Kee Vault and Kee version 3.0

Yes.

It presents no security risk because:

  1. The master password is never directly used for accessing the kdbx file or the Kee Vault authentication server. Instead, two different and cryptographically unrelated 256 bit keys are created - one per the usual kdbx access process (Argon2) and one using PBKDF2 (SHA-256 500 iterations).
  2. The resulting Kee Vault authentication key is never sent to the authentication server - instead SRP is used to verify both the server and the client (user) are who they say they are.

This means that server-side compromise reveals only an SRP verifier. Breaking this (cryptographically close to impossible - no one has done a similar thing yet) reveals only a 256-bit secret key that is unrelated to the information needed to open the kdbx file. In that worst-case scenario of SRP being broken, any attacker would still need to brute force via the PBKDF2 protected secret key before a master password could be revealed.

Additionally, the secret key contains salts including your email address to protect against large-scale (untargeted) attacks. Since your email address is AES encrypted in the database that contains the SRP verifier, this further reduces the chances that a remote server compromise is a feasible attack vector. All this essentially combines to mean that a client-side attack is the only feasible risk in this regard, and no client-side attacker is going to find that breaking SHA-256 or brute forcing PBKDF2 is the easiest approach to take once the client is compromised.
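The post above describes a design rather than showing it, so the following is an added worked example (not Kee Vault's or Kee's own code) of the same shape in Python: one master password yields two unrelated 256-bit keys, the Kee Vault side uses PBKDF2-HMAC-SHA256 with 500 iterations and a salt that includes the email address, and the server ends up holding only an SRP verifier that never sees the auth key. Everything not stated in the post is an assumption made here: the RFC 5054 1024-bit SRP group, SHA-256 as the SRP hash, the exact salt construction, and scrypt standing in for the kdbx key because the Python standard library has no Argon2.

```python
import hashlib
import hmac
import os

# Group parameters: the RFC 5054 1024-bit SRP group. This is an assumption for
# the example; the post does not say which group Kee Vault uses.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def derive_keys(master_password: str, email: str) -> tuple:
    """Derive the two unrelated 256-bit keys the post describes from one master password.

    The kdbx key is Argon2 according to the post; scrypt stands in here only
    because the standard library ships no Argon2. The auth-key salt (a label
    plus the lower-cased email) is an assumed construction.
    """
    pw = master_password.encode()
    kdbx_key = hashlib.scrypt(pw, salt=b"kdbx-example-salt", n=2 ** 14, r=8, p=1, dklen=32)
    auth_salt = b"kee-vault-auth-key:" + email.lower().encode()
    auth_key = hashlib.pbkdf2_hmac("sha256", pw, auth_salt, 500, dklen=32)
    return kdbx_key, auth_key


def private_x(salt: bytes, email: str, auth_key: bytes) -> int:
    """SRP private value x = H(salt, H(I ':' P)); P is the auth key, never the master password."""
    inner = hashlib.sha256(email.lower().encode() + b":" + auth_key).digest()
    return H(salt, inner)


def srp_register(email: str, auth_key: bytes) -> dict:
    """Client-side registration: the server stores only the salt and verifier v = g^x mod N."""
    salt = os.urandom(16)
    v = pow(g, private_x(salt, email, auth_key), N)
    return {"salt": salt, "verifier": v}


def srp_login(record: dict, email: str, auth_key: bytes) -> dict:
    """Run one SRP-6a exchange with both roles in-process and report each side's verdict."""
    salt, v = record["salt"], record["verifier"]
    k = H(pad(N), pad(g))

    # Client -> Server: ephemeral public value A (server rejects A == 0 mod N).
    a = int.from_bytes(os.urandom(32), "big")
    A = pow(g, a, N)
    if A % N == 0:
        raise ValueError("invalid client public value")

    # Server -> Client: salt and B, which folds in the verifier (client rejects B == 0 mod N).
    b = int.from_bytes(os.urandom(32), "big")
    B = (k * v + pow(g, b, N)) % N
    if B % N == 0:
        raise ValueError("invalid server public value")
    u = H(pad(A), pad(B))

    # Client: knows x (from the auth key) and derives the shared secret S.
    x = private_x(salt, email, auth_key)
    base = (B - k * pow(g, x, N)) % N
    K_client = hashlib.sha256(pad(pow(base, a + u * x, N))).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()  # client proof

    # Server: knows only v, derives the same S without ever receiving x or the auth key.
    K_server = hashlib.sha256(pad(pow(A * pow(v, u, N), b, N))).digest()
    server_ok = hmac.compare_digest(M1, hashlib.sha256(pad(A) + pad(B) + K_server).digest())
    M2 = hashlib.sha256(pad(A) + M1 + K_server).digest()  # server proof

    # Client: accepts only if the server proved knowledge of the same session key.
    client_ok = hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K_client).digest())
    return {"server_ok": server_ok, "client_ok": client_ok, "K_client": K_client, "K_server": K_server}
```

The two points worth checking when reading this: the server record holds a salt and `verifier`, not `auth_key`, so a dump of the server yields only the verifier the post talks about; and because the email is part of the PBKDF2 salt, the same master password gives a different auth key per account, which is what blunts an untargeted precomputation attack.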

Will this support the k-anonymity API for checking passwords against the “have I been pwned” database?

Probably at some point. Feel free to open a separate discussion about how you’d like that feature to work.

Kee v3.0 has now been submitted to the Firefox and Chrome stores!

As usual there’s no certainty about when they will actually appear or be pushed out as automatic updates to existing users but hopefully it will at least be sometime today. For the rest of the day I’ll be keeping an eye on this forum and working through a lot of text and image updates to the Firefox and Chrome store pages. In between that I’m working through a variety of improvements already planned for version 3.1 - as usual beta testers will be the first to get to try them out.

I’m now closing this thread so that it doesn’t become a monster covering many different topics. If there are any conversations within that you would like to continue, please feel free to start a new, more specific topic. If there’s a post in this topic that you think should be extracted to a different topic, just let me know and I’ll see what I can do.

To anyone that comes across this topic for the first time in the coming days, please do feel free to contribute to other topics in the new Kee Vault category or just post an “Uncategorised” topic if you want to talk about Kee version 3.0.