Comments (10)
Just as a small update, I have started looking into KDBX4 and written a bunch of not-yet-functional code on the dev-kdbx4 branch. I still have to update the block decryption code, which is why there are Crypto errors.
KDBX4 definitely needs its own implementation of the DB parsing since the outer binary format has changed a lot. @sts10 this is way too much for a first PR but I'll try my best to get this working.
from keepass-rs.
Small update: I verified by patching some debug prints into the source code of KeepassXC that the keys seem to get transformed correctly also using the Argon2 KDF. Next up is verification of headers using Sha256/HMAC and the implementation of the HmacBlockStream now used for the encrypted data.
from keepass-rs.
Sorry for my delayed response here -- I was traveling.
Latest version of keepass-rs works great for Medic. Version 0.2.5 can successfully open a keepass 4 database! I added a test to make sure.
Thanks for your hard work!
from keepass-rs.
Yes, Argon2 is not currently supported and yes, it sounds like a good addition to this library. PRs are welcome, if you would like to contribute one.
I will be travelling for the next three weeks but can try to drop in here every now and then if you have questions.
Edit: And thanks for / good job on medic, that's a tool that I didn't realize I was missing!
from keepass-rs.
Gotcha. I'm a bit daunted by trying to make the change myself, but I can try!
I'm guessing that the error I'm seeing is from this LOC, so it's not really an "invalid compression suite" but rather an unsupported cipher. Maybe making this error message more descriptive would be a baby-step PR for me.
I'm also guessing that outer_cipher
is the KDF, as opposed inner_ciper
?
Upon some digging, it looks like for KDBX 4, "key derivation function parameters are stored in the header field with ID 11 (KdfParameters)" (source). So might need to write new parsing function(s) for KDBX 4?
from keepass-rs.
Correcting the error message sounds like a good first step.
No, the KDF is not the outer_cipher
. Let me walk you through how the KeePass crypto used to work, hopefully that will clear things out.
In a nutshell, the KeePass crypto has several stages (see also this gist for some details https://gist.github.com/msmuenchen/9318327):
-
Derive a
composite_key
by concatenating password, keyfile, etc. -
Key Derivation: Transform the
composite_key
into atransformed_key
by repeatedly doing an AES/ECB encryption of the key in order to generate a high computational cost and protect against brute-forcing. Finally, hash the repeatedly encrypted key with SHA256 -- Probably, this is what you would have to replace with Argon2. -
The
master_key
is a SHA256 hash of the concatenation of themaster_seed
and thetransformed_key
-
The KeePass payload (several blocks of XML chunks) can now be decrypted using the
outer_cipher
- typically AES256 using CBC mode.. Since the first few bytes of decrypted payload are stored in the KeePass database, you can check here if everything went correctly until this step. -
All blocks from the payload get assembled into an XML document representing the database
-
If a value in the XML (such as passwords) are marked as protected, the values can be decrypted using the
inner_cipher
(typically Salsa20), astream_key
and a fixed initialization vector. The code for the decryption of the XML fields is a bit hidden in the XML parsing code.
from keepass-rs.
Regarding what you will probably have to touch, the compression suite error could also come from this code checking for the compression_flag
header value in addition to the line that you highlighted. According to the KDBX 4 docs that you linked, it looks like the header format changed quite a lot.
The KDBX 4 docs say:
As of KDBX 4, key derivation function parameters are stored in the header field with ID 11 (KdfParameters).
I didn't check this but here is the header parsing code that matches over the header field IDs. I am slightly confused why this code won't encounter an ID of 11 as the docs specify, though.
from keepass-rs.
Hmm, looking at the KDBX 4 docs, there might be a few more changes necessary. I unfortunately have to go right now but I hope that the notes that I left are still useful!
from keepass-rs.
I now managed to open a KDBX4 file and parse it, you can find the code in the dev-kdbx4 branch until I did some more cleanups. If you get a chance, please let me know if this is working for you!
from keepass-rs.
I've now merged into master together with some refactoring of the error handling and published v0.4.0 of the crate.
from keepass-rs.
Related Issues (20)
- Better UUID handling
- Discussion: DatabaseKey design HOT 5
- Define a security policy for the project
- Warnings about conflicting changes raised when merging with keepassxc-cli HOT 1
- FR: Better ergonomics in structs? HOT 3
- ci: migrate to dtolnay/rust-toolchain for setting up rust toolchain
- Add support for YubiKey Challenge-Response
- Add support for Argon2i KDF
- Want be a member HOT 1
- impl Zeroize for DatabaseKey HOT 2
- Make the `Build Doc` PR check required HOT 1
- Document the Minimum Supported Rust Version (MSRV)
- Implement Zeroize for Value::Protected
- keepass-rs panics if providing a defect kdbx file HOT 1
- Database::open() should use generic parameter HOT 3
- Implement Zeroize for TOTP
- update URL for code coverage badge HOT 2
- Incorrect key when opening kdbx4 HOT 1
- save_kdbx4: Chunking by block size in hmac_block_stream corrupts database
- Fix code coverage job HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from keepass-rs.