One of the features that I like more of StickyPassword is that unlike with other password managers in StickyPassword the user can change the database encryption algorithm. I had two questions about this:
1- After changing the encryption algorithm I did not notice any kind of database re-encryption, like for example, a small wait,but I can see in settings that the algorithm is the one I specified. I was wondering if when a user changes the encryption algorithm the old database is re-encrypted or a new one is created instead.
2-Is it possible for an attacker to find out what algorithm I am using to encrypt the database if they get hold of the encrypted database?
Question about database encryption algorithm
4 posts
• Page 1 of 1
Question about database encryption algorithm
by malcarada » Wed Apr 25, 2012 5:04 pm
My personal blog: http://www.wipeyourdata.com
- malcarada
- New user
- Posts: 16
- Joined: Sat May 28, 2011 8:43 pm
- Location: European Union
Re: Question about database encryption algorithm
by ondrej.novak » Fri Apr 27, 2012 12:53 pm
Hi,
1) Changing the encryption algorithm creates a new temporary database file (default.tmp) with new encryption used, copies the old database file (default.pws) to a backup file (for the restore from backup operation) and then renames the temporary database file to the default database filename. This process can be easily seen using tools like Process Monitor or similar.
You won't notice any delays as the database file is usually only a few kilobytes in size, so the operation takes like a few milliseconds on a today's average machine.
2) The name of used cryptographic provider is stored in open form, however without the Master Password and algorithm of key generation (which is not known without disassembling the program) it doesn't give much benefit to the attacker.
Best regards,
1) Changing the encryption algorithm creates a new temporary database file (default.tmp) with new encryption used, copies the old database file (default.pws) to a backup file (for the restore from backup operation) and then renames the temporary database file to the default database filename. This process can be easily seen using tools like Process Monitor or similar.
You won't notice any delays as the database file is usually only a few kilobytes in size, so the operation takes like a few milliseconds on a today's average machine.
2) The name of used cryptographic provider is stored in open form, however without the Master Password and algorithm of key generation (which is not known without disassembling the program) it doesn't give much benefit to the attacker.
Best regards,
Ondrej Novak
Sticky Password Team
We are on Facebook and Twitter too:
Sticky Password Team
We are on Facebook and Twitter too:
- ondrej.novak
- Experienced user
- Posts: 900
- Joined: Wed Apr 29, 2009 10:39 am
- Location: Czech Republic
Re: Question about database encryption algorithm
by malcarada » Fri Apr 27, 2012 5:41 pm
I would like to suggest that the algorithm used for data storage is not made visible in future StickyPassword versions if it were to be possible. The knowledge might not provide any huge breakthrough to an attacker but it seems like an extra layer of security.
For example, I was reading Wikipedia webpage about the Gost algorithm, available in StickyPassword, and it says that " In 2011 severe flaws have been discovered in GOST cipher and it has been called "a deeply flawed cipher" by Nicolas Courtois". I am not using it, but if I were and an attacker finds out he would know he stands a chance.
https://en.wikipedia.org/wiki/GOST_(block_cipher)
Thank you for your previous explanation.
For example, I was reading Wikipedia webpage about the Gost algorithm, available in StickyPassword, and it says that " In 2011 severe flaws have been discovered in GOST cipher and it has been called "a deeply flawed cipher" by Nicolas Courtois". I am not using it, but if I were and an attacker finds out he would know he stands a chance.
https://en.wikipedia.org/wiki/GOST_(block_cipher)
Thank you for your previous explanation.
My personal blog: http://www.wipeyourdata.com
- malcarada
- New user
- Posts: 16
- Joined: Sat May 28, 2011 8:43 pm
- Location: European Union
Re: Question about database encryption algorithm
by ondrej.novak » Mon Apr 30, 2012 3:47 pm
Hi,
thank you for your message.
We suggest to use the default encryption (AES (Rijndael)). Other encryption methods are for technically advanced users who would like to use it for some reasons.
Best regards,
thank you for your message.
We suggest to use the default encryption (AES (Rijndael)). Other encryption methods are for technically advanced users who would like to use it for some reasons.
Best regards,
Ondrej Novak
Sticky Password Team
We are on Facebook and Twitter too:
Sticky Password Team
We are on Facebook and Twitter too:
- ondrej.novak
- Experienced user
- Posts: 900
- Joined: Wed Apr 29, 2009 10:39 am
- Location: Czech Republic
4 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 1 guest