protection against plausible deniability
A lightweight and easy-to-use password manager
Brought to you by:
dreichl
Menu
▾
▴
#841 protection against plausible deniability
hello,
just want to ask this question and at the same time,
can also consider it as feature request,
what if an intruder has your database file and he
forces you to open it using your password, it could
expose potentially important and secret passwords
inside the database file, is there some protection in
keepass against this kind of threat,
or just like in truecrypt wherein you can supply
two (2) passwords, one is fake and the other is real.
each password can show a different entry inside each
database file.
thank you
megajove@gmail.com
Logged In: YES
user_id=1174665
KeePass is a simple personal database. If you need this sort
of security you will probably have to pay someone lots of
money to write it.
cheers, Paul
Logged In: NO
keepass have already solve this with keyfile implementation, even if the user able to get u to type in the password, it will be useless without the keyfile. Would u declare the keyfile exist or the database is corrupted ?
Since the request is still 'open':
> "or just like in truecrypt wherein you can supply two (2) passwords, one is fake and the other is real."
the initial feature requestor already named the best solution, not only for password-databases, but for bookmarks, browser-history/cache/cookies and so on: TrueCrypt does this in a cross-platform manner with all required features implemented and well tested by a big community!
Searching for plausible denyability in a password manager I came across this ticket and a discussion in the keepassX forum[0].
As there seems to be confusion about the concept and why it may be important I'd like to take some time to clearify that.
Saving your password encrypted is an important step to protect yourself from attackers that are able to access the file, but not the knowledge it your head (or wherever you store it). There are many attackers that are powerfull enough to get the knowledge from your head. Many people you are in a possition to tell you: "if you don't give me the password, I will XY". In that situation you have to decide on giving up your password or living with the consequences of not doing it. That doesn't have to be waterboarding. It may be that you loose your job or partner. If you happen to live in the UK, you may risk being send to jail[1].
The only protection against that second kind of attack is hiding the fact, that you hide something. That's called steganography. A common example of this is saving some message in an image file that can only be extracted, if you know about it. That same idea is the root of plausible deniability. You try to hide the fact, that you have important data (like your passwords) stored somewhere.
Keepass allows doing this, by choosing a unobtrusive file name and storing it in an area where an attacker may not suspect it to be. (Maybe a config.ini somewhere in C:\Programs) So I assume the developers of KeePass are aware of those dangers and want to take measures to protect their users.
Hiding your KeePass file is a good step, but if the attacker knows about computers, she will find out what files you open regularly and if she opens your "config.ini" it will be clear, that this is not a configuration file but something else. In that situation it will be hard to plausibly deny that you are hiding something.
The fact that encrypted data does usually look supspicious makes it hard to effectifly hide it - until you get the idea to hide it in more encrypted data. That's essentially what this topic is about and that's also what TrueCrypt is doing. You create an encrypted container and can't really hide the fact that it's there, but when you open that container, you can supply a second password to decrypt a second container. An attacker may get the first layer of your secrets, but she has no way to tell how many layers there are. That gives you plausible denyability.
To get this feature in KeePass, it would be necessary to redefine the data format. It should not be possible, to directly correlate the amount of encrypted data with the size of the file. You have to make the file arbitrarily bigger such that you have space left to either store "hidden volumes" or random data that is indistinguishable from a hidden volume.
This is clearly not a feature that everyone needs or wants to use, but I think steganography is an important tool. The more people know about it and are able to use it, the better.
During my research on the topic I found a project[2] that is creating a password manager with "hidden containers". But as it's a command-line tool it will never get mainstream and it's also young and maybe not ready for prime time yet. Still definitively worth to keep an eye on it.
Thank you KeePass developers!
Your work is empowering people!
[0] https://www.keepassx.org/forum/viewtopic.php?f=1&t=3361
[1] http://www.legislation.gov.uk/ukpga/2000/23/section/53
[2] https://github.com/bwesterb/pol
I second this request, although I admit that its a rather rare use case scenario. Some audiences like human rights defenders under repressive regimes occasionally have to give up their passwords to local law enforcement and they would appreciate it there was a chance to give up the one that would not reveal and unlock their work-related accounts.
KeePass does not provide this functionality, use VeraCrypt (the successor to TrueCrypt) to store KeePass and the database, then you can deny you use a password manager.
Even better, use an SSD with hardware encryption (e.g. Samsung 850 EVO) and never sleep/hibernate the PC.
cheers, Paul
I too would really like this feature. It's not just "human rights defenders under repressive regimes". In the UK (as sssSCH says) you can be compelled by law to give up an encryption key.
It's worth noting that there may be users staying silent about their support of this feature; I definitely stopped to consider whether to post. If at some point in the future I were ever under investigation, and this feature were implemented, and this post came to light, it might be construed as evidence that I could be hiding a second database.
Too paranoid methinks. :)
cheers, Paul
Yeh. That's fair about the staying silent - it was getting late, and I was feeling a bit frazzled.
But the main point still stands.
I like the idea but you can do it via VeraCrypt, you don't need KeePass to do it.
cheers, Paul
You can, but using VeraCrypt is much more suspicious and thus less deniable. (and worse from a usability point of view)
That's why it would be preferable to have such a feature in a widespread tool like KeePass.
@sssSCH : You hit the nail.
Btw:
Setting up VeraCrypt, placing the keypass file and then using the KeyPass App is inconvenient.
If plausible deniability is impossible,
why not using VeraCrypt as KeyPass's native "file format" and storing keypass entries as files and folders...