Two-Channel Auto-Type Obfuscation Description of the Two-Channel Auto-Type Obfuscation feature in KeePass 2.x.

• Information for Users:
  • Introduction: What is Two-Channel Auto-Type Obfuscation?
  • When can Two-Channel Auto-Type Obfuscation be used?
  • How to enable / configure Two-Channel Auto-Type Obfuscation?
• Technical Information:
  • Technical Overview
  • Intelligently Splitting the Text
  • Splitting the Secrets

Introduction: What is Two-Channel Auto-Type Obfuscation?

The Auto-Type feature of KeePass is very powerful: it sends simulated keypresses to other applications. This works with all Windows applications and for the target applications it's not possible to distinguish between real keypresses and the ones simulated by Auto-Type. This at the same time is the main disadvantage of Auto-Type, because keyloggers can eavesdrop the simulated keys. That's where Two-Channel Auto-Type Obfuscation (TCATO) comes into play.

TCATO makes standard keyloggers useless. It uses the Windows clipboard to transfer parts of the auto-typed text into the target application. Keyloggers can see the Ctrl+V presses, but do not log the actual contents pasted from the clipboard.

Clipboard spies don't work either, because only parts of the sensitive information is transferred on this way.

Anyway, it's not perfectly secure (and unfortunately cannot be made by theory). None of the currently available keyloggers or clipboard spies can eavesdrop an obfuscated auto-type process, but it is theoretically possible to write a dedicated spy application that specializes on logging obfuscated auto-type.

When can Two-Channel Auto-Type Obfuscation be used?

TCATO cannot be used with all windows. The target window(s) must support clipboard operations and navigation within edit controls using arrow keys. Additionally, the target user interface must not contain automation features like jumping focus when maximum length of a text box is reached (as seen in registration number dialogs for example).

Rules of thumb:

• Can be used in:
  • Browsers.
  • Windows programs with standard text boxes.
• Can not be used in:
  • Console-based applications (interactive terminals, ...).
  • Games.

Because it doesn't work with all windows, it's an opt-in feature for each entry. You have to enable it explicitly on the 'Auto-Type' tab page in the 'Edit Entry' dialog.

How to enable / configure Two-Channel Auto-Type Obfuscation?

All you need to do is to tick the checkbox "Two-channel auto-type obfuscation" of an entry ('Auto-Type' tab page of the entry editing window); KeePass will do the rest.

Technical Overview

Instead of simply sending simulated keypresses to the target application (as normal auto-type does), obfuscated auto-type does the following:

• Back up the current clipboard contents.
• Intelligently split the text into parts.
• For each part: check if the clipboard can be used.
  • If yes: Split it into two subparts (character-wise, like two flat intertwining combs). Copy/paste the first part, merge the rest by sending keypresses.
  • If no: Send it normally using simulated keypresses.
• Restore previous clipboard contents.

These steps are described in detail below.

Intelligently Splitting the Text

The text to be sent must first be split intelligently. Not all parts of the string can be sent using the clipboard: special key codes and key modifiers must be passed unchanged to the SendInput function. For an example, have a look at the following string:

[email protected]{TAB}MyTopSecretPassword{TAB} {TAB}{ENTER}

This is an example of a typical string sent by KeePass to another application. First it types the user's email address, then a Tab, then the password, a Tab, toggles a checkbox, another Tab and finally presses the Enter key. This sequence can be split into the following parts:

[email protected]
{TAB}
MyTopSecretPassword
{TAB}
' ' (space)
{TAB}
{ENTER}

For each line, it is checked if the clipboard can be used. If the line contains a '{', '}', '(', ')', '+', '^', '%' or whitespace (space), it can only be sent by the SendInput function directly. For example, '+' presses the Shift key, it should not be copy/pasted as '+' character. Spaces cannot be copy/pasted either, because they are usually used to toggle checkboxes.

In the example above, "[email protected]" and "MyTopSecretPassword" can be sent using the clipboard.

Splitting the Secrets

Let's transfer "[email protected]" to the target application using TCATO.

First, the secret string "[email protected]" is randomly split character-wise into two parts like two flat intertwining combs:

 y  il m   o  d  .c
m ma  @ ypr vi er  om

The first string "yilmod.c" is now copied to the clipboard. The string to be sent by the SendInput function is now assembled as follows:

• Begin with pasting from the clipboard: ^v.
• Press the ← key n times, with n = length of the clipboard string.
• Send the remaining characters and press the → key to skip the ones that were already pasted from the clipboard.

In our example above, the key sequence would be assembled to:

^v{LEFT 8}m{RIGHT}ma{RIGHT}{RIGHT}@{RIGHT}ypr{RIGHT}vi{RIGHT}er{RIGHT}{RIGHT}om

This will first paste the clipboard contents, go to its start and fill in the remaining characters, building up the original string "[email protected]".

The time in which the first string part remains in the clipboard is minimal. It is copied to the clipboard, pasted into the target application and immediately cleared. This process usually takes only a few milliseconds at maximum.

More about secret string splitting:
In the above example, the string "[email protected]" was split and sent. If the string would be split differently each time, a malicious application could reassemble the string by capturing multiple auto-types and combining them. In order to prevent this, KeePass initializes the random number generator for splitting based on a hash of the string. This means that each string is split differently, but the partitions of a string are uniquely determined. So, by invoking auto-type multiple times, an attacker cannot reassemble the original string, because he always captures the same half part.