[Gpg4win-users-en] KeePass 2 problem

Werner Koch wk at gnupg.org
Tue Apr 24 11:21:07 CEST 2012


On Tue, 24 Apr 2012 00:01, C.Krueger at gmx.org said:

> That's absolutely senseless, it makes nothing harder since source is
> available. It only makes things uncomfortable.

Nope.  You might know that GnuPG is actually a Unix application and
Pinentry is based on X11.  A common basic protection is to grab mouse
and keyboard to avoid simple sniffing attacks.  Under Windows you have
similar basic protection - cut and paste can't be used for simple
attacks.

The availability of source code is irrelevant.  The general rule is: if
an attacker has any kind of illegitimate access to a box, you need to
consider the box compromised.  Neither KeePass nor GnuPG can avoid it.
We may only try to make it a little bit harder.

> Since GnuPG has no password store, there is no alternative.
> Keepass is the single store and it makes perfect sense to paste the
> password to gpg. Keepass even clears the clipboard automatically.

The question is why you need to store the passphrase somewhere else
protected under a different passphrase.  GnuPG tries to protect the key
very well.  Storing that passphrase in another file under yet another
passphrase does not help at all.  The passphrase should be memorized and
typed in.  By setting the caching time in gpg-agent.conf you can adjust
the time of exposure to a value of your choice.  But remember, that will
only help against leaving your box unattended and not against any
installed malware.

This is actually an old and fruitless discussion.  Check the gnupg-users
archive.

If you want to have a c+p feature, please write a new pinentry which
allows for this.  It is not hard to do that; the standard pinentry
source provides the framework to implement all kinds of pinentries.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
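The mail above points at two mechanisms: the gpg-agent cache TTL and the pinentry program, which gpg-agent talks to over the Assuan line protocol. The skeleton below is an added example and not code from the original message or from the GnuPG project; it implements the pinentry side of that dialogue (SETDESC, SETPROMPT, GETPIN, BYE, the percent-escaping of data lines) and leaves the question of where the passphrase comes from to a callback, so a reader who wants a "c+p" pinentry only has to supply that callback. The error numbers follow libgpg-error's convention (source PINENTRY = 5, shifted by 24 bits); the command list accepted with a bare OK and the /dev/tty fallback are assumptions for the demo.

```python
"""Minimal pinentry speaking the Assuan protocol that gpg-agent uses.

Added example; modelled on the behaviour of the standard pinentry programs,
not taken from them.  Passphrase source is a callback (desc, prompt) -> str|None.
"""
import getpass
import sys
from typing import Callable, Iterable, List, Optional
from urllib.parse import unquote

PinSource = Callable[[str, str], Optional[str]]

# libgpg-error: code | (source << 24), source GPG_ERR_SOURCE_PINENTRY = 5
_SRC = 5 << 24
ERR_CANCELLED = f"ERR {_SRC | 99} Operation cancelled <Pinentry>"
ERR_UNKNOWN = f"ERR {_SRC | 275} Unknown IPC command <Pinentry>"

# Commands we acknowledge without doing anything (assumed sufficient for gpg-agent).
_NOOP = {"OPTION", "SETTITLE", "SETOK", "SETCANCEL", "SETNOTOK", "SETERROR",
         "SETKEYINFO", "SETQUALITYBAR", "SETREPEAT", "SETTIMEOUT", "MESSAGE",
         "CONFIRM", "GETINFO", "RESET", "NOP"}


def assuan_escape(s: str) -> str:
    """Percent-escape the bytes Assuan forbids inside a 'D' data line."""
    return s.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def assuan_unescape(s: str) -> str:
    """Inverse of assuan_escape (gpg-agent sends SETDESC text this way)."""
    return unquote(s)


class Pinentry:
    def __init__(self, pin_source: PinSource) -> None:
        self.desc = ""
        self.prompt = "PIN:"
        self.pin_source = pin_source

    def handle(self, line: str) -> List[str]:
        """Reply lines for one command line received from gpg-agent."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "SETDESC":
            self.desc = assuan_unescape(arg)
            return ["OK"]
        if cmd == "SETPROMPT":
            self.prompt = assuan_unescape(arg)
            return ["OK"]
        if cmd == "GETPIN":
            pin = self.pin_source(self.desc, self.prompt)
            if pin is None:                      # user cancelled
                return [ERR_CANCELLED]
            return ["D " + assuan_escape(pin), "OK"]
        if cmd == "BYE":
            return ["OK closing connection"]
        if cmd in _NOOP:
            return ["OK"]
        return [ERR_UNKNOWN]


def run_dialog(lines: Iterable[str], pin_source: PinSource) -> List[str]:
    """Drive a Pinentry over an in-memory command list; returns every reply."""
    pe = Pinentry(pin_source)
    out = ["OK Pleased to meet you"]             # greeting every pinentry sends
    for line in lines:
        out.extend(pe.handle(line))
        if line.strip().upper() == "BYE":
            break
    return out


def serve_stdio(pin_source: PinSource) -> None:
    """Real mode: gpg-agent talks to us on stdin/stdout, one line at a time."""
    pe = Pinentry(pin_source)
    sys.stdout.write("OK Pleased to meet you\n")
    sys.stdout.flush()
    for line in sys.stdin:
        for reply in pe.handle(line):
            sys.stdout.write(reply + "\n")
        sys.stdout.flush()
        if line.strip().upper() == "BYE":
            break


def tty_source(desc: str, prompt: str) -> Optional[str]:
    """Demo source: ask on the controlling terminal (assumption: /dev/tty exists)."""
    try:
        return getpass.getpass(f"{desc}\n{prompt} ")
    except (EOFError, KeyboardInterrupt):
        return None


if __name__ == "__main__":
    serve_stdio(tty_source)
```

To try it against a real agent, point gpg-agent at the script with `pinentry-program /path/to/this-script.py` in gpg-agent.conf, and set the exposure window the mail mentions with `default-cache-ttl` and `max-cache-ttl` (both in seconds); `gpg-connect-agent reloadagent /bye` makes the agent re-read the file. Replacing tty_source with a clipboard reader gives the feature the original poster asked for, with exactly the limitation Werner describes: whatever feeds the callback is as exposed as the callback's machine.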