Question about database encryption algorithm

Postby malcarada » Wed Apr 25, 2012 5:04 pm

One of the features that I like most about StickyPassword is that, unlike with other password managers, in StickyPassword the user can change the database encryption algorithm. I had two questions about this:

1- After changing the encryption algorithm I did not notice any kind of database re-encryption, like for example, a small wait, but I can see in settings that the algorithm is the one I specified. I was wondering if when a user changes the encryption algorithm the old database is re-encrypted or a new one is created instead.

2- Is it possible for an attacker to find out what algorithm I am using to encrypt the database if they get hold of the encrypted database?
My personal blog: http://www.wipeyourdata.com
malcarada
New user
 
Posts: 16
Joined: Sat May 28, 2011 8:43 pm
Location: European Union

Re: Question about database encryption algorithm

Postby ondrej.novak » Fri Apr 27, 2012 12:53 pm

Hi,

1) Changing the encryption algorithm creates a new temporary database file (default.tmp) with new encryption used, copies the old database file (default.pws) to a backup file (for the restore from backup operation) and then renames the temporary database file to the default database filename. This process can be easily seen using tools like Process Monitor or similar.
You won't notice any delays as the database file is usually only a few kilobytes in size, so the operation takes like a few milliseconds on today's average machine.

2) The name of the cryptographic provider used is stored in open form, however without the Master Password and algorithm of key generation (which is not known without disassembling the program) it doesn't give much benefit to the attacker.

Best regards,
Ondrej Novak
Sticky Password Team

ondrej.novak
Sticky Password Guru
 
Posts: 975
Joined: Wed Apr 29, 2009 10:39 am
Location: Czech Republic
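
The swap sequence described in the reply above (temporary file, backup copy, rename), as an added Python example that is not Sticky Password's own code. It assumes the caller has already produced the re-encrypted bytes; the function name and the `.bak` backup suffix are hypothetical, since the post does not name the backup file.

```python
import os
import shutil
import tempfile


def swap_in_reencrypted(db_path, new_ciphertext, backup_suffix=".bak"):
    """Replace db_path with new_ciphertext: temp file -> backup -> rename.

    new_ciphertext is the database already encrypted under the newly
    selected algorithm (producing it is outside this example).
    Returns the path of the backup copy of the old database.
    """
    tmp_path = os.path.splitext(db_path)[0] + ".tmp"  # default.pws -> default.tmp
    backup_path = db_path + backup_suffix             # assumed backup name
    try:
        # 1. Write the new database to the temporary file and force it to
        #    disk, so a crash never leaves a half-written default.pws.
        with open(tmp_path, "wb") as tmp:
            tmp.write(new_ciphertext)
            tmp.flush()
            os.fsync(tmp.fileno())
        # 2. Copy the old database aside for the restore-from-backup case.
        #    Raises FileNotFoundError if there is no old database.
        shutil.copy2(db_path, backup_path)
        # 3. Rename the temporary file over the live database. os.replace
        #    is atomic on one volume: readers see the old or the new file.
        os.replace(tmp_path, db_path)
    except BaseException:
        # Any failure leaves the old database untouched; drop the temp file.
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
        raise
    return backup_path


if __name__ == "__main__":
    # Constructed sample data standing in for two encrypted databases.
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "default.pws")
        with open(db, "wb") as f:
            f.write(b"old-algorithm-ciphertext")
        bak = swap_in_reencrypted(db, b"new-algorithm-ciphertext")
        print(sorted(os.listdir(d)), "backup:", os.path.basename(bak))
```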

Re: Question about database encryption algorithm

Postby malcarada » Fri Apr 27, 2012 5:41 pm

I would like to suggest that the algorithm used for data storage is not made visible in future StickyPassword versions if it were to be possible. The knowledge might not provide any huge breakthrough to an attacker but it seems like an extra layer of security.

For example, I was reading the Wikipedia webpage about the GOST algorithm, available in StickyPassword, and it says that "In 2011 severe flaws have been discovered in GOST cipher and it has been called "a deeply flawed cipher" by Nicolas Courtois". I am not using it, but if I were and an attacker finds out he would know he stands a chance.

https://en.wikipedia.org/wiki/GOST_(block_cipher)

Thank you for your previous explanation.
My personal blog: http://www.wipeyourdata.com
malcarada
New user
 
Posts: 16
Joined: Sat May 28, 2011 8:43 pm
Location: European Union

Re: Question about database encryption algorithm

Postby ondrej.novak » Mon Apr 30, 2012 3:47 pm

Hi,

thank you for your message.

We suggest using the default encryption (AES (Rijndael)). Other encryption methods are for technically advanced users who would like to use them for some reason.

Best regards,
Ondrej Novak
Sticky Password Team

ondrej.novak
Sticky Password Guru
 
Posts: 975
Joined: Wed Apr 29, 2009 10:39 am
Location: Czech Republic
