KeePass   KeePass Help Center Home KeePass Home | Package Downloads | Flag Translations | Blocks Plugins | Donate Donate  
Home Help Center Home | People Forums | Award Awards | Link Links | Search Search  







Auto-Type Icon

Two-Channel Auto-Type Obfuscation


Description of the Two-Channel Auto-Type Obfuscation feature in KeePass 2.x.

Text  Introduction: What is Two-Channel Auto-Type Obfuscation?

The Auto-Type feature of KeePass is very powerful: it sends simulated keypresses to other applications. This works with all Windows applications and for the target applications it's not possible to distinguish between real keypresses and the ones simulated by Auto-Type. This at the same time is the main disadvantage of Auto-Type, because keyloggers can eavesdrop the simulated keys. That's where Two-Channel Auto-Type Obfuscation (TCATO) comes into play.

TCATO makes standard keyloggers useless. It uses the Windows clipboard to transfer parts of the auto-typed text into the target application. Keyloggers can see the Ctrl-V presses, but do not log the actual contents pasted from the clipboard.

Clipboard spies don't work either, because only parts of the sensitive information is transferred on this way.

Anyway, it's not perfectly secure (and unfortunately cannot be made by theory). None of the currently available keyloggers or clipboard spies can eavesdrop an obfuscated auto-type process, but it is theoretically possible to write a dedicated spy application that specializes on logging obfuscated auto-type.


Text  When can Two-Channel Auto-Type Obfuscation be used?

TCATO cannot be used with all windows. The target window(s) must support clipboard operations and navigation within edit controls using arrow keys. Additionally, the target user interface must not contain automation features like jumping focus when maximum length of a text box is reached (as seen in registration number dialogs for example).

Rules of thumb:

  • Can be used in:
    • Browsers.
    • Windows programs with standard text boxes.
  • Can not be used in:
    • Console-based applications (interactive terminals, ...).
    • Games.

Because it doesn't work with all windows, it's an opt-in feature for each entry. You have to enable it explicitly on the 'Auto-Type' tab page in the 'Edit Entry' dialog.


Text  How to enable / configure Two-Channel Auto-Type Obfuscation?

All you need to do is to tick the checkbox "Two-channel auto-type obfuscation" of an entry ('Auto-Type' tab of the entry editing window); KeePass will do the rest.


Text  Technical Overview

Instead of simply sending simulated keypresses to the target application (as normal auto-type does), obfuscated auto-type does the following:

  • Enable clipboard event blocker.
  • Backup the current clipboard contents.
  • Intelligently split the text into parts.
  • For each part: check if the clipboard can be used.
    • If yes: Split it into two subparts (character-wise, like two flat intertwining combs). Copy/paste the first part, merge the rest by sending keypresses.
    • If no: Send it normally using simulated keypresses.
  • Restore previous clipboard contents.
  • Disable clipboard event blocker.

These steps are described in detail below.


Text  Clipboard Event Blocker

Because we are heavily using the clipboard, it is useful to block all current clipboard monitors. This means that no other applications will get notified when KeePass changes the clipboard.

For this, an invisible window is created and added to the top of the clipboard event handler chain. This window simply throws away all clipboard change messages it receives, practically blocking all other applications from receiving any events.


Text  Intelligently Splitting the Text

The text to be sent must first be split intelligently. Not all parts of the string can be sent using the clipboard: special key codes and key modifiers must be passed unchanged to the SendInput function. For an example, have a look at the following string:

mymail@myprovider.com{TAB}MyTopSecretPassword{TAB} {TAB}{ENTER}

This is an example of a typical string sent by KeePass to another application. First it types the user's email address, then a tab, then the password, a tab, toggles a checkbox, another tab and finally presses the enter key. This sequence can be split into the following parts:

mymail@myprovider.com
{TAB}
MyTopSecretPassword
{TAB}
' ' (space)
{TAB}
{ENTER}

For each line, it is checked if the clipboard can be used. If the line contains a '{', '}', '(', ')', '+', '^', '%' or whitespace (space), it can only be sent by the SendInput function directly. '+' for example presses the Shift key, it should not be copy/pasted as '+' character. Spaces can't be copy/pasted either, because they are usually used to toggle checkboxes.

In the example above, "mymail@myprovider.com" and "MyTopSecretPassword" can be sent using the clipboard.


Text  Splitting the Secrets

Let's transfer "mymail@myprovider.com" to the target application using the clipboard now. KeePass could simply copy it to the clipboard and send a Ctrl+V keypress to the target application, making it paste the clipboard contents. This would be perfectly secure against keyloggers because they only see the Ctrl+V keypress but not the actual contents pasted. But there's still a problem: a malicious application could monitor the clipboard based on time intervals (i.e. not using the events - we've blocked those). Although the duration of the complete copy/paste operation is only a few milliseconds, there's still a small chance that an attacker could get the data in the clipboard. Therefore, the secrets are split.

First, the secret string "mymail@myprovider.com" is randomly split character-wise into two parts like two flat intertwining combs:

 y  il m   o  d  .c
m ma  @ ypr vi er  om

The first string "yilmod.c" is now copied to the clipboard. The string to be sent by the SendInput function is now assembled as follows:

  • Begin with pasting from the clipboard: ^v.
  • Press the left arrow key n times, with n = length of the clipboard string.
  • Send the remaining characters and press the right arrow key to skip the ones that were already pasted from the clipboard.

In our example above, the key sequence would be assembled to:

^v{LEFT 8}m{RIGHT}ma{RIGHT}{RIGHT}@{RIGHT}ypr{RIGHT}vi{RIGHT}er{RIGHT}{RIGHT}om

This will first paste the clipboard contents, go to its start and fill in the remaining characters, building up the original string "mymail@myprovider.com".

The time in which the first string part remains in the clipboard is minimal. It is copied to the clipboard, pasted into the target application and immediately cleared. This process usually takes only a few milliseconds at maximum.

More about secret string splitting:
In the above example, the string "mymail@myprovider.com" was split and sent. If the string would be split differently each time, a malicious application could reassemble the string by capturing multiple auto-types and combining them. In order to prevent this, KeePass initializes the random number generator for splitting based on a hash of the string. This means that each string is split differently, but the partitions of a string are uniquely determined. So, by invoking auto-type multiple times, an attacker cannot reassemble the original string, because he always captures the same half part.









Valid XHTML 1.0 Transitional Document

Get KeePass

Flattr this


KeePass is OSI Certified Open Source Software
Copyright © 2003-2014
Dominik Reichl, [Legal Contact / Imprint] [Disclaimer] [Acknowledgements] [Donate], Downloads hosted at

Get KeePass Password Safe at
SourceForge.net. Fast, secure and Free Open Source software downloads