Imgflip Logo Icon

its honestly better when you actually understand it

its honestly better when you actually understand it | I'M READING DASHLANE'S SECURITY WHITEPAPER; AND FOR SOME REASON IT'S INTERESTING | image tagged in tabs stare | made w/ Imgflip meme maker
124 views 3 upvotes Made by Capto. 4 years ago in MS_memer_group
tabs stare
TABS Stare memeCaption this Meme
9 Comments
The-Auditor..
1 up, 4y
GM Capto
[deleted]
1 up, 4y,
1 reply
Live Sanford reaction | image tagged in live sanford reaction | made w/ Imgflip meme maker
Capto.
0 ups, 4y,
1 reply
[deleted]
1 up, 4y,
1 reply
Crying auditor cat | image tagged in crying auditor cat | made w/ Imgflip meme maker
Capto.
0 ups, 4y,
1 reply
1 General Security Principles
1.1 Protection of User Data in Dashlane
Protection of user data in Dashlane relies on 4 separate secrets:
• The User Master Password:
▷ It is never stored on Dashlane servers, nor are any of its derivatives (including
hashes).
▷ By default, it is not stored locally on disk on any of the user’s devices; we
simply use it to (de)crypt the local files containing the user data.
▷ It is stored locally upon user request when enabling the feature ‘‘Remember
my Master Password”.
▷ In addition, we ensure that the user’s Master Password is never transmitted
over the internet [1]
.
[1] The only derivatives of it that is
sent over Internet is the final encrypted vault, see in the next paragraphs how we ensure its resilience to
attacks. • In some cases (local storage), we use an Intermediate Key (random 32-byte) encrypted with the derived Master Password.
• A unique User Device Key for each device enabled by a user:
▷ Auto generated for each device.
▷ Used for authentication.
• A Local Secret Key generated locally used to secure communication between the
Dashlane application and the browser plugins. The key is exchanged using local
visual pairing (and Diffie-Hellman) when needed.
1.2 Local Access to User Data
Access to the user’s data requires using the User Master Password which is only
known by the user. It is used to generate the symmetric Advanced Encryption Standard (AES) 256-bit key for encryption and decryption of the user’s personal data on
the user’s device.
We useWebcrypto API for most browser based cryptography and the native libraries
for IOS and Android.
On Windows and MacOS, the user’s data encryption and decryption is performed
using OpenSSL:
• A 32-byte salt is generated using the OpenSSLRAND_bytes function for the desktop apps (encrypting) or reading it from the AES file (decrypting).
• The User Master Password is used, with the salt, to generate the AES 256-bit
key that will be used for (en|de)cryption. We use Argon2d, by default, with the
following parameters: iterations = 3, memory = 32Mo, parallelization = 2. We also
support PBKDF2-SHA2 with 200,000 iterations.
• The 16-byte initialization vector is chosen randomly.
• Then, the data is (en|de)crypted using AES CBC-HMAC mode.
• When encrypting, the salt and the Initialization Vector (IV) are written in the AES
file.
1 GENERAL SECURITY PRINCIPLES Page 4
Dashlane - Security White Paper March 2021
1.3 Local Data Usage After decrypting
Once the user has input their Master Pa
[deleted]
1 up, 4y,
1 reply
Live Sanford reaction | image tagged in live sanford reaction | made w/ Imgflip meme maker
Capto.
0 ups, 4y,
1 reply
When a user creates an account on a website for the very first time, the user’s password is hashed and stored in an internal file system in an encrypted form. When the user logs in to the website subsequently, the password hash entered by the user is matched against the password hash stored in the internal system. If the hash matches, the user is granted access. If the hash verification fails, the user is prevented from logging into the website.

Since these hash tables are designed to be fast but not necessarily secure, any hacker can use varied tools available on the internet to recover passwords from these plain hashes swiftly. Currently, there exists many varied ways to crack password hashes – namely, dictionary attacks, brute force attacks, lookup tables, reverse lookup tables, and rainbow tables. In a backend system, plain hashed passwords would appear as follows –

hash (“letmein”) = 0xf73bo1230k35n72nj523dtg9l4n2k6n24nv7i73gf36hf4ow9d4k4c2nm6m
hash (“12345678”) = 4h5g2c9d0a34lk1k3n0sd8sdl4h54nm9g76dsj3n5ksb38j5ls93md0l3hz9d2
hash (“baseball”) = 3n52k5kcn5kv9cma83ja83d430dm9c83m6n20cj67gb7ksnf8dgsmg056vm
hash (“letmein”) = 0xf73bo1230k35n72nj523dtg9l4n2k6n24nv7i73gf36hf4ow9d4k4c2nm6m

All the above mentioned mechanisms to crack a hash are possible because each time a plaintext string is hashed, it generates the exact same hashed value. For example, if an attacker hashes the value “letmein” it will generate the same value as the one stored in the backend system for another user with the password “letmein”. Attackers use pre-computed tables generated by powerful computers that enter all possible values into a hashing algorithm. These tables can also be purchased. Using these tables, an attacker can cross reference a stolen hashed value (such as a password) and perform a reverse lookup to determine the original value.
The-Auditor..
1 up, 4y
Evil_KitK0T
1 up, 4y
GM
TABS Stare memeCaption this Meme
Created with the Imgflip Meme Generator
IMAGE DESCRIPTION:
I'M READING DASHLANE'S SECURITY WHITEPAPER; AND FOR SOME REASON IT'S INTERESTING