Steganos safe (2007 or 2008) password generator.

Hey !


I'm a user of Steganos Safe 2007 (not the Pro version with keyrecovery option). I don't trust this.

I do have questions about the built-in password generator they use.

If you make a new safe, you have the option to provide a password (i use 70 random characters) that is 280 binary-bits.

I know this is 6 charaters to much (for the 256-Bits AES) for maximum strength. But this is just a little safety margin.

You also get the option to safe a "keyfile" to a removable media for easy entry to the vault.

This keyfile is generated by steganos. So you get the option to open your safe with the password you provided, OR with the keyfile for easy entry.

my problem (question) is why is the password in the generated keyfile only 64-characters long (if you convert to .txt you can see it) if you have the option for manualy type password up to 100 characters ??

So the weakness is Not always the password you type yourself, but could reside in the key-generator in steganos !

Wich algorithm do they use to derivate the keyfile ? (hash function).

do they ad random bits (salt) or truly random bits derivated on mouse movements ?? or something else...

There is NO information on this ?

Does somebody knows more about this program that is worldwide used ?

(Steganos support didn't answer me)


Thanks !

 

Finaly got a answer from Steganos support better late then never :

ALthough they didn't respond to ALL my questions (yet)...
-----------------------------------------------------------

Method used to make the .SLE file (safe) :

We are using LRW-Mode to prevent from Watermark attacks.

------------------------------------------------------------
The HASH-function used to derivate the keyfile saved on a removable medium?

SHA-256 and RSA

------------------------------------------------------------
Random pool used to generate the keyfile ? .

Yes, during the creation process we capture random data from mousemovement, keybord etc.

------------------------------------------------------------
These answers came via email from Steganos support.

 

A stupid question...
Is the keyfile used INSTEAD of a user-provided password? or WITH it?
Because I use Keepass for my password storage and you have an option to use only a password or only a keyfile or BOTH (wich is the option I use, so only with my laptop AND an USB-drive I have access to my passwords).

I'm new to encryption so I'm trying to learn as much as I can...

 

The keyfile is used for "easy entry" stored on a removable medium (usb-stick...).

The moment you insert the medium the safe opens ,without the need to enter a long password. If you disconnect the medium, the safe closes.

The keyfile can't be used on is own. When creating a "VAULT" you HAVE to enter a password. At the same time you have the option to generate a keyfile to, but this is optional.

If you lose the keyfile, you can still open the safe with your provided password. So it's best that this password is altleast the strength of the keyfile.

 

Personally, I don't like the idea of having a program that will automatically open all my passwords with just a file available.

I have been using KeePass (http://keepass.info) for 2-3 years now if I remember correctly, and I love it. The current version does allow for using a or password only, keyfile only (which I currently do), or password and keyfile (which I'm changing to).

If you wish to access your password store, you either start or bring to focus KeePass, at which point it will ask for your Pass/file if it is locked. It can automatically lock your passwords on minimize, or after xx time. Useful if you use it and walk away from your PC. Someone walking past won't be able to just jump in and look at it left open.

If your worried about forgetting your password and/or losing your keyfile so you are unable to access your password store, what I've done is export my store to a text file, then encrypted it with GPG and put another copy in a TrueCrypt volume. I'm a big fan of multiple redundancies.

I know this isn't an advertising venue from another post but I do want to just add for completeness, KeePass is open source, and I'd suggest v1.10, as v2.x is alpha of "the next generation" of keepass. There are also ports for linux, MacOSX, WinCE, and even someone has made a U3 "application" out of it.

 

The feature to open the encrypted volume with only a key file is optional.

You can still use a long password ONLY. But there isn't the option to use a password & keyfile together to get access to the volume (unlike Keepass, Truecrypt, FreeOTFE ect....

Keepass is great software, but it isn't "Volume" encryption.

 

I'm curious. You said you can use a password if you lose your USB flash drive (or whatever you choose to host your keyfile). Is there a way to have NO option if you lose the hosted keyfile?