I don't have any background in security so I apologize in advance if this is completely idiotic.
One of the security features of KeePass is the user key is run through many rounds of AES encryption, meaning that it may take 1+ seconds to attempt to open the database once. However, since the actual data is only encrypted once, couldn't an attacker simply brute force the AES key of the encrypted data and skip key generation altogether?
Although this would still take longer than attempting to brute force most passwords as it is very unlikely a user would have a password longer than 32 characters and you would have to try all 256 byte values instead of a limited subset of them. I get that this is kinda a moot point because of how long it would take to actually brute force an AES key but it kinda makes anything more than a small number of key rounds kinda pointless.
Wouldn't it be more effective to run the data through multiple encryption rounds?
Last edit: Patrick Sattelberger 2019-07-14
Yes, that would be possible; however, the 256 bit key space is so large it would take an unfeasibly long time to test even 10% of that space - something like 3 x 10^49 years according to Wikipedia.
It's much easier to test for passwords up to 20 characters, but you then need to add the rounds work factor, so even that process is akin to testing the 256 bit keys directly.
cheers, Paul
Wait a minute. I think you're confused.
KeePass generates a final key to encrypt the database using either AES-CBC or ChaCha20.
This key is generated through hashing and KDFing.
KeePass supports an AES iteration-based KDF which eventually, after the number of rounds chosen and with use of a salt, will output the final key.
I'm not sure how you plan to skip this phase.
Then you ask about simply brute-forcing the cipher itself without caring about the key.
AES-256 uses 256 bit keys obviously.
256 bit has exactly this many possible options:
115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936
Now... maybe this would help to understand why it's impossible:
https://sourceforge.net/p/keepass/discussion/329220/thread/fb152e0d18/#dbd2
Even 128 bit keys are considered impossible to crack in a reasonable time; probably your browser is using a 128 bit key right now.
Last edit: John Jones 2019-07-14
So essentially the key encryption rounds are simply to make up for the fact that a password will always be weaker than an AES key?
I guess my point was that at some point adding extra time to process key rounds does absolutely nothing to increase security. Although that might require a ridiculous amount of time. And anyway it's kinda a moot point because if you got to even a fraction of the security of AES-256 it would be essentially impossible to brute force anyway.
Sorry if I implied that I thought this was an actual security flaw. Obviously actually brute forcing an AES key is kinda ridiculous but I guess it was a pretty stupid question in the first place.
Exactly.
Human passwords are weak. We wouldn't need any additional compute cost if we could just remember 32 random character passwords for every site or service we use.
Which is exactly the main point of password managers to begin with.
As you didn't know the answer it's not a stupid question, so keep asking. :)
cheers, Paul
I didn't answer your actual question...
Cryptographers figured out what you're thinking and much more.
Approved encryption algorithms were tested against multiple different attacks and were designed with brute-forcing (and other concerns) in mind.
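
An added example, not part of the original thread and not KeePass code: a rough cost model for the two attack paths discussed above, guessing the password through the key transformation versus searching the 256-bit key directly. The iterated SHA-256 `stretch` function is a stand-in for KeePass's AES-KDF, and counting one stretching round and one key trial as one operation each is an assumption.

```python
import hashlib
import math

KEY_BITS = 256  # size of the final database key discussed in the thread


def stretch(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Stand-in key stretching: iterated SHA-256 (assumption, not AES-KDF)."""
    key = hashlib.sha256(salt + password).digest()
    for _ in range(rounds):
        key = hashlib.sha256(key).digest()
    return key


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def attack_cost_bits(alphabet_size: int, length: int, rounds: int):
    """log2 of operations needed to exhaust each path.

    Password path: every guess must pay for all stretching rounds.
    Key path: the attacker skips the KDF and tries raw 256-bit keys.
    """
    via_password = password_bits(alphabet_size, length) + math.log2(rounds)
    return via_password, float(KEY_BITS)


def cheapest_path(alphabet_size: int, length: int, rounds: int):
    """Return the path a rational attacker would take and its cost in bits."""
    via_password, via_key = attack_cost_bits(alphabet_size, length, rounds)
    if via_password < via_key:
        return "password", via_password
    return "key", via_key


def saturation_rounds_log2(alphabet_size: int, length: int) -> float:
    """log2 of the round count past which more rounds add no security."""
    return max(0.0, KEY_BITS - password_bits(alphabet_size, length))


if __name__ == "__main__":
    # Constructed sample inputs: printable ASCII (95 symbols), 2**20 rounds.
    for length in (8, 12, 20):
        path, bits = cheapest_path(95, length, 2**20)
        limit = saturation_rounds_log2(95, length)
        print(f"len={length}: attack the {path}, ~2^{bits:.1f} ops; "
              f"rounds stop helping near 2^{limit:.1f}")
    # 32 arbitrary bytes already fill the key space, so rounds add nothing.
    print(cheapest_path(256, 32, 1))
```

For any password a person can remember, the saturation point sits far beyond a round count anyone could wait for, so in practice every extra round still raises the cost of the password path.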