[Question] Security of the Encrypted data #3
Comments
|
This is a really good question... I hope that this is impossible because this would break the whole system... Honestly, I haven't tried that yet... I will check if this is possible. EDIT: It might take some time, I'm quite busy with some other projects at the moment... |
|
I will try this under https://github.com/SeppPenner/WindowsHelloTest. |
|
For me, it wasn't possible to get this to work without the need to identify again :) Check the project under https://github.com/SeppPenner/WindowsHelloTest. You can run https://github.com/SeppPenner/WindowsHelloTest/blob/master/WindowsHelloTest.1Only.sln to encrypt the data into a file named As I said, I always needed to re-identify myself when running the |
|
@Angelelz Feel free to contact me again if you are able to somehow undergo this mechanism or if you have further questions. |
|
Thank you for taking the time to answer this question! I will fork that repository and work on it myself, and if needed, share my findings with you in this thread. I might even use it in my WinHelloUnlock plugin to provide it in .plgx file. |
Sure, no problem :) |
|
It happened exactly as I was afraid. It's easy to break the encryption if you use WindowsHello Library as code files instead of Nuget package, so that you can change some private static methods to public (or internal) like |
|
Ah okay. If you use this as a class and not from the nuget library, this might be. Well, I don't necessarily think that this is a security issue because it's used in a project you can control? |
|
The problem is, if it's used in a project I cannot control, I still can decrypt the data from that project using a simple console app like the one in my fork. Which I think defeats its purpose. With that in mind, any data saved "encrypted" with this library might as well be written in plain text! I think that is a real concern. But the hope is not lost, please check out the latest KeePassWinHello version, in which they sing a key with Windows Hello Biometry and that is used to encrypt data, I've been trying to understand it and verify it for the last couple of days. LMK what you think |
Have you tried to setup two different projects (in different locations) both having the same
I'm not sure if this solves the problem. If there is a key and this key is available somewhere, another programm can easily get access to the key as well. (As far as I understood it now). |
|
Yes, I've done a lot of research and now I have a better understanding of all of this. The problem is that this library just uses the default Windows Passport key to encrypt the data, and that key is obviously available for the user. To make the Windows Hello Security prompt appear, they just set a property to that key called In the latest version of KeePassWinHello they now create a custom persistent key that is signed with Windows Hello. To use that key, you actually have to use Windows Hello Security Prompt because it's required by the key to decrypt data. I still managed to find a couple of problems with their implementation that I can exploit using a console app. It is a private project because of its security nature but I added you and KeePassWinHello developers as collaborators for you all to check out. |
Is it possible to get the key without the prompt in this scenario? Ah, you mean, they just set the parameter
Ok, that sounds better.
Mhm, bad :D I will have to check this as well... |
Exactly!
Yes. You can check out some more details in the issue I opened in my console app for KeePassWinHello developers. |
|
Well, as you can see they fixed the issue. If you want, I can start helping you update this library with persistent key feature and maybe even credential storage too. I would do it on my own, but I prefer to help you because I don't know how to build a nuget package! |
That would be a good idea. You have a better understanding of the issue and the implementation now, I guess...
Well, you couldn't upload a nuget package with the same id either way (It's linked to the login I assume), but generating one is actually quite easy now. Do you use Visual Studio 2019? When you right-click on a project and go to |
I use VS 2017, should I upgrade? |
You don't need to. I can update this nuget package easily after your changes are merged. I'm just not sure if this already works with the 2017 version. |
Trying to push into a new branch on this repo I'm getting this error. I guess I don't have privileges to write. Should I just fork this and create PRs from there? Also, I'm not familiar with the VS's test functionality, when I start debugging WindowsHello.Tests what am I expecting? A console appears briefly and exits immediately? |
Yeah, that's true. Can you fork this repository and create a pull request? This would be the easiest way. (Fork my repository, push something to your forked one, e.g. https://github.com/Angelelz/WindowsHello/ and create a pull request on github.com afterwards). That's how I do it and it's the easiest way I guess.
Do you run this project via the By the way, thank you already for your time with this issue 👍 I would probably need longer to integrate this into the project. |
|
Just for your information (I know, this is long fixed), but I have created a security advisory for the users here: GHSA-wvpv-ffcv-r6cw |
Hi ! Thanks in advance ! |
|
@NicoleG25 Basically, it's this one: a90c0cc. However, due to formatting changes, there have been a lot of unnecessary changes I reverted later... That's why it looks more complex than it actually is... So, the interesting file is |
|
New reference to Github advisory repo: GHSA-wvpv-ffcv-r6cw |
|
Hi @SeppPenner, @Angelelz: Would you mind summarizing within a few words on how 1.0.4 fixes this issue? I know it's done in a90c000, but still it's too huge to analyze. Is the data now being saved into credential storage? As far as I can see from the readme, it is, please confirm. :) Thank you very much! |
|
Well, the main changes were done in WindowsHello/WindowsHello/, file And as a quote from @Angelelz:
|
If I use this library to encrypt text and write the output to a txt file, could another executable be able to decrypt the text using the static method
NCryptDecryptfrom this same library, without the need to use Windows Hello Authentication?Maybe for somebody the answer to this question is clear from the code, but I'm just learning, and I do it in my spare time. Thanks.
The text was updated successfully, but these errors were encountered: