First of all, many thanks to Dominik Reichl for creating KeePass Password Safe (http://www.keepass.info); this plugin would not have existed otherwise.
This is a dual-cipher model with independent keys: two ciphers are used to encrypt the KeePass database, and a random pad doubles the data length. It follows a method mentioned by Bruce Schneier in his book "Applied Cryptography".
Please click here for details
Version 2.1 for KeePass >= 2.41
This is a major rework of the original version 1.x of the plugin. It is recommended that the older version no longer be used, as this version attempts to make sure that memory is cleared of any sensitive information and provides more choices of encryption algorithm.
For technical details check out the source repository at: https://github.com/titasraha/multicipher
Click here to download source code and other releases
Other Releases (Not Recommended)
Version 1.x - Updated for KeePass Version 2.39x and above
Version 1.0
No block padding scheme is used; the data is instead filled out with random bytes, and the true length is indicated in the header. The AES key and IV are provided by KeePass; only the 3DES keys and IV are generated.
n = Plaintext Length
m = Random pad of n bytes
b = Block pad length = 32 - n % 32 (but 0 if n%32 is 0)
b1 = block pad = b bytes of random data
b2 = block pad = b bytes of random data
Encrypted data format:
Position | Length (Bytes) | Content |
0x00 | 0x01 | File Version currently 1 |
0x01 | 0x01 | Algorithm (currently 0 - indicates AES+3DES) |
0x02 | 0x20 | Random master seed for 2nd Cipher |
0x22 | 0x20 | Random seed to transformation for 2nd Cipher |
0x42 | 0x08 | Random IV bytes for 2nd Cipher |
0x4A | 0x08 | Transformation rounds default 10000 for 2nd Cipher |
0x52 | 0x04 | n |
0x56 | n+b | AES256(Plaintext XORred with m bytes + b1 bytes) |
0x56+n+b | n+b | 3DES(m bytes + b2 bytes) |
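An added example, not code from the plugin: a Python parser for the Version 1.0 layout in the table above that checks the file size against n and b before slicing the two ciphertext segments. Little-endian integer fields and the names parse_v1, pad_len and build_sample are assumptions; the sample input is constructed, with random bytes standing in for both ciphertexts.

```python
import os
import struct

# Layout from the Version 1.0 table. Little-endian integers are an ASSUMPTION;
# the page does not state the byte order.
HEADER = struct.Struct("<BB32s32s8sQI")   # 0x56 bytes in total
BLOCK = 32                                # pad unit from b = 32 - n % 32


def pad_len(n):
    """b: random block pad length, 0 when n is already a multiple of 32."""
    return (BLOCK - n % BLOCK) % BLOCK


def parse_v1(blob):
    """Split a v1 container into header fields and the two ciphertext segments."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    version, algo, seed, kdf_seed, iv, rounds, n = HEADER.unpack_from(blob)
    if version != 1 or algo != 0:
        raise ValueError("unsupported version/algorithm")
    seg = n + pad_len(n)
    # Both segments have length n+b, so the total size is fully determined by n.
    if len(blob) != HEADER.size + 2 * seg:
        raise ValueError("length mismatch: header n disagrees with file size")
    body = blob[HEADER.size:]
    return {
        "master_seed": seed, "transform_seed": kdf_seed, "iv_3des": iv,
        "rounds": rounds, "n": n, "b": seg - n,
        "aes_segment": body[:seg],      # AES256(P xor m || b1)
        "tdes_segment": body[seg:],     # 3DES(m || b2)
    }


def build_sample(n, rounds=10000):
    """Constructed test input: random bytes stand in for both ciphertexts."""
    seg = n + pad_len(n)
    header = HEADER.pack(1, 0, os.urandom(32), os.urandom(32), os.urandom(8), rounds, n)
    return header + os.urandom(seg) + os.urandom(seg)


if __name__ == "__main__":
    info = parse_v1(build_sample(100))
    print(info["n"], info["b"], len(info["aes_segment"]), len(info["tdes_segment"]))
```

A file that fails the length check has been truncated or has a damaged n field, and should be rejected before any decryption is attempted.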
Key Generation:
The AES key and IV are provided by KeePass (from the entry made on the master password entry screen). The 3DES keys are generated by combining the keys derived from the second password entered with the SHA256 of (Plaintext XORed with m bytes + b1 bytes).
Bugs/Suggestions? Email me at support@titasraha.com
It's a very nice plugin, for the paranoid :). The only complaint I have is that it is not universally compatible with any KeePass port (Unless integrated by 3rd party developer, which isn't just yet). Hope to see stability updates/security improvements if necessary in the future :) Maybe make more algorithms available, or separate plugins with better algorithms such as TwoFish/ThreeFish, Serpent etc... 3DES doesn't seem as secure as others, just an idea.
Thank you for this added security :)
I agree more/better ciphers would be nice
Salsa20 is kinda redundant with ChaCha20 since ChaCha20 is an improved Salsa20
3DES is pretty meh and way too little security/speed efficiency.
Twofish and Serpent would be nice, or the support to use other KeePass cipher plugins
Issues:
On both my work and home computer running with multicipher I get an "error message" when I manually save my files.
It tells me the database has been modified and I need to select overwrite or sync up.
Is there a way for multicipher to not provoke this on manual saves?
I've been experimenting with multicipher
But on all my test computers, using the multicipher plugin makes KeePass unable to automatically save its file. After using it my KeePass database went corrupt (less data than expected).
Lovely blog you have here