Keepass Security
Dagny Westall
KeePass is a free open source password manager, which helps you to manageyour passwords in a secure way. You can store all your passwords in onedatabase, which is locked with a master key. So you only have to remember onesingle master key to unlock the whole database. Database files are encryptedusing the best and most secure encryption algorithms currently known(AES-256, ChaCha20 and Twofish).For more information, see the features page.
Is it really free?
Yes, KeePass is really free, and more than that: it is open source (OSI certified).You can have a look at its full source code and check whether the securityfeatures are implemented correctly.
As a cryptography and computer security expert, I have neverunderstood the current fuss about the open source software movement. In thecryptography world, we consider open source necessary for good security; we havefor decades. Public security is always more secure than proprietary security.It's true for cryptographic algorithms, security protocols, and security sourcecode. For us, open source isn't just a business model; it's smart engineeringpractice.
Bruce Schneier, Crypto-Gram 1999-09-15.
These well-known and thoroughly analyzed algorithms areconsidered to be very secure.AES (Rijndael) became effective as a U.S. federal government standardand is approved by the National Security Agency (NSA)for top secret information.Twofish was one of the other four AES finalists.ChaCha20 is the successor of the Salsa20 algorithm (which is included in theeSTREAM portfolio).
SHA-256 is a cryptographic hash function that is considered to bevery secure. It has been standardized inNIST FIPS 180-4.The attack against SHA-1 discovered in 2005 does not affectthe security of SHA-256.
In order to generate the key for the encryption algorithm,K is transformed using a key derivation function (witha random salt). This prevents precomputation of keys and makes dictionaryand guessing attacks harder. For details, see the section'Protection against Dictionary Attacks'.
Such attacks cannot be prevented, but they can be made harder.For this, the key K derived from the user's master key(see above) is transformed using akey derivation function with a random salt.This prevents a precomputation of keys and adds a work factorthat the user can make as large as desiredto increase the computational effort of a dictionary or guessing attack.
By clicking the '1 Second Delay' button in the database settingsdialog, KeePass computes the number of iterations that results in a1 second delay when loading/saving a database.Furthermore, KeePass 2.x has a button 'Test' that performs a keytransformation with the specified parameters (which can be cancelled)and reports the required time.
The key transformation may require more or less time on otherdevices. If you are using KeePass or a port of it on other devices,make sure that all devices are fast enough (and have sufficient memory)to load the database with your parameters within an acceptable time.
In the database settings dialog, you can change the number ofiterations. The more iterations, the harder are dictionary and guessingattacks, but also database loading/saving takes more time (linearly).
The official specification of the Argon2 algorithm defines threevariants: Argon2d, Argon2id and Argon2i.Argon2i is the least suitable variant in our case (KeePass database file);therefore, KeePass only offers Argon2d and Argon2id.
Argon2d provides the best resistance against GPU/ASIC attacks.The resistance of Argon2id against GPU/ASIC attacks is somewhat weaker,but Argon2id additionally makes certain side-channel attacks slightly harder.
Side-channel attacks try to gain information from a system byobserving its behavior (e.g. the duration and the power consumption ofcertain operations). On servers, side-channel attacks are a real threat.On client devices (PCs), side-channel attacks are more difficult (morenoise, etc.); there are ideas how some might work in theory, but we arenot aware of any real attack in practice.For example, the attack described in the article'The Spy in the Sandbox / Side-Channel Attacks in Web Browsers'was interesting (JavaScript code was able to detect certain user interactions),but not a real threat (no extraction of sensitive data, as mentionedexplicitly in the article). This may or may not change in the future.Note that this has nothing to do with cloud storage; KeePass encrypts/decryptsa database file on a client device, and thus it is irrelevant where thedatabase file is stored (for side-channel attacks).Furthermore, there are side-channel attacks that neither Argon2d nor Argon2id(nor Argon2i, nor any other key derivation function) protects against (e.g.Spectre/Meltdown side-channel attacks, which allowspyware to read all memory).
