12
submitted 1 year ago* (last edited 1 year ago) by Kalcifer@lemmy.world to c/cybersecurity@sh.itjust.works

I apologize in advance if this is the wrong community for this post. If so, please point me in the right direction of where I should post this.


I'm thinking of trying out KeePassXC, and, when creating a new database, I came across the following settings:

Some of this is somewhat self explanatory to me ("Encryption Algorithm", and "Key Derivation Function"), but some of it not so much -- namely, "Transform Rounds" (I'm assuming that "Memory Usage", and "Parallelism" are more specific, not to the database on the whole, but, instead, to the decryption itself within the app, or, maybe, even just for the benchmark). What exactly is "Transform Rounds"? Does it mean that the passwords are encrypted over, and over again, in attempt to protect against dictionary attacks? I haven't been able to find any concrete information.

you are viewing a single comment's thread
view the rest of the comments
[-] hikaru755@feddit.de 13 points 1 year ago

Those last three input boxes are all parameters to fine tune the operation of the key derivation function, they control the performance and hardware usage characteristics of how to derive the actual database encryption key from your password in order to make it harder to brute force.

The Transform Rounds input essentially controls how much sequential processing power is needed by repeating a specific part of the KDF more or less often, and thus allows you to determine how long the key derivation will take every time. That's why there's a Benchmark button next to it - it will automatically test on your CPU and determine how many rounds are needed to produce a 1 second delay on your hardware. Which is an acceptable time to wait for your database to unlock, but bad news for someone trying to brute force your password, as it limits how many attempts different passwords they can test in a given time.

Memory usage controls the amount of memory the KDF needs, and Parallelism controls how many parallel threads are used, both limiting how many parallel attempts at brute forcing your password a potential attacker can run on any given hardware.

Disclaimer: I'm not a security expert, just a software developer who has come into contact with KDFs quite a bit. If I misrepresented anything above, happy for correction!

[-] xaera@sh.itjust.works 5 points 1 year ago

Great answer, it is similar to the cost parameter for bcrypt/scrypt and iterations for PBKDF2.

this post was submitted on 16 Jul 2023
12 points (100.0% liked)

Cybersecurity

5652 readers
159 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago
MODERATORS