21

KeePass is an application that keeps all your passwords for you in a database. It is primarily protected by a master password and/or keyfile. If the database is properly encrypted with that password this can be quite secure.

There is a plugin OtpKeyProv that supposedly increases security by adding a second authentication factor. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database.

My question: does this really increase security? I see no way how the OTP mechanism can be used to further encrypt the database. Can't a hacker that gets hold of the database not simply compile a version of KeePass (it is open source) that does not ask for the OTP value?

As far as I can see the plugin only annoys you when you want to access the application, leading to a false sense of extra security.

Or am I overlooking something.

Adi
  • 43,953
  • 16
  • 137
  • 168
Jeff
  • 3,609
  • 4
  • 19
  • 23

4 Answers4

15

No. Security remains the same + extra cognitive overhead.

Presumably the plugin uses OATH HOTP where the KeePass file or master key is re-encypted after each access with the next one-time-password.

However to generate the next password on the device, the plugin would require either a secret stored on the device or the normal password for the KeePass file.

Security from a one-time-password comes from two parties knowing the same key and counter - HOTP(Key,Counter) - while an attacker doesn't know the key. If the attacker has access the device storing the KeePass installation and files, the security re-collapses to the security of the normal password on its own. If the KeePass file is still interoperable with other KeePass programs, then you gain nothing from using a one-time-password in this fashion.

One-time-passwords work well for server authentication because both client and server end-points are considered secure and the attacker needs 'something you own' as well as 'something you know'. If the attacker has your computer, then they now have 'the thing you own'.

LateralFractal
  • 5,173
  • 18
  • 41
  • 4
    "presumably" suggest you didn't check [the source](http://keepass.info/extensions/v2/otpkeyprov/OtpKeyProv-2.4-Source.zip), in contrast to [mdonoughe's answer](https://security.stackexchange.com/a/73802/3272). But I agree with you that OTP makes more sense for _authentication_ but not for _decryption_. – Tobias Kienzler Nov 30 '16 at 09:32
  • @TobiasKienzler Fair enough. I didn't dive into the source for this plugin; I simply assumed that the OAUTH HOTP would be the most logical open standard to implement such an OTP overlay. – LateralFractal Dec 01 '16 at 00:43
  • 1
    The plugin is still mostly pointless though. If the OTP stream is time-based, the keepass file would have to be accessed frequently forever as @mdonoughe warns; or stored as a series of effectively static keys for non-temporal OTP streams. The later amounting to a fancy version of a keyfile; a _"something you own"_ feature that KeePass supports out of the box. One scenario that would prove useful is a non-time-synched OTP dongle is hardened more than the average USB for storing the master secret (seed or keyfile). – LateralFractal Dec 01 '16 at 01:07
  • I couldn't agree more. OTP simply is not suitable for decryption. What _might_ work using a Yubikey would be something à la [using a asymmetric signature as decryption key](https://security.stackexchange.com/q/23252/3272), i.e. using its [Challenge-Response](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html) capabilities (or its OpenPGP or PIV or U2F, I guess)... – Tobias Kienzler Dec 01 '16 at 07:06
11

From reading the source it looks like the secret is stored on the Yubikey and stored encrypted multiple times with different keys inside the otp.xml file. The encryption keys are derived from the next n OTPs (derived from the secret) starting from OTP i..i+m where i is the current counter and m is the look ahead value. When the user enters their OTP values, the plugin creates a key from those values and tries to decrypt one of the encrypted copies of the secret using that key. If successful, the secret is used to derive the next n+m OTPs and generate the m keys used to encrypt the secret for next time before unlocking the database. This means that the protection cannot be bypassed without having some copy of the secret, which is not stored in plain text alongside the database.

Although apparently secure, I don't like this plugin because of the possibility for the counters to go out of sync. Be sure you have a copy of the secret written down somewhere safe.

mdonoughe
  • 276
  • 3
  • 3
3

KeePass has a master-key that is encrypted with your password normally. If that key is encrypted with something generated by the OTP and your password, then both mechanisms would be needed to decrypt the master key that encrypts the data store. That said, I'm not sure how they may have implemented a OTP setup that is secure since normally a OTP is a method of authentication rather than key storage (ie, I don't know how you would have the OTP unlock the key).

It is also suspect that they could effectively prevent replay since the db is controlled by an attacker in most attack scenarios, just not necessarily in the way you expected. They may have some way around this problem, but I can't think of one.

Bob Ortiz
  • 6,339
  • 9
  • 45
  • 91
AJ Henderson
  • 41,896
  • 5
  • 63
  • 110
-2

Yes security is improved because there an additional HOTP "password". This would foil keylogger trojans which can grab normal passwords.