by tptacek 4792 days ago
I haven't reviewed KeePassX but they've published a bit about their encryption. They say they're using AES-CBC with random IVs, generated each time the database is updated. You should be fine keeping it versioned.

Three scenarios in which it would be potentially unsafe to keep a versioned password database, from worst to least-worst:

* Had they used AES-CTR with a fixed key and nonce --- a surprisingly common design, unfortunately --- then every save they did would create a chunk of ciphertext encrypted under the same keystream as some previously versioned chunk. This is fatal to the security of AES-CTR; it is a failure mode that keeps me from recommending AES-CTR. (Similar problems exist for the other stream modes).

* Had they used AES-ECB --- i.e., the default mode of most AES libraries --- every repeated chunk of 16 bytes would be evident in the ciphertext of the database, and, worse, the versioned copies would likely create variants of that data at different offsets. Combined with known plaintext (maybe there's some in the KeePassX headers?), this could set up an attack, albeit a very elaborate one that would require lots of changes to the database.

* Had they used AES-CBC with a fixed IV, instead of generating it randomly every time the database was updated, they'd have the ECB problem on first blocks of each message. Messing up the CBC IV is a very big problem in online systems where attackers can take many thousands of bites at the apple and adapt their inputs in response to what the target does, but it's less of a problem in offline systems like KeePassX and would have been a mostly theoretical problem.

The bigger problem with KeePass is that it doesn't seem to do a good job of deriving keys from passphrases (as documented, it uses salted SHA-256). Maybe that's changed since their security page was authored, but that problem would keep me from putting a KeePass database on any machine I didn't control.
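The three scenarios above can be reproduced concretely. The following Go program is an added example, not code from the comment or from KeePass/KeePassX; it uses Go's standard `crypto/aes` and `crypto/cipher`, and the key (`demoKey`) and the two "saves" of a database (`saveV1`, `saveV2`) are constructed stand-ins: four 16-byte blocks each, with one block repeated and only the last byte differing between saves. `Analyze` encrypts both saves under each mode and reports what a holder of the versioned ciphertexts can see: with a fixed CTR nonce, the XOR of the two ciphertexts equals the XOR of the plaintexts, so the changed byte offsets are read straight off the ciphertexts; with ECB, the repeated plaintext block shows up as a repeated ciphertext block (`RepeatedBlocks` is the usual audit heuristic for that); with a fixed CBC IV, the first blocks of the two saves collide, while a random IV per save removes both effects.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed stand-ins for two successive saves of a password database (not real KeePassX data).
// Each is four 16-byte blocks; blocks 2 and 3 repeat, and only the last byte differs between saves.
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte AES-256 key
	saveV1  = []byte("user=alice------site=example.comsite=example.compw=hunter2-v0001")
	saveV2  = []byte("user=alice------site=example.comsite=example.compw=hunter2-v0002")
)

func mustCipher(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// randomBlock returns a fresh 16-byte nonce/IV from the OS CSPRNG.
func randomBlock() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// ctrEncrypt: AES-CTR. The caller supplies the nonce; reusing it is the failure in scenario 1.
func ctrEncrypt(key, nonce, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCTR(mustCipher(key), nonce).XORKeyStream(ct, pt)
	return ct
}

// ecbEncrypt: block-by-block AES with no chaining, the "default mode" of scenario 2.
func ecbEncrypt(key, pt []byte) []byte {
	b := mustCipher(key)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// cbcEncrypt: AES-CBC; a fixed iv gives scenario 3, a random one is the KeePassX design.
func cbcEncrypt(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustCipher(key), iv).CryptBlocks(ct, pt)
	return ct
}

// DiffOffsets lists byte positions where two equal-length ciphertexts differ. Under a reused
// CTR keystream, c1^c2 == p1^p2, so this is exactly the set of plaintext bytes that changed.
func DiffOffsets(c1, c2 []byte) []int {
	var off []int
	for i, x := range xorBytes(c1, c2) {
		if x != 0 {
			off = append(off, i)
		}
	}
	return off
}

// KeystreamReused reports whether c1 XOR c2 equals p1 XOR p2, which holds iff both versions
// were encrypted under the same keystream (same key and nonce).
func KeystreamReused(c1, c2, p1, p2 []byte) bool {
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

// RepeatedBlocks counts 16-byte blocks occurring more than once in a ciphertext (ECB heuristic).
func RepeatedBlocks(ct []byte) int {
	seen := map[string]int{}
	dup := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		seen[k]++
		if seen[k] > 1 {
			dup++
		}
	}
	return dup
}

type Findings struct {
	CTRFixedNonceReused     bool  // scenario 1: fixed key+nonce across saves
	CTRFixedNonceDiff       []int // changed plaintext offsets, read straight off the ciphertexts
	CTRRandomNonceReused    bool  // same cipher, fresh nonce per save
	ECBRepeatedBlocks       int   // scenario 2: repeated plaintext block visible in ciphertext
	CBCFixedIVFirstBlockEq  bool  // scenario 3: first blocks of the two saves collide
	CBCRandomIVFirstBlockEq bool  // the KeePassX design: random IV per save
	CBCRandomIVRepeated     int
}

// Analyze runs all three scenarios against the constructed saves and reports what leaks.
func Analyze() Findings {
	var f Findings
	zero := make([]byte, aes.BlockSize) // the "fixed" nonce/IV
	c1, c2 := ctrEncrypt(demoKey, zero, saveV1), ctrEncrypt(demoKey, zero, saveV2)
	f.CTRFixedNonceReused = KeystreamReused(c1, c2, saveV1, saveV2)
	f.CTRFixedNonceDiff = DiffOffsets(c1, c2)
	r1, r2 := ctrEncrypt(demoKey, randomBlock(), saveV1), ctrEncrypt(demoKey, randomBlock(), saveV2)
	f.CTRRandomNonceReused = KeystreamReused(r1, r2, saveV1, saveV2)
	f.ECBRepeatedBlocks = RepeatedBlocks(ecbEncrypt(demoKey, saveV1))
	e1, e2 := cbcEncrypt(demoKey, zero, saveV1), cbcEncrypt(demoKey, zero, saveV2)
	f.CBCFixedIVFirstBlockEq = bytes.Equal(e1[:aes.BlockSize], e2[:aes.BlockSize])
	g1, g2 := cbcEncrypt(demoKey, randomBlock(), saveV1), cbcEncrypt(demoKey, randomBlock(), saveV2)
	f.CBCRandomIVFirstBlockEq = bytes.Equal(g1[:aes.BlockSize], g2[:aes.BlockSize])
	f.CBCRandomIVRepeated = RepeatedBlocks(g1)
	return f
}

func main() {
	fmt.Printf("%+v\n", Analyze())
}
```

Running it prints a `Findings` whose fixed-nonce CTR diff is `[63]`: the versioned ciphertexts alone reveal that exactly one byte of the password changed between saves, with no key needed. The random-IV CBC results are the KeePassX case the comment calls safe to version: no first-block collision and no repeated blocks.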

1 comment

Is the key derivation bad because of SHA-256, or because it is too fast/easy to brute-force? According to the security page, they do 6000 (AES) encryption rounds on the key after hashing it (6000 by default, you can increase the work factor). So I guess this is comparable to what bcrypt/scrypt does?

(There's something on the security page saying that KeePassX (as opposed to KeePass) only partially supports this, though.)
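To make the "6000 AES encryption rounds on the key after hashing it" concrete, here is an added Go example, not code from KeePass or KeePassX. It models the scheme as the reply describes it: SHA-256 over salt and passphrase, then `rounds` AES encryptions of the 32-byte result under a transform seed, then a final SHA-256; the exact KeePass layout, the salt, and the all-zero seed are assumptions and constructed values. `costPerDerivation` measures the wall-clock cost at a given round count, which is the number a defender uses to pick a work factor (the loop is pure CPU work with no memory footprint, so raising rounds buys the same kind of protection as PBKDF2 iterations, not the memory hardness of scrypt).

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"fmt"
	"time"
)

// transformKey follows the scheme the reply describes: SHA-256 over salt||passphrase,
// then `rounds` AES encryptions of the 32-byte result under a transform seed, then a
// final SHA-256. The exact KeePass layout is an assumption here, not taken from its spec.
func transformKey(passphrase, salt, seed []byte, rounds int) [32]byte {
	k := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	b, err := aes.NewCipher(seed) // a 32-byte seed selects AES-256
	if err != nil {
		panic(err)
	}
	for i := 0; i < rounds; i++ {
		// Two independent in-place block encryptions per round: no chaining, no memory cost.
		b.Encrypt(k[0:16], k[0:16])
		b.Encrypt(k[16:32], k[16:32])
	}
	return sha256.Sum256(k[:])
}

// costPerDerivation times one derivation at a given work factor, the figure used to size
// `rounds` so that one unlock takes a chosen delay on the defender's own hardware.
func costPerDerivation(rounds int) time.Duration {
	salt, seed := []byte("constructed-salt"), make([]byte, 32) // constructed demo values
	start := time.Now()
	transformKey([]byte("correct horse battery staple"), salt, seed, rounds)
	return time.Since(start)
}

func main() {
	for _, r := range []int{6000, 60000, 600000} {
		fmt.Printf("%7d rounds: %v per derivation\n", r, costPerDerivation(r))
	}
}
```

The cost scales linearly in `rounds`, so the default of 6000 can be raised until a single unlock takes as long as the user is willing to wait; the derived key changes with every round count, so the count has to be stored alongside the database, as the security page's configurable work factor implies.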