Kaspersky Password Manager Revealed to Be Cryptographically Flawed

Too much is not always a good thing, a lesson that the developers of Kaspersky Password Manager had to learn the hard way. Its overly complex generation method relied on an unsuitable PRNG, did not follow cryptographic best practices, and produced passwords that were easy to bruteforce.

30 July 2021

After almost two years, Ledger Donjon security researcher Jean-Baptiste Bédrune has finally gone public about several problems discovered in the password generator included in Kaspersky Password Manager (KPM). The most critical one is the flawed PRNG – Pseudo Random Number Generation – which unwisely used the current time as its only source of entropy.

We will go through the main points of his detailed technical article to summarize what went wrong and why it is so important not to disregard well-established CSPRNG – Cryptographically Secure Pseudo Random Number Generation – when it comes to key or password generation.

A clever idea turned sour

One of the first potential weaknesses of KPM that Bédrune mentions in his article is an algorithmic bias that was probably introduced to defeat common password cracking tools, but which can be turned against the generator.

“Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords hard to break for standard password crackers.” 

In order to do that they used a technique where letters and combinations of letters that are not often used in human-created passwords appear more frequently.

“Their password cracking method relies on the fact that there are probably more ‘e’ and ‘a’ in a password created by a human than ‘x’ or ‘j’, or that the bigrams ‘th’ and ‘he’ will appear much more often than ‘qx’ or ‘zr’,” Bédrune explains.

The obvious downside of this approach is the fact that the application becomes predictable, and the well-intended bias can be exploited.  

“If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password,” the researcher states.

However, this weakness is not critical by itself, and the research concluded that the passwords would resist standard tools if they are long enough; password length is a setting that KPM allows users to change. The main problem arose when Ledger examined KPM’s PRNG.

Time as the source of entropy

The vulnerability is registered as CVE-2020-27020, and its description states that “the password generator feature in KPM was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords if they knew some additional information,” more specifically, the time of its creation.

The cryptographic flaw was caused by the use of the Mersenne Twister PRNG on the desktop and the Math.random() function in the web version of the application, neither of which is suitable for generating cryptographically secure material, as the research shows:

  • The seed is just 32 bits, which means that it can be bruteforced easily.
  • An instance of the PRNG is created every time a password is generated, therefore KPM can generate at most 2^32 passwords for a given charset.

Simply put, “it means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second,” Bédrune said.

The issue could have been discovered easily. It was not, because the program plays an animation during password creation that takes longer than the second in question, so two passwords generated one after the other did not come out identical.

“The consequences are obviously bad: every password could be bruteforced. For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes,” states the researcher.

Conclusion

On April 27, Kaspersky published a security advisory according to which “all public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation,” which officially ends this two-year-long struggle.

If you are interested in finding out more and perhaps doing some testing of your own, we definitely recommend checking Ledger’s article, which also provides their proof of concept to get you started.