Closed: pedroalbanese closed this issue 2 years ago
The issues there are pretty much "if someone has access to your PC and puts a keylogger on it, they can get in" kind of issues. Yes, this is still vulnerable to it.
And the V2 format is more flexible.
Yes, I mean the attacks described. Assuming you have a strong password but the KDB file is in a cloud. Theoretically it is susceptible to these attacks: "For KDB, this issue has allowed silent data removal attacks. For KDBX, this issue has allowed silent data corruption attacks. Both were minor security issues (confidentiality was not compromised).", "attacks on the KDB and KDBX file formats based on unauthenticated header data."
Problem concerning header data authentication, as with MITMed ciphertext when encrypted/decrypted with a non-AEAD mode. When these attacks occur there is no alert and the encrypted file will be decrypted without warning that it has been altered, and the user will not notice or understand what happened.
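An added illustration of the silent-corruption point above (not code from this project or from anyone in the thread): a toy container with a plaintext header in front of a stream-encrypted body, opened once without and once with an encrypt-then-MAC tag over header and ciphertext. A SHA-256 counter keystream stands in for the real cipher, and the key, nonce, header and entry data are constructed for the demo.

```python
import hashlib
import hmac

TAG_LEN = 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256: a stand-in for a block cipher in a
    # non-AEAD mode so the example runs with only the standard library.
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])

def seal_unauthenticated(key, nonce, header, body):
    # Plaintext header followed by ciphertext; nothing protects either.
    ct = bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))
    return header + ct

def open_unauthenticated(key, nonce, blob, header_len):
    header, ct = blob[:header_len], blob[header_len:]
    return header, bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def seal_authenticated(key, nonce, header, body):
    # Encrypt-then-MAC over nonce + header + ciphertext: any change to the
    # header or the ciphertext changes the tag, so the reader can refuse it.
    blob = seal_unauthenticated(key, nonce, header, body)
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return blob + hmac.new(mac_key, nonce + blob, hashlib.sha256).digest()

def open_authenticated(key, nonce, blob, header_len):
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("header or ciphertext was modified")
    return open_unauthenticated(key, nonce, body, header_len)

# Constructed sample data; the fixed nonce is only for a deterministic run.
KEY = hashlib.sha256(b"constructed demo password").digest()
NONCE = b"\x00" * 16
HEADER = b"DEMO-HEADER rounds=60000\n"
BODY = b"entry: example.com / alice / hunter2\n"

def flip_header_byte(blob: bytes) -> bytes:
    # Models the storage-side change the thread describes: one header byte
    # altered, turning "rounds=60000" into "rounds=60001".
    out = bytearray(blob)
    out[len(HEADER) - 2] ^= 0x01
    return bytes(out)

def unauthenticated_result():
    blob = flip_header_byte(seal_unauthenticated(KEY, NONCE, HEADER, BODY))
    header, body = open_unauthenticated(KEY, NONCE, blob, len(HEADER))
    return header != HEADER, body == BODY   # header changed, body fine, no error

def authenticated_result():
    blob = flip_header_byte(seal_authenticated(KEY, NONCE, HEADER, BODY))
    try:
        open_authenticated(KEY, NONCE, blob, len(HEADER))
    except ValueError:
        return "rejected"
    return "accepted"
```

`unauthenticated_result()` returns `(True, True)`: the altered header is accepted and the body decrypts cleanly, which is exactly the "no alert" case; `authenticated_result()` returns `"rejected"`.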
I don't understand your threat model. Yes, if you leave your file on Dropbox, Dropbox can corrupt it. You are describing a high-level intentional attack, not some random bit flips. But yes, even bit flips can break the file. This is inherent in the format, but it's true of ANY format. If you put a docx on Dropbox, they can scramble it as well, and trivially.
If you are being hunted by 3-letter agencies or anyone else that can access your hosting with the express intention of making a file of yours difficult to open, I recommend you not store your passwords on a server you can't trust.
And honestly, this code isn't hardened to the point that I'd feel comfortable recommending it with that extreme a threat model.
So to answer the questions: yes, this code is vulnerable to those kinds of attacks. Even more so than the official clients, because they include those attacks in their tests and we don't.
No agencies, hehe. I will use it anyway, it's really good. It allows me to integrate my devices and access and edit KDB files both on my Windows PC and Android phone. I had to make changes because on Windows it always alerts you that the KDB file is in use and may get corrupted.
Thanx!
Greetings!
Your app is excellent! Does it also suffer from such problems? https://keepass.info/help/kb/sec_issues.html Or is it a problem inherent in the format?
What is the advantage of using V2?
Thanks in advance!