sirAndros / KeePassWinHello

Quick unlock KeePass 2 database using biometrics with Windows Hello
MIT License

Manually revoke key #10

Closed ghost closed 4 years ago

ghost commented 5 years ago

When the initial validity time range was set to 'Unlimited', is there a way to revoke the key and require the original password again? I thought it might be enough to switch back the time range, but it does not seem to have any effect.

shuffle-c commented 5 years ago

Hi,

Thanks for the report. This issue will be fixed in version 2.0, which is going to be delivered soon. We've also added a button for manual revoking all currently stored keys.

For now there is a standard way for the plugin to forget a key. You need to lock your db, request to unlock and choose cancel twice: in the WinHello dialog and then in the KeePass dialog.

Best wishes, Sasha

rjt commented 5 years ago

Would not be surprised if these keys are readable by Mimikatz.

shuffle-c commented 5 years ago

Hi,

I would :)

According to the description, "It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets."

We do not keep keys in any of these forms; they are strongly encrypted by AES and the built-in cryptographic algorithm of the Windows Hello technology.

Best wishes, Sasha

rjt commented 5 years ago

Here's to hoping the private key never leaves the embedded TPM. Mimikatz would reconstruct the private key from it being sprayed all over the registry and filesystem, then pull the plain-text, human-readable domain admin password out of lsass.exe. If not in the TPM, Mimikatz will find that key sooner or later if it has not already.

Who really needs the WinHello private key? Since it could read lsass.exe, it could also read passwords out of keepass.exe.

shuffle-c commented 5 years ago

Well, theoretically speaking, you could do anything if you run your code with admin privileges; there is no way to be protected against it in principle. But in practice, anyway, you have to overcome a lot of technical obstacles and be lucky to obtain a particular effective key from inside the KeePass process. KeePass and, we believe, our plugin do as much as possible to protect the user's data. Still, one has to take into account that all data is vulnerable while malicious code is running under an elevated token.

sirAndros commented 4 years ago

We've implemented a permanent storage in our new release v3.0.