I notice that the "change-password" function of yourbank.com is accidentally being served over HTTP instead of HTTPS. I just need to trick you into changing your password.

I have access to your kdbx db (ex. you sync to Dropbox and I'm Dropbox employee). I can alter the kdbx file to change your password so that it is no longer valid. KeePass doesn't complain at all.

You have a WTF moment and try to change your password over HTTP, while I inspect network packets and grab your new password.

You say "this is far-fetched, non-realistic scenario". I say "this is poor crypto design".

If you're able to inspect the network packets and the page is over HTTP, then KeePass doesn't even matter at that point. It's game over right there.

Wait, you just inserted an invalid password in my database, how do I change my password? Hell, the only way I'll even realize something's wrong is by trying to log in in the first place, and, if you can see my connection, why would you have me enter a wrong password, rather than the right one?

Because the main login is HTTPS-secure (I would hope - for a bank), but the change-password feature is not.

Oh, you mean the account recovery page, not one that requires the old password to change to a new one. I see.

I think he's suggesting that you happen to actually know the right password, and will attempt to enter it after the failed keepass attempt? But then, if you know the right password, you could also visually inspect the keepass data to know it was wrong.

> I can alter the kdbx file to change your password so that it is no longer valid.

How are you generating a kdbx file that has the record where they think it is? The entire file is encrypted en-mass except the header.

You can certainly make a kdbx file that KeePass will open, but it is impossible to make one that will fool the user without more than enough information to just compromise the database.

I have a private server in a datacenter that I put together myself. I use sftp to download/upload my keepass file, I also use a keyfile that stays local and a password for auth. What is the attack vector there?

You store u/p to your Lawyer's website, which has a copy of your Will. You die and the Executor of your Estate tries to access the Lawyer's website, only to be met with "invalid password".

It turns out that the kdbx on your private server got silently corrupted (ex. fs corruption) ~5 years prior to your death. However, your Dropbox backups only have 30 days of previous kdbx versions.

Can your Executor handle the disappointment?

I believe this issue is grave enough.

How are they cracking the 40+ char random alpha numeric password on my box? With fail2ban in place, and it's on a random port.

That answer does not inspire confidence.

1) Random port is not helping against a specific attacker. Get a real firewall 2) Fail2ban is not a real firewall 3) Keys only, no passwords. 40chars is nothing compared to a strong rsa key with a 40char password on it

Wfc.help go ahead and try.

The array comparison? It's literally the textbook example of a timing sidechannel.

Though I won't speculate if it's a real problem here, since I have no idea what data is being compared.

I must admit, I can't immediately see the problem with leaking timing data.

The client (that decrypts the password database) runs on your local computer, and typically places clear-text-passwords into the clipboard during normal use. So if your local computer is compromised you have way bigger problems than timing attacks.

Me neither, I just tried to explain what the other poster /probably/ meant.

It does have a mode that allows you to avoid clipboard sniffers if the program you are targeting supports it.

However most attack vectors on the local machine can usually get a hold of both keyboard and clipboard data making it impossible to prevent sniffing, but that does assume a sophisticated sniffer.

The vast majority of modern malware no longer monitors either the clipboard OR keyboard. It hooks right into the browser or sometimes network stack.

So when you submit a form the malware records what was in the form and just as important where that form was submitted to (i.e. what URL).

Without context (the where) the information (the what) is near worthless. Aside from toy malware nobody actually logs keys anymore, the term "keylogger" is just a word, it isn't literal.

Source: I have looked at the leaked source of commercial (in the black market) malware. A core part of this malware is automation for resale, nobody is going to read through hundreds of pages of someone's clipboard and keystrokes to figure out what page they're on, and it is by far a more difficult route than just breaking into the browser, hooking Win32 functions, or hooking into the network stack before encryption occurs.

Do you care about that kind of side channel for an offline vault?

If your adversaries are on your box while you operate your vault, then you have already lost because they will also have keyloggers, strace, etc.

What if they hack your dropbox account and get a copy of the vault that way? They're not on your box, but now they can try to break into your vault.

Well, the decryption code is open source. And they have the ciphertext. So what does a timing attack give the attacker?

If keeppass removes the possible timing attack, the attacker could just add it back in and use their own client, if they have a copy of your database.

Then a timing side channel is not relevant, because they won't be watching you operate the vault. Right?

Why be OK with bad crypto?

Even if it's the password, it's not a server/client scenario, or interactive authentication, so why would we care about a timing attack?

The problem is that it's usually not true that you can have confidentiality without integrity, because of chosen ciphertext attacks.

Confidentiality isn't your only concern. You should also be worried about integrity and availability. From "On The Security of Password Manager Database Formats":

  Unfortunately, [KDBX4] introduces new vulnerabilities.
  Similarly to KDB, the main problem of this format is
  the lack of authentication of *hdr*. As such, is it
  susceptible to modifications... This modification is
  not detectable by the password manager... if a user
  alters, and then saves, a corrupted database, all
  passwords previously affected by the attack are lost
  forever.

  This attack highlights a remarkable design flaw. Even
  an accidental bit-flip in the *pskey* field, e.g., due
  to a transmission error, cannot be detected, and leads
  to complete corruption of the database. Such
  corruption is unlikely to be immediately detected by
  users, who may subsequently add new entries. Over time,
  the database will be composed of both correct and
  corrupted entries, making it difficult to reconstruct
  the damaged records from a backup.

Which reminds me - I need to migrate back to Password Safe as soon as possible.

Confidentiality is my only concern in the case of malicious modification. Remember, that availability and integrity of your database can be broken without an attacker, just due to hardware problem, for example. So it is up to you to have a cold backup for such a critical asset.

May I emphasize this sentence?

  Over time, the database will be composed of both
  correct and corrupted entries, making it difficult
  to reconstruct the damaged records from a backup.

I don't know enough about cryptography to be able to say whether it's possible to break a particular cryptographic protocol by blindly altering the ciphertext, but I do know plenty about human nature and backups. It's _highly_ unlikely that normal people keep more than a handful of backups. My own personal backup retention limit is on the order of 30 days, and that's with careful planning. Silent, on-going data corruption happening to a password database seems like a very reasonable thing to concern oneself with, especially if one's expectation was that the password manager would throw some kind of data integrity error whenever said database was accessed.

How will you do that? It looks tricky to say the least: http://sourceforge.net/p/passwordsafe/discussion/134801/thre...

EDIT: It looks like you can clear out all the comments and other stuff in the db and export to Keepass v1 CSV and you should be able to import from that.

Hey, thanks a ton for the clue!

This isn't true anymore.

Newer versions store a SHA-256 hash of the header inside the encrypted XML.

At least KeePass >= 2.20 and KeePassX 2.0 >= alpha3 support this. I haven't checked other implementations.

If the attacker already has control of the email address, they can reset the account without going to such lengths--just visit the site and request a password reset.

Could you please provide more details on suggested attack?