Password Safe Database Reader Library in C# for .NET

16 Oct 2007, GPL3, 2 min read
An independent library implementation to read Password Safe Password Manager V3 database files
<html>
<head>
    <title>The Code Project</title>
    <style>
BODY, P, TD { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt }
H2,H3,H4,H5 { color: #ff9900; font-weight: bold; }
H2 { font-size: 13pt; }
H3 { font-size: 12pt; }
H4 { font-size: 10pt; color: black; }
PRE { BACKGROUND-COLOR: #FBEDBB; FONT-FAMILY: "Courier New", Courier, mono; WHITE-SPACE: pre; }
CODE { COLOR: #990000; FONT-FAMILY: "Courier New", Courier, mono; }
</style>
    <link rel="stylesheet" type="text/css" href="http://www.codeproject.com/styles/global.css">
</head>
<body bgcolor="#FFFFFF" color="#000000">
    <pre>
Title:       Password Safe Database Reader
Author:      Svante Seleborg
Email:       svante@axantum.com
Member ID:   229979
Language:    C# 2.0
Platform:    .NET 3.0
Technology:  Cryptography
Level:       Intermediate
Description: An independent implementation to read Password Safe Password Manager V3 database files.
Section      General C#
SubSection   C# Libraries
</pre>
    <ul class="download">
        <li><a href="Axantum.PasswordSafe.zip">Download source - 60 Kb</a></li>
    </ul>
    <h2>
        Introduction</h2>
    <p>
        Password Safe is an open source password manager available for download at <a href="http://passwordsafe.sourceforge.net">
            sourceforge</a>, written in MFC/C++. This is a useful program, but I had a need
        to integrate the possibility to import such content to my <a href="http://www.axantum.com/Xecrets/">
            online</a> password manager which uses a format based on <a href="http://www.w3.org/TR/xmlenc-core/">
                Encrypted XML</a>.
    </p>
    <p>
        There are many potentially creative things to do with Password Safe files, but many
        such ideas may be stopped by the apparent difficulty of decrypting and interpreting
        the database format used. This library provides an easy to use interface, patterned
        on the general .NET Framework readers, such as XmlReader.
    </p>
    <h2>
        Background
    </h2>
    <p>
        Read the background of Password Safe at their web site, but briefly this originated
        as a product from <a href="http://www.schneier.com">Bruce Schneier</a>, at <a href="http://www.counterpane.com/">
            Counterpane</a> who subsequently published the source code, and it now lives
        an independent life at <a href="http://sourceforge.net">Sourceforge</a>.
    </p>
    <p>
        The code presented only implements a <code>PasswordSafeReader</code> at this time,
        but it should be relatively trivial to follow the general implementation pattern
        to make a <code>PasswordSafeWriter</code>. If anyone makes such a beast, I'll be
        happy to integrate the source.
    </p>
    <h2>
        Using the code
    </h2>
    <p>
        The solution in the source code package contains two projects, one for the actual
        library, one for a simple demo and test using the <a href="http://www.nunit.org/">NUnit</a>
        framework to demonstrate usage as well as to provide a validation of the implementation.
    </p>
    <p>
        The basic reader loop, devoid of error checking (the reader will throw InvalidDataException
        for a bad key or bad database format, and InvalidOperationException for an internal
        implementation error) can look like this:
    </p>
    <p>
        <pre>
PasswordSafeHeader header = null;
List&lt;PasswordSafeRecord&gt; records = new List&lt;PasswordSafeRecord&gt;();

// The reader is disposable; the using block releases it when the loop is done.
using (PasswordSafeReader reader = new PasswordSafeReader(stream))
{
    // The passphrase must be set before the first Read().
    reader.SetPassphrase(password);
    while (reader.Read())
    {
        switch (reader.CurrentPartType)
        {
            case PasswordSafePartType.Header:
                header = reader.Header;
                break;

            case PasswordSafePartType.Record:
                records.Add(reader.Record);
                break;

            default:
                break;
        }
    }
}
</pre>
    </p>
    <h2>
        Points of Interest
    </h2>
    <p>
        An interesting discovery when implementing this code was that I found a minor
        security flaw in the format. The database is encrypted and also protected with a
        keyed hash, an HMAC, to ensure the integrity of the data. The problem is that the
        HMAC does not actually protect all the bits it should: it does not protect the
        format metadata, i.e. record lengths and field type codes. The real-world risk
        of this is low, since it is all encrypted, but it's still a flaw.
    </p>
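    <p>
        The coverage gap described above, shown as an added example that is not part of the
        library or of Password Safe: the field layout, type codes, key and the choice of
        HMAC-SHA256 are constructed assumptions, and no encryption is involved. A tag computed
        over field values alone does not change when a type code or a field boundary changes,
        while a tag that also covers type and length does.
    </p>

```csharp
// Added example: simplified type/length/value fields, not the real V3 layout.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class HmacCoverageDemo
{
    // Hypothetical field: a type code plus a value; the length is Value.Length.
    struct Field
    {
        public byte Type; public byte[] Value;
        public Field(byte type, string value) { Type = type; Value = Encoding.UTF8.GetBytes(value); }
    }

    // HMAC over the fields; includeMetadata adds each type code and length to the input.
    static byte[] Tag(byte[] key, Field[] fields, bool includeMetadata)
    {
        using (var hmac = new HMACSHA256(key))
        using (var ms = new MemoryStream())
        {
            foreach (Field f in fields)
            {
                if (includeMetadata)
                {
                    ms.WriteByte(f.Type);
                    ms.Write(BitConverter.GetBytes(f.Value.Length), 0, 4);
                }
                ms.Write(f.Value, 0, f.Value.Length);
            }
            return hmac.ComputeHash(ms.ToArray());
        }
    }

    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed demo key");
        Field[] original = { new Field(0x01, "title"), new Field(0x02, "secret") };
        // Same concatenated value bytes, but a different type code and field boundary.
        Field[] altered = { new Field(0x07, "titles"), new Field(0x02, "ecret") };

        bool valuesOnlySame = Tag(key, original, false).SequenceEqual(Tag(key, altered, false));
        bool fullCoverageSame = Tag(key, original, true).SequenceEqual(Tag(key, altered, true));
        Console.WriteLine("values-only tag unchanged:   " + valuesOnlySame);
        Console.WriteLine("full-coverage tag unchanged: " + fullCoverageSame);
    }
}
```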
    <p>
        Password Safe has gone through several generations; this code implements the Version
        3 format, which among other things of note uses the <a href="http://www.schneier.com/twofish.html">
            Twofish</a> block cipher for encryption. The Twofish implementation used was
        written by <a href="http://www.codeproject.com/cs/algorithms/twofish_csharp.asp">Shaun
            Wilde</a>.
    </p>
    <p>
        The source code as published here is licensed under the GPL version 3.0 - but if
        this is a problem for your project, in most cases I'll be happy to license it to
        you for free under less restrictive terms. Just send me an e-mail.
    </p>
    <h2>
        History
    </h2>
    <p>
        This is version 1.0.0.0.
    </p>
</body>
</html>

License

This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)


Written By
Web Developer Axantum Software AB
Sweden
I've been working with all aspects of software development since 1979 - from compiler construction to management. Currently I'm an independent consultant mostly specializing in computer security. Please see my homepage for contact details.

I speak C like a native, and have a pretty good grasp of C++. The most recent five years C# has been the main development language. Traditionally Unix has been the dominating environment, but currently the scales have tipped over to Windows, due to market demands but I'm equally at home developing in both environments.

When I'm not coding I'm usually sitting on one of my 4 bikes, indoors or outdoors, on the road or in the woods.
