Hi there!
As suggested I'm posting my request here:
I'm a 22-year-old ICT trainee in my second year in Switzerland.
One of my current projects is a Keypass made purely in PowerShell. It will be an open-source project for everyone. I have now finished my alpha and would like to test the security of my application.
Therefore I'm looking for testers who would like to test my program.
Are some of you interested in giving it a try and testing the security of my application?
That way I could learn a lot from my mistakes and enhance my skills.
Finally I want to help other trainees achieve skills in programming and show with my example how they can start such a project.
If you want I can tell you more about the encryption methods I'm using.
I hope you enjoy my idea. (-:
Greets.
PS. I'm so sorry for my bad English.
Security Testing for Powershell-Based Keypass
- dan.potter
Re: Security Testing for Powershell-Based Keypass
dan.potter wrote: sure, post your psf here.
It's a multi-form project, shall I make a post for every file?
/edit I'll post a OneDrive link in here.
https://1drv.ms/u/s!AiamppDdqWJW1BRG83knXFXdu8VO
Here's the link to the alpha. (-:
Last edited by roebix3 on Mon Oct 03, 2016 12:18 pm, edited 2 times in total.
- dan.potter
Re: Security Testing for Powershell-Based Keypass
dan.potter wrote: you can zip it and post if you want.
I just updated the link.
Re: Security Testing for Powershell-Based Keypass
Maybe I should tell you something about the way I encrypt the passwords and how the authentication works:
For authentication I'm hashing the MasterKey with HMAC and comparing it with that.
By default I encrypt the passwords with Rijndael (AES).
For each "Database" I create a new Intersecting Vector.
To make sure you can't use password guessing attacks, I'm generating a random 512-byte array for each password.
For the password itself I'm using the DB-IV.
I'm generating the salt in a special way:
I take the DB-IV and the MasterKey in the non-HMAC form, put them together and hash them with HMAC. The resulting HMAC key is my salt.
For generating the AES key I'm also using the non-HMAC form of the MasterKey.
The encrypted password itself is in the end a concatenation of the 512-byte array -> to string with the password I want to encrypt.
In this way I think I can make sure there's no way to guess the MasterKey.
Even if you have the source code you won't be able to decrypt the passwords without the original MasterKey.
There's only one problem I see at the moment: I have to save the MasterKey in a variable. I still haven't found a better workaround for that..
Hope this information is helpful for you!
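The construction described in the post above, written out with .NET primitives as an added example (this is not the project's own code). Assumptions, since the post does not name them: HMAC-SHA256 keyed with the DB-IV over the master-key bytes as the "salt", PBKDF2 as the key derivation from the raw master key, the 512 random bytes concatenated at the byte level, and an encrypt-then-MAC tag added so that a wrong master key or an edited entry is rejected before anything is decrypted.

```powershell
# Added example; not the project's own code. Assumptions: HMAC-SHA256 keyed with the DB-IV as
# the "salt", PBKDF2 as the unnamed key derivation, an encrypt-then-MAC tag added for integrity.
function New-DbIV {
    # One fresh 16-byte IV per "database" from the OS CSPRNG
    $iv = [byte[]]::new(16)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($iv)
    return $iv
}
function Get-EntryKeys {
    param([string]$MasterKey, [byte[]]$DbIV)
    $master = [Text.Encoding]::UTF8.GetBytes($MasterKey)
    # Salt = HMAC(DB-IV, MasterKey), deterministic per database as the post describes
    $salt = [System.Security.Cryptography.HMACSHA256]::new($DbIV).ComputeHash($master)
    # AES key and a separate MAC key from the raw master key (PBKDF2 is an assumption)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($MasterKey, $salt, 100000)
    return @{ Aes = $kdf.GetBytes(32); Mac = $kdf.GetBytes(32) }
}
function Protect-Entry {
    param([string]$MasterKey, [byte[]]$DbIV, [string]$Password)
    $k = Get-EntryKeys $MasterKey $DbIV
    # Random 512-byte array in front of the password, as the post describes
    $prefix = [byte[]]::new(512)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($prefix)
    $plain = [byte[]]($prefix + [Text.Encoding]::UTF8.GetBytes($Password))
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC with PKCS7 padding by default
    $aes.Key = $k.Aes; $aes.IV = $DbIV
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    # Tag over IV || ciphertext so an edited blob is rejected before decryption
    $tag = [System.Security.Cryptography.HMACSHA256]::new($k.Mac).ComputeHash([byte[]]($DbIV + $cipher))
    return [Convert]::ToBase64String([byte[]]($cipher + $tag))
}
function Unprotect-Entry {
    param([string]$MasterKey, [byte[]]$DbIV, [string]$Blob)
    $k = Get-EntryKeys $MasterKey $DbIV
    $raw = [Convert]::FromBase64String($Blob)
    $cipher = [byte[]]($raw[0..($raw.Length - 33)])
    $tag = [byte[]]($raw[($raw.Length - 32)..($raw.Length - 1)])
    $expect = [System.Security.Cryptography.HMACSHA256]::new($k.Mac).ComputeHash([byte[]]($DbIV + $cipher))
    $diff = 0   # constant-time comparison: a wrong master key fails here, not in the decryptor
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($tag[$i] -bxor $expect[$i]) }
    if ($diff -ne 0) { throw 'Entry rejected: authentication tag mismatch' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $k.Aes; $aes.IV = $DbIV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    # Drop the 512 random bytes; only the trailing bytes are the password
    return [Text.Encoding]::UTF8.GetString($plain, 512, $plain.Length - 512)
}
$iv = New-DbIV
$blob = Protect-Entry -MasterKey 'correct horse' -DbIV $iv -Password 'hunter2'
Unprotect-Entry -MasterKey 'correct horse' -DbIV $iv -Blob $blob
```

The master key still has to live in a variable while the entry is being worked on, as the post says; with the tag check in place a guessed key is rejected without ever producing plaintext, which is the point a tester will want to verify first.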
- dan.potter
Re: Security Testing for Powershell-Based Keypass
The export-clixml is already encrypted and can only be opened by the user and computer that generated it.
I have used a similar function to store passwords in SQL, but for my local credsafe I just use the export-clixml functionality. Upon opening I authenticate my smartcard with the PIN and start a timer to detect when my computer is locked (which I always do). When I unlock my computer and try to access the credsafe I'm prompted to re-authenticate again. If the smartcard is authenticated and the username on the smartcard matches the hardcoded username in the script I can continue, otherwise the form is closed.
I would recommend clearing the clipboard after five seconds or so.
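The approach described in this reply, as an added example and not dan.potter's own script: a credsafe stored with Export-Clixml (the SecureString inside is protected with DPAPI, so the file only opens for the same user on the same machine), a flag that forces re-authentication after the session has been locked, and a clipboard that is cleared five seconds after a password is copied. It assumes a WinForms message loop (as a .psf form project has) for the timer, and the function and variable names are made up here.

```powershell
# Added example, not dan.potter's script. Assumes a WinForms message loop is running
# (as in a .psf form project) so that the clipboard timer can fire.
Add-Type -AssemblyName System.Windows.Forms

function Save-CredSafe {
    param([string]$Path, [pscredential]$Credential)
    # Export-Clixml encrypts the SecureString with DPAPI under the current user's profile
    $Credential | Export-Clixml -Path $Path
}

function Open-CredSafe {
    param([string]$Path, [string]$ExpectedUser)
    # Import fails for another user or another computer; the user check mirrors the post
    $cred = Import-Clixml -Path $Path
    if ($cred.UserName -ne $ExpectedUser) {
        throw "Credsafe user '$($cred.UserName)' does not match '$ExpectedUser'"
    }
    return $cred
}

# Lock detection: when the session is locked, require re-authentication before the next access
$global:CredSafeNeedsReauth = $false
Register-ObjectEvent -InputObject ([Microsoft.Win32.SystemEvents]) -EventName SessionSwitch `
    -SourceIdentifier CredSafeLock -Action {
        if ($EventArgs.Reason -eq [Microsoft.Win32.SessionSwitchReason]::SessionLock) {
            $global:CredSafeNeedsReauth = $true
        }
    } | Out-Null

function Copy-PasswordToClipboard {
    param([pscredential]$Credential, [int]$Seconds = 5)
    if ($global:CredSafeNeedsReauth) { throw 'Session was locked; re-authenticate first' }
    [System.Windows.Forms.Clipboard]::SetText($Credential.GetNetworkCredential().Password)
    # WinForms timer ticks on the UI thread: clear the clipboard once, then stop and dispose
    $timer = New-Object System.Windows.Forms.Timer
    $timer.Interval = $Seconds * 1000
    $timer.Add_Tick({ [System.Windows.Forms.Clipboard]::Clear(); $this.Stop(); $this.Dispose() })
    $timer.Start()
}
```

After a successful re-authentication the form would reset $global:CredSafeNeedsReauth to $false; that step is left to the form's own logon code.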