It seems like there is some confusion in the codebase over v3 vs v4 databases. From what I can tell, libkeepass supports KeePass 1.x databases (.kdb) and a subset of KeePass 2.x databases (.kdbx v3.x only).

The newer kdbx v4 databases have a number of significant changes in supported algorithms and structure of binary data. Here is a summary of the important changes in the spec:

- support for argon2 key derivation
  - kdbx v3.x supports AES-KDF only. v4 supports both and defaults to argon2
- key derivation information has been moved
  - `transform seed` and `transform rounds` header items have been deprecated
  - a new dynamically sized header item with id 11 has been defined
- stream information for salsa20/chacha20 has been moved
  - a new dynamically sized binary "inner header" has been defined, immediately preceding the XML data
  - are `inner stream key` and `inner stream id` deprecated now? spec didn't say yes
- payload block decryption now uses HMAC-SHA256 instead of just SHA256
- header hash has been moved
  - `<HeaderHash>` in the decrypted XML has been deprecated
  - a 32 byte SHA256 hash of the header immediately follows the header
  - a 32 byte HMAC-SHA256 hash immediately follows the previous SHA256 hash.
    - this hash is calculated like so:
- new `CustomData` field on Entries and Groups

I've been working on some code that demonstrates decrypting kdbx v3 and kdbx v4 in a step-by-step fashion.
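As an added example (not code from libkeepass or from the issue author), the following Python walks the outer header of a .kdbx file, reports whether the key derivation settings are in the deprecated v3 fields or in the v4 item with id 11, and for v4 verifies the SHA-256 hash that immediately follows the header. The magic bytes, the field ids 0, 5 and 6, and the 2-byte (v3) versus 4-byte (v4) field length are assumptions taken from the KDBX format rather than from the issue text; the function names are hypothetical and `build_sample` only produces constructed input.

```python
import hashlib
import struct

# Assumed from the KDBX format, not stated in the issue: magic bytes, ids 0/5/6.
KDBX_SIGNATURE = bytes.fromhex("03d9a29a67fb4bb5")
END, TRANSFORM_SEED, TRANSFORM_ROUNDS, KDF_PARAMETERS = 0, 5, 6, 11

def parse_outer_header(data):
    """Return (major_version, {field_id: value}, offset_after_header)."""
    if data[:8] != KDBX_SIGNATURE or len(data) < 12:
        raise ValueError("not a KDBX (KeePass 2.x) file")
    _minor, major = struct.unpack_from("<HH", data, 8)
    if major not in (3, 4):
        raise ValueError(f"unsupported KDBX major version {major}")
    # Assumed: v4 widened the per-field length from 2 to 4 bytes.
    len_fmt, len_size = ("<H", 2) if major == 3 else ("<I", 4)
    fields, pos = {}, 12
    while True:
        if pos + 1 + len_size > len(data):
            raise ValueError("truncated header")
        field_id = data[pos]
        (size,) = struct.unpack_from(len_fmt, data, pos + 1)
        pos += 1 + len_size
        if pos + size > len(data):
            raise ValueError("header field runs past end of data")
        fields[field_id] = data[pos:pos + size]
        pos += size
        if field_id == END:
            return major, fields, pos

def check_header(data):
    """Report where the KDF settings live and, for v4, verify the header SHA-256."""
    major, fields, end = parse_outer_header(data)
    sha_ok = None  # v3 keeps its header hash inside the encrypted XML
    if major == 4:
        sha_ok = data[end:end + 32] == hashlib.sha256(data[:end]).digest()
    return {
        "version": major,
        "legacy_kdf_fields": TRANSFORM_SEED in fields or TRANSFORM_ROUNDS in fields,
        "kdf_parameters": KDF_PARAMETERS in fields,
        "header_sha256_ok": sha_ok,
    }

def build_sample(major, fields):
    """Constructed input: signature, version, fields, plus the hash for v4."""
    len_fmt = "<H" if major == 3 else "<I"
    out = KDBX_SIGNATURE + struct.pack("<HH", 0, major)
    for fid, value in fields + [(END, b"\r\n\r\n")]:
        out += bytes([fid]) + struct.pack(len_fmt, len(value)) + value
    return out + (hashlib.sha256(out).digest() if major == 4 else b"")
```

The SHA-256 check detects accidental corruption of the header only; it is unkeyed, so it says nothing about tampering, which is what the HMAC-SHA256 value after it is for.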