sbidy / KeePass-KeyManager

A public key manager to manage multiple X.509 certificates for a KeePass password database.
GNU General Public License v3.0

Vulnerability: Secure Desktop not available #5

Closed queesamor closed 5 years ago

queesamor commented 6 years ago

In order to protect the authentication process when opening a database, I configure all Keepass installations to use the Secure Desktop for this step. Unfortunately, when testing out your plugin Keepass tells me that it is incompatible with the Secure Desktop, and in order to use it we would have to turn this security feature in Keepass off! This would open up vectors of attack specifically guarded against in Keepass by using the Secure Desktop; is there anything you can do to make this compatible?

If not, I am afraid that your plugin cannot be approved for use in our environments, although we would really like this to be possible!

sbidy commented 6 years ago

Hey, thank you for the feedback! I have to review the issue and try to fix it with the KeePass interface capabilities.

sbidy commented 6 years ago

I tried to implement the secure desktop feature ... but without any success. I'll talk to the KeePass developers for advice.

queesamor commented 6 years ago

Thank you for the update!


sbidy commented 5 years ago

Currently there is no possibility to implement SecureDesktop for the plugin. I'll reopen the issue if the status changes.

From a security perspective the secure desktop doesn't prevent malware from accessing memory. SecureDesktop only covers the keylogger vector. This should be mitigated by the use of an HSM or the Windows cert store.

queesamor commented 5 years ago

What was the advice given by the KeePass devs? Can you share what they said, in case it might be helpful for someone to possibly contribute?

Will you please elaborate on what you mean by "no possibility to implement"? We use other KeePass plugins which have implemented this security feature, so I'm a bit puzzled by what you've said.

Finally, neither HSM modules nor the Windows certificate store provide any mitigation against password theft. Have I completely misunderstood you, or are you really saying that this security vulnerability which KeePass allows to be mitigated and recommends is really not a big deal, because passwords don't matter?

sbidy commented 5 years ago

So some of the available plugins may have implemented this feature. But in most cases it addresses the attack vector of a password theft. In the case of a certificate-based (public/private key pair) setup there is no password for decryption and accessing the AES key for the KeePass database. The key will be encrypted by an enveloped key which is encrypted with the/your public key. So if you try to access the KeePass database, the plugin tries to decrypt the enveloped key. What's not supported, and also does not raise the overall security level, is to use the plugin in combination with a "master password".

If you are using a smart card like a Safenet E-Token or Yubikey, the CSP (or minidriver) is indirectly called via the .NET EnvelopedCms.Decrypt() call. Now the CSP or "Smart Card Software" is responsible for the password "handling" to authorize the use of the private key. So maybe you can enable the "secure desktop" in the CSP or smart card client software. If you are using a "plain" Windows store cert and the private key is in the "Windows key ring" without an access password/PIN (like an OpenSSL private key without the -des3 flag), the plugin can decrypt the enveloped key material for accessing the KeePass DB without prompting for a password.

In addition, if some "bad" guy can capture your smart card password, the (remote) attacker must also copy the private key from the card. Normally (Safenet, Yubikey) an export of the private key from a smart card should not be possible. So in this case the attacker must have captured your smart card password and also must have stolen your card physically.

Finally, the key manager is not directly responsible for securing the password for this attack vector. But it is correct that the key (exactly: the KeePass database AES key) is stored in memory and can be captured, for example by a memory dump attack. But this is not mitigated by a secure-desktop-provided password form. However, due to the nature of how memory is managed in Windows, processes are free to access and edit the memory of any other process regardless of what desktops they're on. - taken from here

Please challenge me and fork the project and maybe implement the function. 😉 But please don't troll or hate around here. I hope my explanation is meaningful and understandable. Maybe I'll create a chart for that secrets handling.
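The enveloped-key flow sbidy describes above, as an added example that is not the plugin's own code: a 32-byte KeePass-style database key is wrapped in a CMS EnvelopedData structure for a recipient certificate and unwrapped again through `EnvelopedCms.Decrypt()`. The class and method names, the self-signed demo certificate and the sample key are assumptions for illustration; the point is that wrapping needs only the public certificate, unwrapping exercises the private key through whatever provider holds it (software CSP/CNG or a smart-card minidriver), and any PIN prompt or secure-desktop dialog comes from that provider, never from this code.

```csharp
// Added example, not code from the KeePass-KeyManager plugin: wraps a
// 32-byte KeePass-style database key in a CMS EnvelopedData structure for a
// recipient certificate and unwraps it again through EnvelopedCms.Decrypt(),
// the call path the thread describes. Class and method names are hypothetical.
// Needs the System.Security.Cryptography.Pkcs package on .NET Core / .NET 5+.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

public static class KeyEnvelopeDemo
{
    // Wrapping needs only the recipient's public certificate. The default
    // CmsRecipient uses RSA PKCS#1 v1.5 key transport; on .NET Core 3.0+ the
    // (X509Certificate2, RSAEncryptionPadding) overload can select OAEP instead.
    public static byte[] WrapKey(byte[] databaseKey, X509Certificate2 recipientPublicCert)
    {
        var cms = new EnvelopedCms(new ContentInfo(databaseKey));
        cms.Encrypt(new CmsRecipient(recipientPublicCert));
        return cms.Encode(); // DER-encoded EnvelopedData; safe to store beside the .kdbx
    }

    // Unwrapping is where the private key is exercised. Decrypt() asks the
    // certificate's key provider (software CSP/CNG, or a smart-card minidriver)
    // to perform the RSA operation; any PIN prompt comes from that provider,
    // not from this code, and a software key with no PIN yields the key silently.
    public static byte[] UnwrapKey(byte[] envelope, X509Certificate2Collection candidates)
    {
        var cms = new EnvelopedCms();
        cms.Decode(envelope);
        cms.Decrypt(candidates);
        return cms.ContentInfo.Content; // the plaintext database key, now in process memory
    }

    // Constructed stand-in for a store certificate with a software-held private key.
    public static X509Certificate2 CreateDemoCertificate()
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=KeePass key envelope demo", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(
            new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: false));
        using var ephemeral = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        // Round-trip through PFX so the private key is attached the way a
        // store-imported certificate's would be (ephemeral keys are rejected by
        // some Windows CNG paths that EnvelopedCms relies on).
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx), (string)null,
            X509KeyStorageFlags.Exportable);
    }

    public static void Main()
    {
        byte[] databaseKey = new byte[32];           // constructed sample key
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(databaseKey);

        using X509Certificate2 cert = CreateDemoCertificate();
        // Public-only copy: all a wrapping party actually needs.
        using var publicOnly = new X509Certificate2(cert.Export(X509ContentType.Cert));

        byte[] envelope = WrapKey(databaseKey, publicOnly);
        byte[] recovered = UnwrapKey(envelope, new X509Certificate2Collection(cert));

        bool ok = CryptographicOperations.FixedTimeEquals(databaseKey, recovered);
        Console.WriteLine($"envelope {envelope.Length} bytes, key recovered: {ok}");

        // Wipe the plaintext key when done; this is the only mitigation this
        // code can offer against the memory-read attack discussed above.
        CryptographicOperations.ZeroMemory(recovered);
        CryptographicOperations.ZeroMemory(databaseKey);
    }
}
```

To see the smart-card behaviour the comment describes, replace `CreateDemoCertificate()` with a certificate whose private key lives on a token and pass it in `candidates`: `Decrypt()` then blocks on the card's PIN dialog, and the plaintext key only reaches process memory after the card has performed the RSA operation, so a stolen PIN alone is not enough without the card. Whether that PIN dialog runs on a secure desktop is a setting of the card middleware, not of KeePass or the plugin.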

queesamor commented 5 years ago

I'm not trying to be hateful, only to be clear.

If my team decides to spend the time to look at implementing this ourselves, would you be open to receiving and merging a pull request from us (assuming we produce something of value)?

sbidy commented 5 years ago

> I'm not trying to be hateful, only to be clear.
>
> If my team decides to spend the time to look at implementing this ourselves, would you be open to receiving and merging a pull request from us (assuming we produce something of value)?

Sure, if you provide a pull request for the plugin and it doesn't affect any other feature, I'll merge it for a future release.