
#606 HMAC slightly flawed

open
None
3
2012-09-17
2007-10-12
No

This is not in any way a secret, but I haven't been able to find any reference to anyone actually reporting this as the bug it is.

The HMAC in V3 files is only calculated on the field values in a record.

A record consists of fields. Each field has a 5-byte header, where the first 4 bytes are the length of the field value, and there's one byte type code.

The HMAC does not take the length and type into account, nor does it hash the padding bytes in unused parts of blocks.

This implies that it's possible to modify the length and type without the HMAC seeing this.

The real-world risk is low, but since PasswordSafe is supposed to represent state-of-the-art cryptography, this is really not acceptable.

It's not best practice. It should be fixed.
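The gap described in this report, as an added example that is not part of the original ticket and is not PasswordSafe code: a values-only HMAC is compared with a MAC over the whole field stream, using the 5-byte header layout from the report. Assumptions made for the demonstration: little-endian length, 16-byte padding blocks, HMAC-SHA-256, constructed type codes, values and key, and the encryption layer omitted so the plaintext field stream is handled directly.

```python
import hashlib, hmac, struct

BLOCK = 16  # assumed block size for field padding

def encode_field(ftype, value, pad=b"\x00"):
    """4-byte length + 1-byte type header, value, then padding to a block boundary."""
    raw = struct.pack("<IB", len(value), ftype) + value
    return raw + pad * (-len(raw) % BLOCK)

def parse_fields(blob):
    """Parse the plaintext field stream into [(type, value), ...]."""
    fields, pos = [], 0
    while pos < len(blob):
        length, ftype = struct.unpack_from("<IB", blob, pos)
        if pos + 5 + length > len(blob):
            raise ValueError("field length runs past end of data")
        fields.append((ftype, blob[pos + 5:pos + 5 + length]))
        pos += -(-(5 + length) // BLOCK) * BLOCK  # skip padding to next block
    return fields

def mac_values_only(key, blob):
    """Behaviour described in the report: only field values are authenticated."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for _, value in parse_fields(blob):
        h.update(value)
    return h.digest()

def mac_whole_stream(key, blob):
    """One possible alternative: authenticate headers, values and padding."""
    return hmac.new(key, blob, hashlib.sha256).digest()

KEY = b"constructed-demo-key"  # constructed sample key
original = encode_field(1, b"bank") + encode_field(2, b"hunter2")
variants = {  # constructed records that differ only in header or padding bytes
    "types swapped": encode_field(2, b"bank") + encode_field(1, b"hunter2"),
    "lengths re-split": encode_field(1, b"bankhu") + encode_field(2, b"nter2"),
    "padding changed": encode_field(1, b"bank", b"\xff") + encode_field(2, b"hunter2"),
}

def compare():
    """Map variant -> (values-only MAC still matches, whole-stream MAC still matches)."""
    ref_v, ref_w = mac_values_only(KEY, original), mac_whole_stream(KEY, original)
    return {name: (hmac.compare_digest(mac_values_only(KEY, blob), ref_v),
                   hmac.compare_digest(mac_whole_stream(KEY, blob), ref_w))
            for name, blob in variants.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Every variant keeps the same values-only MAC as the original record while parsing to different fields or carrying different padding; the whole-stream MAC changes in each case.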

Discussion

  • Rony Shapiro

    Rony Shapiro - 2007-10-12

    Logged In: YES
    user_id=370700
    Originator: NO

    Hi,

    Pity you weren't around when the V3 format was being designed & reviewed.

    I agree that the format should be fixed along the lines you suggest, but since this breaks compatibility with previous versions, by definition it becomes a major version update, since PasswordSafe is now set up to be forward & backwards compatible across minor format version changes (e.g., 3.01 & 3.02), but warn against incompatibilities across major version changes (e.g., 3.x & 4.x).

    So it's definitely a flaw, but, as you pointed out, not currently an exploitable one in the real world. The 4.0 format design (as yet not started) will take this into account.

     
  • Svante Seleborg

    Svante Seleborg - 2007-10-16

    Logged In: YES
    user_id=379999
    Originator: YES

    That's ok. Send me a note when V4 is about to be specified and I'll be happy to contribute by reviewing and suggesting. The reason I was digging into the format was because I needed to write a C# reader of password safe databases. This is now done and available at codeproject, http://www.codeproject.com/useritems/AxantumPasswordSafe.asp . It actually turned out quite nice. If you wish to reference it from the password safe site, that's fine with me.

     
  • paul

    paul - 2007-11-14

    Logged In: YES
    user_id=760732
    Originator: NO

    Perhaps the formatV3 document should be updated with this information.

     
