keepassxc/src
Jonathan White fff1b49f73 Prevent byte-by-byte and attachment inference side channel attacks
Attack - KeeShare attachments can be inferred because of attachment de-duplication.

Solution - Prevent de-duplication of normal database entry attachments with those entry attachments synchronized/associated with a KeeShare database. This is done using the KeeShare database UUID injected into the hash calculation of the attachment prior to de-dupe. The attachments themselves are not modified in any way.

--------

Attack - Side channel byte-by-byte inference due to compression de-duplication of data between a KeeShare database and its parent.

Solution - Generate a random array between 64 and 512 bytes, convert to hex, and store in the database custom data.

--------

Attack vector assumptions:
1. Compression is enabled
2. The attacker has access to a KeeShare database actively syncing with the victim's database
3. The victim's database is unlocked and syncing
4. The attacker can see the exact size of the victim's database after saving, and syncing, the KeeShare database

Thank you to Andrés Fábrega from Cornell University for theorizing and informing us of this attack vector.
2024-03-09 15:21:46 -05:00
autotype Add 1Password 1PUX and Bitwarden JSON Importers 2024-03-09 15:21:46 -05:00
browser Passkeys improvements (#10318) 2024-03-09 15:21:46 -05:00
cli Set test locale to C 2024-03-09 15:21:46 -05:00
core Prevent byte-by-byte and attachment inference side channel attacks 2024-03-09 15:21:46 -05:00
crypto Add support for Botan3 (#8994) 2023-05-07 23:19:18 -04:00
fdosecrets Minor changes to Group API to make it more explicit 2024-03-09 15:21:46 -05:00
format Prevent byte-by-byte and attachment inference side channel attacks 2024-03-09 15:21:46 -05:00
gui Add 1Password 1PUX and Bitwarden JSON Importers 2024-03-09 15:21:46 -05:00
keeshare Add 1Password 1PUX and Bitwarden JSON Importers 2024-03-09 15:21:46 -05:00
keys Automatically detect USB device changes 2024-03-09 15:21:46 -05:00
post_install Run macdeployqt only once at install time 2022-03-21 00:15:57 +01:00
proxy Add support for Botan3 (#8994) 2023-05-07 23:19:18 -04:00
qrcode Removing QWidget dependency from src/core. 2021-11-12 07:41:30 -05:00
sshagent Greatly improve performance when rendering entry view (#9398) 2023-05-07 23:19:48 -04:00
streams Optimize includes across code base 2021-07-13 22:08:33 -04:00
thirdparty Link ykcore against pthread (#7807) 2022-09-22 06:49:07 -04:00
touchid Fix TouchID not being shown after lid close 2024-03-09 15:21:46 -05:00
updatecheck Optimize includes across code base 2021-07-13 22:08:33 -04:00
winhello Properly handle Windows Hello errors 2023-02-19 08:28:59 -08:00
zxcvbn Add support for Microsoft Visual Studio buildchain 2021-09-19 17:16:45 -04:00
CMakeLists.txt Add 1Password 1PUX and Bitwarden JSON Importers 2024-03-09 15:21:46 -05:00
config-keepassx.h.cmake Add basic support for WebAuthn (Passkeys) (#8825) 2024-01-30 18:26:45 -05:00
git-info.h.cmake Cleanup CMakeFiles prior to release 2019-01-30 15:03:03 -05:00
main.cpp Set test locale to C 2024-03-09 15:21:46 -05:00