
Was Avira Password Manager Audited? What Encryption Algorithm is being used?

11 comments

  • Toni Ruch

    Hi Nathan,

    Thanks a lot for your posting - those are very good questions! 

    Let me reach out to the team and get back to you with a more qualified answer.

    Best,
    Toni Ruch
    Avira Community Manager

    0
  • Nathan

    Hi Toni,

    Thank you very much! Looking forward to hearing from you soon!

     

    Best Regards,

    Nathan

    0
  • Toni Ruch

    Hello Nathan,

    as promised here’s what I could find out for you:

    Our Avira Password Manager has undergone penetration testing from third party companies for internal hardening of the application but there has been no publication of the results.
    The algorithm used to derive the key from the Master Password will be PBKDF2 with 10k iterations in the future. Currently, we’re using AES 256. The same applies to the encryption of the Master Password.

    Hope this helps and let me know if you have any further questions.

    Best,
    Toni Ruch
    Avira Community Manager

    0
  • Nathan

    Hi Toni,

    Thanks for the answer!

    May I know which third party auditing company audited the Avira Password Manager? 

    I would strongly recommend Avira to let its users know that it has been audited, as all the other password manager companies do!

    What do you mean by "will be" and "in the future"? Do you mean that this is not the current algorithm yet? 

    Also, is this Key stored on the server? If it's not, how does Avira Password Manager know that the correct Master Password is entered? In other words, how does the encryption and decryption work? Could you please clarify?

     

    Thank you very much!

    Best Regards,

    Nathan

     

    0
  • Toni Ruch

    Hello Nathan,

    I'm in discussion with the responsible team. As your questions are pretty specific I want to ensure I get the answer you deserve. 

    "Do you mean that this is not the current algorithm yet?"

    As I mentioned above, currently, we’re using AES 256. The same applies to the encryption of the Master Password.

    Best,
    Toni Ruch
    Avira Community Manager

    0
  • Nathan

    Hi Toni, 

    Thank you very much! Looking forward to your reply!

    Seems like Avira does treat its customers well! 😀 

     

    Best Regards,

    Nathan

    1
  • Toni Ruch

    Hello Nathan,

    thanks for your suggestion to have the app run through an audit by a third party company - I've forwarded your idea to the product team.

    "Also, is this Key stored on the server? If it's not, how does Avira Password Manager know that the correct Master Password is entered? In other words, how does the encryption and decryption work? Could you please clarify?"

    Before your data is stored locally or in the cloud it is encrypted with an encryption key. This key is encrypted with the master password and its encrypted form is stored on the Avira server. When you open your Password Manager on another device the encrypted key is downloaded from the server and with the correct master password it can be decrypted locally.

    Best,
    Toni Ruch
    Avira Community Manager

    0
  • Nathan

    Hi Toni, 

    Thank you very much for your kind help! 

    Did I get it right that the Encryption Key (which is used to encrypt the whole vault with AES-256) is the sha-256 PBKDF2 10,000 iterations of the Master Password? This Key is then encrypted with AES-256 (GCM or CBC or ECB?), using the plain Master Password as the key to decrypting the AES-256. When a new login happens, the encrypted data is downloaded to the device once it successfully enters into the Avira account and once it attempts to enter the Password Manager. Then the Master Password decrypts the Key from AES-256, and the Key decrypts all the other passwords from AES-256. Is all the information above accurate? 

     

    Thank you very much! Looking forward to your reply!

     

    Best Regards,

    Nathan

    0
  • Nathan

    Hi Toni,

    Any answers?

    0
  • Toni Ruch

    Hello Nathan,

    I gave you all the information that we are willing to share publicly in this forum.
    Please understand that in order to protect our security systems and our customers' data we are not going into detail any further than that. 

    If you want to dig into technical details even further I recommend that you join the beta test for the Avira Password Manager. Here you have the possibility to talk directly to the PWM Team.

    Best,
    Toni Ruch
    Avira Community Manager

    0
  • Nathan

    Hi Toni,

    Thank you very much for your kind help!

    Hopefully Avira Password Manager would be more transparent in the future and be able to stand up to the scrutiny of its customers! 

     

    Best Regards,

    Nathan

    0
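
The key-wrapping flow described in the thread (a vault key encrypted under the master password, stored in encrypted form on the server, unwrapped locally on another device), as an added example that is not Avira's code and not part of the original posts. AES-256-GCM as the mode, HMAC-SHA256 inside PBKDF2, the salt and IV sizes and all function names are assumptions; with an authenticated mode, a failed tag check is how a client can tell that the wrong master password was entered without the server holding the key or the password.

```javascript
const crypto = require("node:crypto");

const ITERATIONS = 10000; // PBKDF2 count quoted in the thread

// Key-encryption key (KEK) from the master password; HMAC-SHA256 is assumed.
function deriveKek(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, 32, "sha256");
}

// AES-256-GCM (assumed mode): authenticated encryption with a fresh 96-bit IV.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null if the tag fails (wrong key or modified data).
function open(key, box) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  decipher.setAuthTag(box.tag);
  try {
    return Buffer.concat([decipher.update(box.ct), decipher.final()]);
  } catch {
    return null;
  }
}

// The record a server would hold: salt plus the wrapped vault key, nothing else.
function wrapVaultKey(vaultKey, masterPassword) {
  const salt = crypto.randomBytes(16);
  return { salt, ...seal(deriveKek(masterPassword, salt), vaultKey) };
}

function unwrapVaultKey(record, masterPassword) {
  return open(deriveKek(masterPassword, record.salt), record);
}

// Constructed walk-through: device A creates the vault, device B opens it.
function demo() {
  const vaultKey = crypto.randomBytes(32);
  const serverRecord = wrapVaultKey(vaultKey, "constructed master password");
  const entry = seal(vaultKey, Buffer.from("example.test / constructed-secret"));
  const keyOnB = unwrapVaultKey(serverRecord, "constructed master password");
  return {
    roundTrip: open(keyOnB, entry).toString(),
    wrongPassword: unwrapVaultKey(serverRecord, "wrong guess"),
  };
}
```

The 10,000 figure is the iteration count quoted in the thread; OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.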
