4

A common piece of advice for storing passwords is to store them in an encrypted file, for example by using dedicated software such as KeePass2. To keep this file in sync between several computers, the advice goes, the file is put on online storage such as Dropbox. I have seen this solution proposed many times as an alternative to using browser plugins such as LastPass -- and perhaps it is indeed a superior solution.

In this scenario, I think, the online storage itself is not considered secure -- it is supposed to be either hackable, or itself actively eavesdropping.

Yet from what I understand from some answers read here, it is not safe to encrypt several files with the same key. And of course, a file containing passwords is deemed to be updated regularly.

So my question is, should we consider that having access to a (large) history of an encrypted file, when this file is encrypted with the same key, is a security flaw? Is this a general rule or are there encryption algorithms for which this is not that much of a problem? What about KeePass(2) more specifically, and what to think about the advice above about online storage of kdbx files?

2
  • Well, I do host my kdbx file on Google Drive and I still feel safe... Commented Jun 16, 2015 at 20:14
  • I actually think this is a pure crypto question: it looks like a "known-ciphertext" attack question to me. Commented Jun 17, 2015 at 0:20

1 Answer 1

4

it is not safe to encrypt several files with the same key

This statement isn't fully true.
It is indeed not a good practice to encrypt many files using the same (data) key, but it is still absolutely acceptable, as modern ciphers resist attacks even if gigantic amounts of data encrypted with the same key are provided (whole drives aren't enough).
What can go wrong with encrypting multiple files with the same key is re-using the IV, which will indeed lead to severe attacks.

So my question is, should we consider that having access to a (large) history of an encrypted file when this file is encrypted with the same key is a security flaw?

No.
If your password is strong enough, KeePass does an excellent job at protecting the database. The above IV flaw is mitigated by KeePass by simply renewing the IV each time the database is saved. Hence the passwords are safe, no matter how many versions are available.
In general: key reuse is only an issue if you think you may lose the key. IV reuse is much worse but can easily be mitigated, which is often done.

Is this a general rule or are there encryption algorithms for which this is not that a problem?

This is a general rule (that ciphers are immune to such attacks), which is only violated by really bad ciphers, which can be attacked by having enough known plaintext (look at FEAL for example).

What about KeePass(2) more specifically and what to think about the advice above about online storage of kdbx files?

As far as I can tell KeePass is really secure and protects the database effectively. Storing the kdbx files online isn't a security risk, as the password protects the database, and it prevents you from actually losing the database.

2
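The answer's two claims, that key reuse across many saved versions is fine but IV reuse is not, can be seen directly with a counter-mode cipher. The Go program below is an added illustration and is not KeePass's code or a model of the kdbx format; it uses AES-256-CTR from the standard library with a constructed fixed key and two constructed "database versions". With the same key and the same IV, the XOR of the two ciphertexts equals the XOR of the two plaintexts, so an observer of the file history learns which bytes changed between saves without the key. With the same key but a fresh random IV per save (the mitigation the answer describes), that relation disappears. The helper names (ctrEncrypt, IVReuseLeak, FreshIVSave, LeaksPlaintextXOR) are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed sample key: a password manager derives this from the master
// password; here it is a fixed 32-byte value so the example is reproducible.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

// ctrEncrypt encrypts plaintext with AES-256-CTR under key and a 16-byte IV.
// Helper written for this example; it is not KeePass's own code.
// CTR is symmetric, so the same call also decrypts.
func ctrEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes", block.BlockSize())
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// xorBytes returns a XOR b, truncated to the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// IVReuseLeak models two saves of the database under the SAME key and the
// SAME IV. It returns what an observer holding both ciphertexts can compute
// with no key at all: c1 XOR c2, which in CTR mode equals p1 XOR p2 because
// the identical keystream cancels out.
func IVReuseLeak(key, iv, p1, p2 []byte) ([]byte, error) {
	c1, err := ctrEncrypt(key, iv, p1)
	if err != nil {
		return nil, err
	}
	c2, err := ctrEncrypt(key, iv, p2)
	if err != nil {
		return nil, err
	}
	return xorBytes(c1, c2), nil
}

// FreshIVSave models the mitigation: the key stays the same across saves,
// but every save draws a fresh random IV. Returns the IV and the ciphertext.
func FreshIVSave(key, plaintext []byte) (iv, ct []byte, err error) {
	iv = make([]byte, aes.BlockSize)
	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
		return nil, nil, err
	}
	ct, err = ctrEncrypt(key, iv, plaintext)
	return iv, ct, err
}

// LeaksPlaintextXOR reports whether c1 XOR c2 equals p1 XOR p2, i.e. whether
// the pair of ciphertexts reveals the difference between the two versions.
func LeaksPlaintextXOR(c1, c2, p1, p2 []byte) bool {
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

func main() {
	// Constructed sample contents: version 1 and version 2 after one edit.
	v1 := []byte("site=example.test user=alice pass=correct-horse")
	v2 := []byte("site=example.test user=alice pass=battery-staple")
	fixedIV := make([]byte, aes.BlockSize) // the bad case: IV never changes

	leak, _ := IVReuseLeak(sampleKey, fixedIV, v1, v2)
	fmt.Printf("same key + same IV: observer learns p1^p2? %v\n",
		bytes.Equal(leak, xorBytes(v1, v2)))

	iv1, c1, _ := FreshIVSave(sampleKey, v1)
	iv2, c2, _ := FreshIVSave(sampleKey, v2)
	fmt.Printf("same key + fresh IVs (%x.., %x..): observer learns p1^p2? %v\n",
		iv1[:4], iv2[:4], LeaksPlaintextXOR(c1, c2, v1, v2))
}
```

The first line printed is true, the second false. Note that in the reuse case the leaked XOR is all zero bytes wherever the two versions agree, so the observer also learns exactly which byte positions were edited between saves. Renewing the IV on every save, as the answer says KeePass does, is what makes a long history of the same file under one key harmless; the key itself never needs to change for that.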
