Proposal: KeePass integration

freynder

Hello all,

I would like to propose implementing KeePass integration in the core client. This would allow us to leverage all the security features that KeePass brings and make the client more secure.

More info regarding KeePass: http://keepass.info/

I believe this could be a key feature and would like to implement this for the darkcoind client v0.11 first. Core team, please let me know if this would be desired. If so, I would like to start working on this asap as I currently have a few days of availability to spend on this.

Did some preliminary investigation and here is what I would like to propose:

How:
KeePass integration will use KeePassHttp (https://github.com/pfn/keepasshttp/) to facilitate communications between the client and KeePass. KeePassHttp is a plugin for KeePass 2.x and provides a secure means of exposing KeePass entries via HTTP for clients to consume.

The integration would tie in with the following commands:
  • walletpassphrase <passphrase> <timeout> [anonymizenonly]: if keepass is active and passphrase is 'keepass', the passphrase is retrieved from keepass
  • walletpassphrasechange <oldpassphrase> <newpassphrase>: if keepass is active and oldpassphrase is 'keepass', the passphrase will be updated in keepass

Prerequisites:
- have keepass2 installed
- have keepasshttp installed

Config and command line options:
-keepass=1 Use KeePass 2 integration using KeePassHttp plugin (default: 0)
-keepassdb=<name> KeePass database to use (mandatory when keepass integration is active)
-keepassentrytitle=<name> KeePass entry title that stores the wallet password
-keepasshttplabel=<name> KeepassHttp label that stores the encryption key
-keepasshttpkey=<key> KeePassHttp key for AES encrypted communication with the plugin

Set up steps:
1) Configure the following entries in the client .conf file: keepass=0, keepassdb and keepassentrytitle
2) Run the client
3) In the console, type: keepass init <label>
This will generate an AES key and populate it in the keepass database with the specified label. If an encryption key with the same label already exists, KeePass will ask for confirmation to overwrite. The command will return the additional configuration parameters for the .conf. Example:
keepasshttplabel=mainwallet
keepasshttpkey=SAV9dMzsJFi3Vp6X3RqGjLJHjp7D2j3zkTFOrlTyeYE=
4) Modify .conf file by setting keepass=1 and copy pasting the keepasshttplabel and keepasshttpkey values
5) Restart client
 
I love keepass. I use it extensively with keepasshttp and I don't believe I could get to my own bathroom without it.

I can only say that if you do it, I'll use it. However, I'm not sure if this is a great idea from a security perspective. Integrating third party services in the core client could bring new risks and attack vectors. I don't know enough as to fully assess the risks, but I'm worried that keepasshttp could be hacked and then pass malicious information to the wallet when it requested the password. Or it could just send the password somewhere else. Would this be possible?
 
Hello all,

I would like to propose implementing KeePass integration in the core client. This would allow us to leverage all the security features that KeePass brings and make the client more secure.

Nice idea, but unfortunately it will make the client less secure.

Right now, the client is secured with a passphrase in a similar way the master password of KeePass is. It's safe.

Someone who gets this passphrase (via a keylogger or something like this) could do the same with KeePass, so Darkcoin won't gain anything from that.

But, each additional line of code, each interface and API, opens a lot of new possible attack vectors to the Darkcoin client. I see absolutely no need to add a password database to a program which in itself needs one single password to work properly and secure.

And you can still use the traditional KeePass program to save your Darkcoin passphrase and enter the passphrase via cut & paste.

It's similar to the recurring feature request to add a secure chat to the Darkcoin client: nice to have, but a wallet should do (and only do) what it's designed for, keep your precious Darkcoins safe and warm and allow the occasional transaction :smile:
 
Nice idea, but unfortunately it will make the client less secure.

Right now, the client is secured with a passphrase in a similar way the master password of KeePass is. It's safe.

Someone who gets this passphrase (via a keylogger or something like this) could do the same with KeePass, so Darkcoin won't gain anything from that.

But, each additional line of code, each interface and API, opens a lot of new possible attack vectors to the Darkcoin client. I see absolutely no need to add a password database to a program which in itself needs one single password to work properly and secure.

And you can still use the traditional KeePass program to save your Darkcoin passphrase and enter the passphrase via cut & paste.

It's similar to the recurring feature request to add a secure chat to the Darkcoin client: nice to have, but a wallet should do (and only do) what it's designed for, keep your precious Darkcoins safe and warm and allow the occasional transaction :smile:

Thanks for the feedback.

KeePass offers several advantages though that would be leveraged by the integration. Example: 2 factor authentication (using key file or certificate), OTP (using a plugin). The integration would allow darkcoin to use all security features that KeePass has to offer, which is much more than just a single passphrase.

Another advantage of the integration vs traditional copy paste is that the passphrase would not need to be copied to the clipboard or simulated keypresses, eliminating those attack vectors.

Finally, removing the need to copy paste from the password manager would make the client more user friendly.
 
I love keepass. I use it extensively with keepasshttp and I don't believe I could get to my own bathroom without it.

I can only say that if you do it, I'll use it. However, I'm not sure if this is a great idea from a security perspective. Integrating third party services in the core client could bring new risks and attack vectors. I don't know enough as to fully assess the risks, but I'm worried that keepasshttp could be hacked and then pass malicious information to the wallet when it requested the password. Or it could just send the password somewhere else. Would this be possible?

Anyone would be free to use it, or not if he has a concern with it. The original client security with the passphrase would still be in place, the integration would just offer a way to securely transmit the passphrase from the password manager to the client.

Regarding security, please have a look at https://github.com/pfn/keepasshttp . The bottom of the page discusses security and protocol. Basically, security is ensured by a 256bit AES key. Any client that wants to connect to KeePassHttp needs such a key. The key is stored in the KeePass database. I would suggest using a separate KeePass database for coin clients vs the regular one for web passwords. That way the browser KeePass plugins would not be able to see any keys for the wallets.

The same mechanism is already used by the chromeIPass and Passifox plugins, they also communicate with KeePassHttp to retrieve the passwords.
 
That's an interesting idea. However I never used KeePass (though I heard of it) so I don't really understand the way it should work being integrated with client.
  • walletpassphrase <passphrase> <timeout> [anonymizenonly]: if keepass is active and passphrase is 'keepass', the passphrase is retrieved from keepass
This part ^^^ is confusing to me, can you clarify please:
- Should I run keepass and unlock it with master password when I'm issuing this command in qt-client?
- What will prevent some malicious software to simply execute RPC request with passphrase "keepass"? No key logger is needed as passphrase is always the same and unlocking is done "behind the scenes", right?
 
- Should I run keepass and unlock it with master password when I'm issuing this command in qt-client?
Yes, you need KeePass unlocked so the client that wants data (not only passwords, you can pass other data in the entry) through KeePassHttp can get it. I use chromeIPass and I have a very fast auto lock time in KeePass, so I have to type my super long master password all the time :eek: I still prefer it because I only need to remember that one, and then it manages all my randomly generated passwords.
 
I'm not opposed to this as a feature, although it does open up Darkcoin to an attack vector. But to attack wouldn't they require trojan to get the keepass vault and a keylogger to get your master password? If so that could be slightly more secure.
 
I'm not opposed to this as a feature, although it does open up Darkcoin to an attack vector. But to attack wouldn't they require trojan to get the keepass vault and a keylogger to get your master password? If so that could be slightly more secure.
Hmm... Why would it need a keylogger at all? Just sit there quietly, wait till the user unlocks keepass and then you can do walletpassphrase "keepass" and anything else by RPC. For me it looks even more unsafe then: most anti-viruses will detect keyloggers but which one of them will detect local networking on a port higher than 1024 (and that's what RPC calls are) as suspicious?
 
Hmm... Why would it need a keylogger at all? Just sit there quietly, wait till the user unlocks keepass and then you can do walletpassphrase "keepass" and anything else by RPC. For me it looks even more unsafe then: most anti-viruses will detect keyloggers but which one of them will detect local networking on a port higher than 1024 (and that's what RPC calls are) as suspicious?

Try to think of unlocking KeePass as an alternative to unlocking the wallet. The risk is basically the same. The attack example you provide is similar to a process that sits quietly, waits until the user unlocks the wallet and does anything it likes by RPC.
 
I'm not opposed to this as a feature, although it does open up Darkcoin to an attack vector. But to attack wouldn't they require trojan to get the keepass vault and a keylogger to get your master password? If so that could be slightly more secure.

Indeed, the KeePass vault can be protected by additional security mechanisms besides the master password (two factor authentication using key or certificate, OTP), effectively removing one attack vector (key logger only).
 
Try to think of unlocking KeePass as an alternative to unlocking the wallet. The risk is basically the same. The attack example you provide is similar to a process that sits quietly, waits until the user unlocks the wallet and does anything it likes by RPC.
Yep, I agree with this. However I don't see keepass as more secure method but as another method to unlock only. No offense but until wallet itself is using 2fa internally for every operation (or smth like this) everything else is like placing a new shiny lock but keeping the same old wooden door.

That doesn't mean we wouldn't want that new lock though :wink: "Darkcoin (privacy-centric coin) integrates with KeePass (an open source password keeper software)". Sounds good to me. This might bring more attention to us. Reading through their site I also noted this http://keepass.info/donate.html - they use soooo strange methods to accept donations. Credit cards, paypal.. ok... but... wire transfers?? really?? :what: Guess what I thought then? :rolleyes: Imagine we integrate them and they start accepting donations in DRK... also this "If you want to get your company listed in the table above, please contact the KeePass team for details before making a donation." tungfa ? :smile:

tl;dr; More secure? Not that much. But shall we do this? I would say let's give it a try and see how it goes.
 
Yep, I agree with this. However I don't see keepass as more secure method but as another method to unlock only. No offense but until wallet itself is using 2fa internally for every operation (or smth like this) everything else is like placing a new shiny lock but keeping the same old wooden door.

None taken, I appreciate everyone's input and concerns.
 
Yep, I agree with this. However I don't see keepass as more secure method but as another method to unlock only. No offense but until wallet itself is using 2fa internally for every operation (or smth like this) everything else is like placing a new shiny lock but keeping the same old wooden door.

That doesn't mean we wouldn't want that new lock though :wink: "Darkcoin (privacy-centric coin) integrates with KeePass (an open source password keeper software)". Sounds good to me. This might bring more attention to us. Reading through their site I also noted this http://keepass.info/donate.html - they use soooo strange methods to accept donations. Credit cards, paypal.. ok... but... wire transfers?? really?? :what: Guess what I thought then? :rolleyes: Imagine we integrate them and they start accepting donations in DRK... also this "If you want to get your company listed in the table above, please contact the KeePass team for details before making a donation." tungfa ? :smile:

tl;dr; More secure? Not that much. But shall we do this? I would say let's give it a try and see how it goes.

ok
I look into this in a day or two !
tx
 
Yep, I agree with this. However I don't see keepass as more secure method but as another method to unlock only. No offense but until wallet itself is using 2fa internally for every operation (or smth like this) everything else is like placing a new shiny lock but keeping the same old wooden door.

That doesn't mean we wouldn't want that new lock though :wink: "Darkcoin (privacy-centric coin) integrates with KeePass (an open source password keeper software)". Sounds good to me. This might bring more attention to us. Reading through their site I also noted this http://keepass.info/donate.html - they use soooo strange methods to accept donations. Credit cards, paypal.. ok... but... wire transfers?? really?? :what: Guess what I thought then? :rolleyes: Imagine we integrate them and they start accepting donations in DRK... also this "If you want to get your company listed in the table above, please contact the KeePass team for details before making a donation." tungfa ? :smile:

tl;dr; More secure? Not that much. But shall we do this? I would say let's give it a try and see how it goes.

sorry, confused
what are we looking for ?!
- Keepass accepting DRK donations ?
- Keepass integration into DRK core ? (we do not have to contact them for that)

??
tx
 
sorry, confused
what are we looking for ?!
- Keepass accepting DRK donations ?
- Keepass integration into DRK core ? (we do not have to contact them for that)

??
tx
Accepting donations in DRK. Here is an idea:
- they have users outside crypto (they themselves actually are outside of crypto as I see from their donations method http://keepass.info/donate.html )
- their users are concerned about safety of their passwords and other private info.
Might be a perfect match for us to expand to this kind of users. Maybe they can mention this new way of donations somehow to their users?

If freynder considers integrating with KeePass and we match both events together could this be a good PR move? Just making some assumptions...

PS. I'm not a PR guy you know, so don't take these assumptions too seriously, I might be saying something weird :smile:
 
Accepting donations in DRK. Here is an idea:
- they have users outside crypto (they themselves actually are outside of crypto as I see from their donations method http://keepass.info/donate.html )
- their users are concerned about safety of their passwords and other private info.
Might be a perfect match for us to expand to this kind of users. Maybe they can mention this new way of donations somehow to their users?

If freynder considers integrating with KeePass and we match both events together could this be a good PR move? Just making some assumptions...

PS. I'm not a PR guy you know, so don't take these assumptions too seriously, I might be saying something weird :smile:

tx
got it !

freynder please keep me posted how the integration idea develops
i will ping them on a friendly basis and suggest DRK for donations as we 'might' integrate keepass and are generally (as a community who is privacy concerned) interested

Edit: contacted them (germans too)
 
Small update: There is a first working version ready in dev. Available at https://github.com/freynder/darkcoin/tree/keepass

It will need some considerable refactoring though as I'm not very happy with what the code looks like. It makes use of crypter.h and openssl base64 enc/decoding which impose a lot of conversions through casts and memcpy operations. Also needs to be reviewed for secure allocation.

This will be done in the next few days.

Some additional information for the current version:

Sample darkcoin.conf extract:
keepass=1
keepasskey=JGOzqSKJD4qFCZwLyBiPmJxRlARJdMb72mTWP9D8UGg=
keepassurl=http://darkcoin.io/localwallet?label=test
keepassid=MyDarkcoins

Sample initialization flow from darkcoin-qt console (this needs to be done only once to set up the association):
  • Have KeePass running with an open database
  • Add an entry in KeePass for storing the wallet passphrase. Choose a unique url (unfortunately, a url is needed to match the entry)
  • Start darkcoin-qt
  • Open console
  • type: "keepass init" in darkcoin-qt console
  • (keepass pops up and asks for an association id, fill that in)
  • response: Association successful. Id: test_darkcoin - Key: AgQkcs6cI7v9tlSYKjG/+s8wJrGALHl3jLosJpPLzUE=
  • Edit darkcoin.conf and fill in these values
  • Restart darkcoin-qt

Sample usage:
  • To unlock the wallet, one can now type walletpassphrase keepass 60. This will retrieve the password from keepass and unlock the wallet.
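
A pre-flight check for the darkcoin.conf settings shown in the post above, added here as an example (it is not part of the thread or of freynder's branch). It verifies that the options from the sample extract are present when keepass=1 and that keepasskey decodes to the 256-bit AES key the thread describes. The function names, the finding strings and the owner-only file permission rule are assumptions of this example.

```python
import base64
import binascii
import os
import stat

# Option names as used in the sample darkcoin.conf extract in the post above.
REQUIRED_WHEN_ENABLED = ("keepasskey", "keepassid", "keepassurl")
AES256_KEY_BYTES = 32  # the thread describes a 256-bit AES key

# Constructed input, reusing the sample values posted above.
SAMPLE_CONF = """\
# wallet settings
keepass=1
keepasskey=JGOzqSKJD4qFCZwLyBiPmJxRlARJdMb72mTWP9D8UGg=
keepassurl=http://darkcoin.io/localwallet?label=test
keepassid=MyDarkcoins
"""


def parse_conf(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values may contain '=' (URL, base64)
        options[key.strip()] = value.strip()
    return options


def audit_keepass_conf(text, file_mode=None):
    """Return findings for the KeePass options; file_mode is permission bits or None."""
    options = parse_conf(text)
    findings = []
    if options.get("keepass", "0") == "1":
        findings += [f"missing:{n}" for n in REQUIRED_WHEN_ENABLED if not options.get(n)]
    key = options.get("keepasskey")
    if key:
        try:
            size = len(base64.b64decode(key, validate=True))
        except (binascii.Error, ValueError):
            findings.append("keepasskey:not-base64")
        else:
            if size != AES256_KEY_BYTES:
                findings.append(f"keepasskey:{size * 8}-bit")
        # Assumption of this example: the key sits in the conf in plaintext,
        # so the file should be readable by its owner only (POSIX modes).
        if file_mode is not None and file_mode & 0o077:
            findings.append("conf:key-readable-by-group-or-other")
    return findings


def audit_file(path):
    """Audit a conf file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as handle:
        return audit_keepass_conf(handle.read(), stat.S_IMODE(os.stat(path).st_mode))
```

An empty list from `audit_file` means no findings; the permission check is only meaningful on POSIX file systems.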
 