Problem. In their paper 'On The Security of Password Manager Database Formats', P. Gasti and K. B. Rasmussen have presented attacks on the KDB and KDBX file formats based on unauthenticated header data. For KDB, this issue has allowed silent data removal attacks. For KDBX, the issue has allowed silent data corruption attacks. Both were minor security issues (confidentiality was not compromised).
Status. Header data authentication has been introduced for both KDB and KDBX in KeePass 1.24 and 2.20, in order to prevent the attacks. Also see the release notes KeePass 1.24 and 2.20 Header Authentication. P. Gasti and K. B. Rasmussen published their paper in a responsible disclosure process, and the defenses in KeePass have been implemented before the issues were presented to the public.
It there a similar study done more recently on this exact topic? Would love to know if the problems revealed in this paper have been fixed in 1Password and others
They've definitely been fixed in 1Password. I think they were fixed in the next version after the paper. They've discussed it pretty openly on their blog, but it was shortly after the paper was released and that's been a few years.
I'm new to infosec and I'm having a bit of trouble understanding how PasswordSafe is able to modify the master password without re-encrypting the entire database with the new salt.
The only scenario I see this happening is if, upon the creation of a new master password, PasswordSafe encrypts the header (with the old password). This way, when the user enters their new password, PS uses it to decrypt the header, and then uses the old password (stored in the header) to decrypt the database. This would make it easy for someone with access to the old password and the database to simply decrypt it.
Is this how it works? I can't think of any other way it would be able to not re-encrypt the database with the new password. Plus the lingo/acronyms in the paper are going a bit over my head.
Generally these things work by creating a master key to encrypt the data. The master key is then encrypted with a key derived from the password. To change the password the master key just needs to be reencrypted.
This is correct. For v3, with P' the key derived from stretching the password:
"2.6 B1 and B2 are two 128-bit blocks encrypted with Twofish [TWOFISH] using P' as the key, in ECB mode. These blocks contain the 256 bit random key K that is used to encrypt the actual records. (This has the property that there is no known or guessable information on the plaintext encrypted with the passphrase-derived key that allows an attacker to mount an attack that bypasses the key stretching algorithm.)"
> Google Chrome stores usernames and passwords in an SQLite database file in the user profile directory. This database provides neither secrecy nor integrity.
Chrome has since implemented OS-level security, the SQLite database contains ciphertext instead of plain passwords.
Is this encryption directly related to my Windows password? Can I transfer the "Login Data" database to another PC with the same password? Or is my password only a passphrase for a longer key?
I think it's a huge shame that Chrome has moved away from integrating with the OSX keychain / Keychain Access since v45. Apparently they argued Safari used the keychain in such a way that passwords weren't shared with other apps, so why should Chrome :-/
Of course, the real reason is that Chrome is an OS masquerading as a browser. If you consider the keychain to be an OS level function, Chrome (the OS) provides it.
>Unfortunately, most formats turned out to be broken even against very weak adversaries. For this reason, users should carefully consider whether a particular database format is acceptable for storing data in the cloud, on a USB drive or
on a machine shared with other users.
Finally, our works shows that it is indeed possible to construct a format that provides security, usability and low computation and storage overhead, using standard cryptographic tools.
Problem. In their paper 'On The Security of Password Manager Database Formats', P. Gasti and K. B. Rasmussen have presented attacks on the KDB and KDBX file formats based on unauthenticated header data. For KDB, this issue has allowed silent data removal attacks. For KDBX, the issue has allowed silent data corruption attacks. Both were minor security issues (confidentiality was not compromised).
Status. Header data authentication has been introduced for both KDB and KDBX in KeePass 1.24 and 2.20, in order to prevent the attacks. Also see the release notes KeePass 1.24 and 2.20 Header Authentication. P. Gasti and K. B. Rasmussen published their paper in a responsible disclosure process, and the defenses in KeePass have been implemented before the issues were presented to the public.