[REQUEST] KeePass Steganography (Hide files into files)

  • Icarus

    Icarus - 2013-03-15


    I would like to request a feature to save/load KDBX files from other filetypes directly with KeePass.
    Like this open source tools:


    I would be also happy if anyone cleverer than me write a plug-in with this function.
    Thanks in advance.

  • Paul

    Paul - 2013-03-15

    This adds no value nor protection to the database. A strong password is all you require.

    cheers, Paul

  • Icarus

    Icarus - 2013-03-17

    It is supposed to hide a database, protect to be found by others.

    • Horst

      Horst - 2014-05-05

      Thats called "Security by Obscurity" and its completely useless.

  • Icarus

    Icarus - 2014-05-04

    And whats about Honey Encryption?

  • wellread1

    wellread1 - 2014-05-05

    Sounds like a job for Ari Juels and Thomas Ristenpart.

  • Paul

    Paul - 2014-05-05

    What's the difference between false information and no information? Your master key still protects the database and adding additional layers provides no additional protection for a properly designed and implemented encryption algorithm.

    cheers, Paul

    • Babar

      Babar - 2014-07-16

      Hi Paul,
      I disagree with you and would like to explain:

      -first not knowing if someone has a password database, makes it harder to find it.

      Here is a use case: someone has its database on a usb stick if he looses the usb stick anyone finding the key will see that he has a encrypted password database and then if the person who found the stick is ill-intentioned he could try to break in. On the other hand if there are only photos on the stick it is very un-likely that anyone will try to find a hidden database in the photos

      Please explain me how this makes it not safer or useless?

      -secondly there is NO bug free software, and no one can tell me that keepass has absolutely no breach.
      -thirdly it is absolutely certain that computing power will keep increase and nothing can tell me when the power or the technology (such as cloud computing, using clusters,...) will enable to easily decrypt the database, whatever password you use (strong or weak ones) Maybe it even already happened. until 1996 France would forbid to encrypt data with key larger than 128 bits ... it was only so that it could be decrypted if needed. What about now?
      -fourthly no one can certify that a brilliant mathematician will not find a new way/algorithm to break the cipher much faster that what is possible today: this has already happened many time for quite a few of them and could happen again

      So now lets imagine that a hacker breaks in on someone's computer. He sees a kdx file , cool it is a password database, and he downloads it (if it was hidden among the 30 000+ photo of the the guy collection it would have been safer, because
      - the hacker most likely would not have downloaded them all
      - the time to download them all MIGHT be enough to spot the attack )
      3 months later computers, accessible cloud computing, or new algorithm makes it possible to unencrypt the database in 5 minutes... oops the poor hacked guy's bank online access password is now available world wide .....

      now imagine the guy had hidden the database in the images. Not 1 image but 10 different images. I mean he encrypts the database, cuts it in 10 smaller parts and hide them stenographically in different images.
      the hacker happens to guess it and downloads all of the images.
      when he can break the cypher in 5 minutes he still needs to scan the 30 000 images to detects those that potentially hide data, and if it is well done it may take quite sometime.
      Then once he found the 10 images he needs to puts them in the right order before trying to decrypt, other wise he will only get gibberish stuff, and this makes 10! different orderings which means
      10! * 5 minutes = 34 years

      especially knowing that ordering images can be very easy for anyone who took them (the order makes sense according to your memories,...) but much less for those that did not take them. This act like a kind of easy to remember password but very strong password

      Please explain me how this makes it not safer or useless?

      And here I did not even talk about "plausible deniability" as TrueCrypt use case,... or just pointed out that the vast majority of people do not use strong password and anything that can help their lack of cautiousness is a good thing

      Thank you

  • divB

    divB - 2014-05-09

    Steganography is NOT the same as "Security ob Obscurity" and is NOT completely useless under all conditions (although it might hold true for most cases).

    Just a trivial example. You are forced to give away your USB key (also containing KP file) and the entity forcing you to do wants to make use of as much data as possible. If he doesn't even find the KP file you are fine. If he finds it the strongest PW does not help if he has the power to force you to give it out.

    In this sense I often thought about "plausible deniability" as TrueCrypt implements. That would be so great! However, contrary to a file system, I found noplausible and good way how this could be implemented in KeePass.

  • T. Bug Reporter

    T. Bug Reporter - 2014-07-16

    People interested in this thread should probably read this:
    Obscurity is a Valid Security Layer

    Hiding one's secrets (e.g. by using KeePass) does nothing (and usually less than nothing) to hide the fact that one has secrets to hide. Both are valid goals, and while KeePass is good at achieving one of these, it could be argued that the other is not KeePass's job. OTOH, it could also be argued that since a significant number of KeePass users need a system that is good at both of these jobs, KeePass should be expanded to include tools to perform both of these jobs - or at least constructed in such a way that does not cause it to perform one job at the expense of the other. (For example, I'm not thrilled that KeePass remembers where my key files are - but I deal with that by using a portable installation of KeePass, so that no one but myself has access to that information.)


Log in to post a comment.