keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Support Windows Secure Desktop when entering master password #3460

Open ThatDeaf-ITGuy opened 4 years ago

ThatDeaf-ITGuy commented 4 years ago

Summary

KeePass 2.x has a feature whereby the application takes the user to a "secure desktop" space to enter the master password. Per their documentation, this theoretically makes it harder (but not impossible) for keyloggers to log a user's master password. Like KeePass 2.x, this should probably be an "opt-in" feature.

This StackExchange post seems to do a good job in explaining how the mechanism works.

Desired Behavior

Upon launching KeePassXC with the feature enabled, the application should take the user to a "secure desktop" session. Appearance wise, this would look a lot like a regular UAC prompt, but with the password database login window instead of the usual UAC window. Here's what it looks like in KeePass 2.x.

[image: keepassSD]

Possible Solution

No idea what work might be involved in implementing this, sorry 😕

Context

The main reason I'm requesting this is to regain feature parity with the original KeePass application. Secondarily, I think this will make the application slightly more secure against keyloggers.

droidmonkey commented 4 years ago

Based on the linked article you provided KeePass is really just operating a security theater with their "secure desktop". I very highly doubt this would protect you from key loggers. There is no capability in Windows to provide a proper secure desktop outside of system level processes. In fact, we protect our memory such that attacks on the running KeePassXC process are impossible without administrative permissions.

TLDR; we are not going to implement security theater. If your computer has a key logger installed it's game over no matter what you try to do.

Ajedi32 commented 4 years ago

I don't think this is just security theater. It may not protect against keyloggers, but it does provide some protection against intentional or accidental phishing by:

  1. Greying out the entire screen in a way which can't be emulated by (for example) a phishing website
  2. Preventing other applications (like chat applications) from (unintentionally) stealing focus and capturing the user's password as they enter it

Probably not a huge deal, but I don't think it's entirely useless either.

OLLI-S commented 4 years ago

I also support and request this feature. As far as I know the secure environment is a feature provided by Windows, so Windows makes sure that the environment is secure (this is not a feature of the application that calls the secure mode).

@droidmonkey can you please re-open the issue, so we can discuss about it. And maybe someone is donating to it. Thank you!

OLLI-S commented 4 years ago

I searched for "windows secure desktop" and found this article (but did not read it): https://security.stackexchange.com/questions/3759/how-does-the-windows-secure-desktop-mode-work

Maybe this gives you more information

droidmonkey commented 4 years ago

I've read all of that. You basically request windows to create a new desktop that then owns the window you want to secure. That desktop is owned and started by the SYSTEM user. However, that still does not protect you from a keylogger while using your database after you log into it. Any keylogger that has root access will also bypass protection provided by this alternative desktop. If someone else implements it I'd merge into the baseline.

OLLI-S commented 4 years ago

Thank you, @droidmonkey for re-opening it.

I believe what you say (you are a developer, I develop only as a hobby and in Lazarus, a pascal IDE). And I am far away from being a good developer, so you are the expert!

At the KeePass website I read:

> Benefit. Most currently available keyloggers only work on the user's primary desktop and do not capture keypresses on the secure desktop. So, the secure desktop protects the master key against most keyloggers.

If this is true (that this feature can prevent some keyloggers) then this feature increases the security. Because some (not all) keyloggers are not working on the secure desktop.

droidmonkey commented 4 years ago

https://youtu.be/d__lYpUwIRE

OLLI-S commented 4 years ago

Thank you, @droidmonkey for the video. For me it is really hard to follow the video (first speaker speaks only Spanish, and at the second speaker I did not get all content).

But I learned that they created a keylogger process on every desktop and if KeePass is creating a secure desktop, then the keylogger is already there and listening.

I also saw (and I hope I understood this correctly) that 1Password also allows to unlock on the secure desktop and that it alerts the user if there is any other process (other than 1Password.exe) running on the secure desktop. And users can allow or deny the process:

[image]

Users get an alert that there is another app running in the secure desktop and they know that something might be wrong with the system. So such a warning would make the secure desktop much safer.

My suggestion is that you also implement the secure desktop feature in combination with such a warning, because:

So this feature increases the security in comparison to a normal desktop. I know that this is not 100% secure, but it is more secure than the normal desktop!

By the way: after 51:38 in the video the speaker talks something about a "bypass" and "wait some seconds" but I don't get everything to understand this (it seems that the 1Password protection can be bypassed by waiting a few seconds and then starting the keylogger). But I think the text I wrote above (that it is more secure) is still valid.

droidmonkey commented 4 years ago

Sorry I did not know it was in Spanish! I also found a pdf file from black hat that I'll post later.

droidmonkey commented 4 years ago

Here is the PDF I found earlier: https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Bypassing-the-Secure-Desktop-Protections-Slides.pdf

phoerious commented 4 years ago

That one's Google-translated, isn't it? :see_no_evil:

OLLI-S commented 4 years ago

Thank you, @droidmonkey

skis4hire2 commented 4 years ago

> Here is the PDF I found earlier: https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Bypassing-the-Secure-Desktop-Protections-Slides.pdf

That blackhat presentation lays out the problem nicely and also highlights the solution mentioned by @OLLI-S. (also video in English here: https://youtu.be/pEHrwR7WyyA )

So long as Keepass checks that it is the only running process in the secure desktop, the demonstrated vulnerability is mitigated.

The original implementation of the secure desktop entry is in ProtectedDialog.cs a mirror of which is at https://github.com/dlech/KeePass2.x/blob/VS2019/KeePass/UI/ProtectedDialog.cs
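
The "only process on the desktop" check discussed above can be sketched against the Win32 desktop API. This is an added example, not code from KeePass, KeePassXC or 1Password; the `DesktopCheck` class, the `ForeignProcesses` helper and the `PwPrompt-` desktop name are hypothetical. It creates a separate desktop without switching to it and lists processes other than itself that own a top-level window there:

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class DesktopCheck
{
    const uint DESKTOP_READOBJECTS = 0x0001, DESKTOP_CREATEWINDOW = 0x0002;

    delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateDesktop(string name, IntPtr device, IntPtr devmode,
                                       uint flags, uint access, IntPtr security);
    [DllImport("user32.dll")]
    static extern bool EnumDesktopWindows(IntPtr hDesk, EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")]
    static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")]
    static extern bool CloseDesktop(IntPtr hDesk);

    // PIDs other than ours that own a top-level window on the given desktop.
    // Only top-level windows are enumerated, so this is a tripwire, not proof of a clean desktop.
    static HashSet<uint> ForeignProcesses(IntPtr hDesk)
    {
        uint self = (uint)Process.GetCurrentProcess().Id;
        var foreign = new HashSet<uint>();
        EnumWindowsProc cb = (hWnd, _) =>
        {
            GetWindowThreadProcessId(hWnd, out uint pid);
            if (pid != self) foreign.Add(pid);
            return true; // keep enumerating
        };
        // Return value not treated as fatal: an empty desktop may be reported as a failure.
        EnumDesktopWindows(hDesk, cb, IntPtr.Zero);
        GC.KeepAlive(cb); // keep the delegate alive for the duration of the native call
        return foreign;
    }

    static int Main()
    {
        // Random, single-use desktop name (constructed for this example).
        string name = "PwPrompt-" + Guid.NewGuid().ToString("N");
        IntPtr hDesk = CreateDesktop(name, IntPtr.Zero, IntPtr.Zero, 0,
                                     DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW, IntPtr.Zero);
        if (hDesk == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            HashSet<uint> foreign = ForeignProcesses(hDesk);
            foreach (uint pid in foreign) Console.WriteLine("foreign process on desktop: PID " + pid);
            return foreign.Count == 0 ? 0 : 1; // non-zero: warn the user before prompting
        }
        finally { CloseDesktop(hDesk); }
    }
}
```

A real prompt would repeat the check while the dialog is shown, since the bypass mentioned in this thread involves a process arriving a few seconds later.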

burn2k commented 4 years ago

Besides all the security points, there is one huge advantage with a secure desktop while entering your password. No other program pops up in the middle of typing and steals your typing focus. I experience this all the time with KeepassXC and it is so annoying. I start some programs, one of the programs is KeepassXC. KeepassXC is ready and I start to enter my password. Then, while I'm typing, firefox or some other program pops in front and I type the last part of the password in the new opened program. This can't happen with an exclusive (secure) desktop.

OLLI-S commented 4 years ago

This also happens to me (at start-up of my PC I start many apps and some parts of the master-password I type in other applications). So @burn2k is totally right, the Secure Desktop would solve this problem...

phoerious commented 4 years ago

I don't understand this use case. Why would you unlock your database before you need it? Unlocking my database is never the first thing I do after booting the PC, so I've never seen anything pop up in front of KeePassXC.

burn2k commented 4 years ago

It can also happen, if your computer is already completely booted. For example, if you start Firefox and KeepassXC at the same time, normally KeepassXC is faster and I start typing my master password. If I'm not fast enough or if I don't wait for Firefox to start first, then I end up typing the password in Firefox. Hope this example helps you to get a better understanding of this use case.

OLLI-S commented 4 years ago

I have several apps that automatically start with Windows. For example SUMo, MailWasher, KeePassXC, Microsoft PowerToys and others. When I focus KeePassXC to enter my master password, it happens that while typing another app gets the focus and so I enter parts of the password in the other app. This happens very often at my office PC that currently has a slow VPN connection (Home-Office).

Chaython commented 4 years ago

Still no update on this? The only reason I still use keepass is because of the extra security features over xc. However minimal, the point in a password manager is extra security. Please implement secure desktop. Attached is AceSecurity.cs, aceui.cs and securetextboxex.cs from the keepass source, seems to be secure desktop stuff. I'm not smart, but I am pushy :p

droidmonkey commented 4 years ago

So you are OK with any userspace app being able to read the entire memory contents of KeePass, but not OK with KeePassXC not having a marginally more secure "secure desktop" entry for the master password.

Chaython commented 4 years ago

> So you are OK with any userspace app being able to read the entire memory contents of KeePass, but not with a marginally more secure "secure desktop" entry for the master password.

It's supposed to be encrypted in ram, unless you view the passwords. It's supposed to be encrypted in clipboard too and supposedly modern browsers/sites encrypt password field entries as well as they hide the passwords. Modern Antivirus also run web browsers in an isolated environment etc. Why wouldn't you isolate your password manager's master key?

droidmonkey commented 4 years ago

You have a lot to learn grasshopper, nothing you wrote is true

Chaython commented 4 years ago

Well according to keepass's faq it stays encrypted unless revealed. Kaspersky safe money says it runs your web browser in an isolated environment. Sys is much more secure than local user.

phoerious commented 4 years ago

I suggest you try a memory inspector on KeePass. Everything there is readable by any process of the same user without any special privileges, including the master password. KeePassXC is in fact more secure in that regard. The clipboard is never encrypted, as that would defeat its whole purpose.

Chaython commented 4 years ago

Please suggest a windows executable for inspecting memory. HeapMemView doesn't see keepass, RamMap does, but I don't believe there's a way to inspect the data with it[?] As for clipboard encryption, there are methods to do so. But pasting would require decryption.

droidmonkey commented 4 years ago

Process hacker

Chaython commented 4 years ago

Well I dumped keepass then viewed in a hex editor, and there's nothing useful. Do you have some post/article about viewing keepass passwords in memory? As stated in keepass faq I can view email/username/site/autotype/notes/creation date/.... but not any passwords.

droidmonkey commented 4 years ago

OK we are way off topic but this is important. To be clear, merely unlocking the database is not enough to expose passwords in memory thanks to KeePass's "in-memory" encryption. However, the moment you interact with a password (Copy, Auto-Type, reveal it, edit it, etc) it will stick in memory and stay in memory even after database lock. Here is how you can see this:

[four images]

These screenshots in Process Hacker were taken AFTER the database was locked.

Chaython commented 4 years ago

Keepass says it overwrites all mem on exit, it too is encrypted with DPAPI. "Furthermore, KeePass erases all security-critical memory (if possible) when it is not needed anymore, i.e. it overwrites these memory areas before releasing them." Sounds like XC is easily exploitable and fans here are deflecting.

droidmonkey commented 4 years ago

What are you talking about, those screenshots from process hacker are for KeePass2, not KeePassXC. It is impossible to read the memory of KeePassXC without administrative access, try it for yourself.

R4ygen commented 3 years ago

If we can return to the topic and stop discussing who is the best password manager...

...I too would like to see this feature. Mainly to be sure to always have the focus on XC when inserting the master password while multiple apps are open, especially during boot, as has already been pointed out. And yes, it's known that Secure Desktop is not the ultimate security feature and has its limits. But it's still a big help against "dumb" and basic malwares / script kiddies, especially if implemented with the 1Password method.

Looking forward to see this implemented! Take this as a bump with a bit of recap of the thread

YousefOnWeb commented 3 years ago

One more very handy advantage to Secure Desktop, regardless of how much we like or dislike the naming or the way Microsoft markets it, is the inability for software to 'simply' capture or record my screen while entering the master password; instead, it returns a black screen (you can try it using some software like OBS). So, it would be very useful in two possible cases:

If some feature makes a little improvement to security, it's best to implement it, especially for such a sensitive database. Everyone here knows there is no ultimate secure solution, but there is an ability to reduce the surface of vulnerability even with a small impact (hardening). And it surely will improve security, so why not?

My BIG respect for your team's efforts.

Xeevis commented 3 years ago

I think it's kind of void to argue that it may be at some point using specially crafted code defeated and therefore there is no reason to do it, but what can't be exploited? Microsoft gave us a more secure environment for inputs, it's their prerogative to make sure it's as secure as possible and it may improve with each update. From what I see it has several benefits and no drawbacks whatsoever (even compatibility can be detected).

GvY85 commented 3 years ago

I also would very much like to see this implemented. Especially the '1Password' method so you can detect any other processes running. IMO that would increase security at least a bit and also would be convenient.

Thanks for the effort and for the great program btw!

tvcat commented 3 years ago

I support the implementation of secure desktop.

It clearly provides better security as explained above.

And KeePass actually has an option to turn on DACL; the user has to turn it on by editing the config file. It is done so for compatibility with accessibility tools and others.

I just know about this alternative and the first try seeing it without secure desktop is a bit worrying for me.

Uj947nXmRqV2nRaWshKtHzTvckUUpD commented 2 years ago

Maybe this should be implemented to give people peace of mind, especially for newcomers from keepass. I myself am in the process of migrating and that's why I am here reading about this. For me secure desktop is the only feature that is missing from having a perfect password manager at this point.

gabriele-v commented 1 year ago

Hello @droidmonkey, any plan to support this? From numbers of thumbs up above I think we can group some donations for this specific topic.

Thanks

droidmonkey commented 1 year ago

I'll look into it

Graphite23 commented 1 year ago

Thank you for looking into this. After Keepass2's recent debacle, many have been flocking to KeepassXC, and find that Secure Desktop is the only missing security feature. Without rehashing the above thread, I just want to add that I was trying to replicate the attack scenario in question for Keepass2 (silently export the entire database in plaintext when a user opens, without prompting for the key again), but with KeepassXC. KeepassXC doesn't have this trigger feature, nor a silent export feature. But keepassxc-cli does have something similar.

First, using Powershell, I was able to get the master password from KeepassXC just by stealing focus so the user types the password into the terminal running keepassxc-cli. It was pretty noticeable if the master password was long and the user is paying attention. So then I wrote up a simple Powershell keylogger which sent the password to keepassxc-cli. I can run it in the background as the regular user, and is generally undetected by the user. Since it executes at the same time as the user's normal unlock process, it can get the entire plaintext database even if a yubikey and/or keyfile is being used. Since this is a script-kiddie approach, AV doesn't stop it. Secure Desktop would prevent both of these unsophisticated script-kiddie attacks!

Yes, some keyloggers and memory injection techniques can still be successful even with secure desktop... but those things are much more heavy handed and expose the attacker to the other security controls running on Windows such as AV and EDR. Secure Desktop is a good addition to any password manager, even if only as protection from low-hanging fruit.

Xeevis commented 1 year ago

Dominik's remarks regarding secure environment leave me utterly confused. If he expects you to run a perfectly secure environment and that it's not his calling to make any effort in protecting your passwords, why even bother with secure desktop? Why develop encrypted formats, why mask passwords, use lock files, protect memory etc.

If your environment is perfectly secure, you might as well just put all your passwords in plain CSV. He essentially put his own software as glorified table reader, for everything else there is AV, Windows Hello and BitLocker ... No wonder people are bailing out. I do hope KeePassXC will pile up as many security features as possible and Secure desktop would certainly make a good addition even if only to stop script-kiddies, though I imagine it's better than that.