In the case of KeePass, we currently recommend Argon2d insteadof Argon2id, because we believe that a better protection against areally existing threat (password cracking using GPUs/ASICs is stateof the art) is more important than a protection against certainside-channel attacks that may or may not become a problem on clientdevices in the future.If you worry about side-channel attacks (and are willing to sacrificesome GPU/ASIC resistance) or if you are developing a software whereside-channel attacks could be a problem (e.g. a server service thatoperates with KeePass database files), use Argon2id.
Side note: the IRTF CFRG Argon2 Internet standard recommendsArgon2id by default. For server applications, Argon2id is in generalindeed more suitable than Argon2d, but our situation (client device)is different, as mentioned above.
The number of iterations scales linearly with the required time.By increasing the memory parameter, GPU/ASIC attacks becomeharder (and the required time increases).The parallelism parameter specifies how many threads should be used.
When clicking the '1 Second Delay' button, KeePass uses a differentstrategy for determining the parameters (relatively low values for thememory and parallelism parameters, relatively high number of iterations),because KeePass does not know the RAM and processor details of your otherdevices (the default values should be compatible with most devices).If you know these details, it is recommended to follow theprocedure above instead.
Argon2 on iOS. If you are using a KeePass-compatible appon iOS, please note the following limitation of iOS.If the app uses a lot of RAM (e.g. due to using Argon2 with alarge memory parameter), then AutoFill may not work.In this case, we recommend to use a relatively low value for theArgon2 memory parameter (64 MB or less, depending on the app and thedatabase size) and a relatively high number of iterations.
KeePass first creates an entropy pool using various entropy sources(including random numbers generated by the system cryptographic provider,current date/time and uptime, cursor position, operating system version,processor count, environment variables, process and memory statistics,current culture, a new random GUID, etc.).
The random bits for the high-level generation methods are generatedusing a cryptographically secure pseudo-random number generator(based on SHA-256/SHA-512 and ChaCha20) that is initialized using the entropy pool.
While KeePass is running, sensitive data is stored encryptedlyin the process memory.This means that even if you would dump the KeePass process memory to disk,you could not find any sensitive data.For performance reasons, the process memory protection only appliesto sensitive data; sensitive data here includes for instance the master keyand entry passwords, but not user names, notes and file attachments.Note that this has nothing to do with theencryption of database files;in database files, all data (including user names, etc.) is encrypted.
KeePass uses the Windows DPAPI for encrypting sensitive data in memory(via CryptProtectMemory /ProtectedMemory).With DPAPI, the key for the memory encryption is stored in asecure, non-swappable memory area managed by Windows.DPAPI is available on Windows 2000 and higher.KeePass 2.x always uses DPAPI if it is available; in KeePass 1.x, it can bedisabled (in the advanced options; DPAPI usage is enabled by default).If DPAPI is unavailable or disabled, KeePass falls back to encrypting theprocess memory using ChaCha20 with a random key; note that this is less securethan DPAPI, because the key is also stored in swappable process memory.On Unix-like systems, KeePass 2.x uses ChaCha20, because Mono does not provideany effective memory protection method.
For some operations, KeePass must make sensitive data availableunencryptedly in the process memory. For example, in order to show a passwordin the standard list view control provided by Windows, KeePass must supplythe cell content (the password) as unencrypted string(unless hiding using asterisks is enabled).Operations that result in unencrypted data in the process memory include,but are not limited to: displaying data (not asterisks) in standard controls,transferring data to/from other applications (via the clipboard, drag&drop,StdIn/StdOut, ...),replacing placeholders (e.g. during auto-type),searching data (e.g. the commands in the 'Find' menu that involve sensitive data),importing/exporting files (except KDBX) and loading/saving unencrypted files.Windows and .NET may make copies of the data (in the process memory)that cannot be erased by KeePass.
This provides maximum security: unlocking theworkspace is as hard as opening the database file the normal way. Also, it preventsdata loss (the computer can crash while KeePass is locked, without doing any damageto the database).
When trying to open an attachment that the internal viewer/editor cannot handle(e.g. a PDF file), KeePass extracts the attachment to a (EFS-encrypted)temporary file and opens it using the default application associated with this file type.After finishing viewing/editing, the user can choose between importingor discarding any changes made to the temporary file.In any case, KeePass afterwards securely deletes the temporary file(including overwriting it).
c80f0f1006