET source code today and quickly noticed the following issues which I find quite concerning: ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |