
#721 Hard\Thumb-Drive Serial Number Locking List as 3rd Auth...

SF User·

Hard\Thumb-Drive Serial Number Locking List as 3rd Auth

Add the ability for a list of approved Hard\Thumb-Drive
serial numbers that must be present on the system
before opening the database.

For example, the user could be presented with a list of
drive serial numbers from which to select those that
must be present in order to open the database.

Users would be further encouraged to add at least one
portable drive device, like a thumb drive, so they could
open the database on other computers and/or add other
computers' drives once the database is open.

This feature of using a hard and/or thumb-drive serial
number could be in addition to using a KeyFile or a
substitution for it.

The added security benefit would be that an attacker
would then also have to figure out a victim's hard
drive serial numbers and spoof them on a different
system. This, together with a KeyFile and Master
Password, would add three levels of security to
KeePass database access.


  • SF User·

    SF User· - 2006-06-05
    • assigned_to: nobody --> dreichl
  • Bill Rubin

    Bill Rubin - 2006-06-14

    Logged In: YES

    It appears to me that there would be no significant security
    benefit of this feature. The problem is that the list
    itself would not be secure. It would probably live in
    KeePass.ini, for example. The attacker could simply change
    the list to anything he wanted.

    Bill Rubin

  • Nobody/Anonymous

    Logged In: NO

    Make it part of the password key string?

  • SF User·

    SF User· - 2006-06-16

    Logged In: YES

    I see this as a third option and/or replacement for the
    keyfile.

    So it would not reside in a ini file but rather be part of
    the password string.

  • Bill Rubin

    Bill Rubin - 2006-06-16

    Logged In: YES

    My last comment understated the problem with this proposal.
    The basic idea of the proposal seems to be for KeePass to
    check that one of the listed drive serial numbers is
    actually present before opening the database. But an
    attacker could easily bypass this check with his own version
    of KeePass, which it would take very little skill to create.

    Bill Rubin

  • Nobody/Anonymous

    Logged In: NO

    That's a great idea. It should also load a database file
    automatically upon insertion of a thumb drive containing
    said file.

  • Goldsy

    Goldsy - 2006-10-04

    Logged In: YES

    Even if this feature could be securely implemented, what
    happens when the hard drive whose serial number you selected
    as needing to be present to open the DB fails? With a key
    file, backups can be maintained to prevent locking yourself
    out of your DB in the case of a media failure. The majority
    of users would not be able to figure out how to spoof their
    hard drive serial number (assuming they have a clue what it
    is) so that they can get into and modify their DB to use a
    new serial number. Using multiple SNs would limit this
    problem, but it wouldn't prevent it.

    If this feature is implemented, thought needs to be given
    to how to recover from a media failure case.

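Added example, not KeePass's own code, illustrating the two points raised in this thread: folding the serial number into the key material (as suggested, "part of the password key string") instead of a client-side presence check that a modified client can skip, and Goldsy's media-failure case. The database key is wrapped once per approved serial, so any one approved drive still opens the database and the stored header contains no serial in the clear. The function names, the serial numbers, the keyfile contents and the XOR-plus-HMAC wrapping are constructed for this demo; KeePass uses a different composite-key transform and AES.

```python
import hashlib
import hmac

def composite_key(password: str, keyfile: bytes, serial: str) -> bytes:
    """Hash each factor, then hash the concatenation (simplified KeePass-style
    composite key; the real one also applies an iterated key transform)."""
    parts = [hashlib.sha256(password.encode()).digest(),
             hashlib.sha256(keyfile).digest(),
             hashlib.sha256(serial.encode()).digest()]
    return hashlib.sha256(b"".join(parts)).digest()

def wrap_db_key(db_key: bytes, k: bytes) -> tuple:
    """XOR the 32-byte database key with the single-use 32-byte composite key
    (a one-time pad) and add an HMAC tag so a wrong key is detected."""
    wrapped = bytes(a ^ b for a, b in zip(db_key, k))
    return wrapped, hmac.new(k, wrapped, hashlib.sha256).digest()

def unwrap_db_key(wrapped: bytes, tag: bytes, k: bytes):
    """Return the database key if k is right, else None."""
    if not hmac.compare_digest(hmac.new(k, wrapped, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, k))

def create_header(db_key: bytes, password: str, keyfile: bytes, serials: list) -> list:
    """One wrapped copy of the database key per approved serial. The header
    stores no serial in the clear, so editing it gains an attacker nothing."""
    return [wrap_db_key(db_key, composite_key(password, keyfile, s)) for s in serials]

def open_database(header: list, password: str, keyfile: bytes, present: list):
    """Try each present drive against each copy; any single match recovers the
    key, so one failed drive is survivable while another approved one remains."""
    for serial in present:
        k = composite_key(password, keyfile, serial)
        for wrapped, tag in header:
            db_key = unwrap_db_key(wrapped, tag, k)
            if db_key is not None:
                return db_key
    return None

# Constructed demo values (not real serial numbers or keys).
PASSWORD = "correct horse battery staple"
KEYFILE = b"constructed keyfile contents"
DB_KEY = hashlib.sha256(b"constructed demo db key").digest()  # real code: os.urandom(32)
HEADER = create_header(DB_KEY, PASSWORD, KEYFILE, ["WD-WCC4E0000001", "USB-SNDK-00ABC"])

if __name__ == "__main__":
    # Internal drive failed; only the thumb drive is plugged in: still opens.
    print(open_database(HEADER, PASSWORD, KEYFILE, ["USB-SNDK-00ABC"]) == DB_KEY)
    # Machine with none of the approved drives: no copy unwraps.
    print(open_database(HEADER, PASSWORD, KEYFILE, ["OTHER-DRIVE"]) is None)
```

Recovery is then a matter of keeping at least two approved drives (or a backup of the keyfile and the password) rather than of spoofing a serial; a lost drive with no surviving approved drive is unrecoverable by design, which is exactly the trade-off Goldsy raises.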
