OffPass/offpass-desktop
Archived
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

+ Add some new concepts to DEVELOPMENT.md

Browse Source 
+ Add icon
This commit is contained in:
Nicolas Klier
2019-10-26 15:56:25 +02:00
parent 0fa86ee35c
commit c258d995cf
12 changed files with 117 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
DEVELOPMENT.md
View File

@@ -1,3 +1,57 @@
# Developer notes
**Programming language:** TypeScript
**Framework:** Electron (latest)
**Framework:** Electron (latest)
## Encryption
OffPass uses PGP in the background with symmetric encrpytion.
### Passphrase
The passphrase is the actual key which is used for encrpytion. But we don't use your entered master password directly. We hash it with `Argon2i` about 25 times. This gives use an output like this: `29dbf5392f13f36d7e9509b1a5c9add0d6a8e2625b5e84ab4d1df8da6063625d`.
This value will be used as passphrase, not your plain password. The creation of this hash takes about **more then one second**.
Attackers are using password dictionaries with more then one million passwords. Creating such a hash for each password in there would take **millions of years**.
## QR-Code schema
An OffPass QR-Code must follow this data schema or else OffPass wouldn't be able to read it. **The following examples are data after decryption.**
```
name|password|email|website_url|(custom1)data1|(custom2)data2
```
Als Beispiel:
```
Main Steam Account|super_secret_example123|info@example.de|https://store.steampowered.com/login/|(2fa_backup)R1337
ProtonMail|mail_pw123|klier.nicolas@protonmail.com||
```
These characters are reserved and cannot be used for any fields: `|%§`
### Compression
It is possible to compress QR-Codes. Instead of writing all data to the QR-Code you can write random strings (key) to it. OffPass itself holds a database of those random string and the corresponding encrypted value.
The program generates a `session key` (length of 10 characters) which is unique for each QR-Code. This session key is stored on the QR-Code and is used to encrypt the raw values in database. So not even If someone stells your database he wouldn't be able to read your compressed strings.
The compression key is stored like that: `§key`, the decryption key is stored like that: `%decryption_key%` always at the beginning.
For example:
```
%session_key%§xa|passwords_not2134|email_too@example.com|§q|(§a)§gh|(uncompressed)value
-> Google|passwords_not2134|email_either@example.com|https://accounts.google.com|(2fa_backup)245131,...|(uncompressed)value
```
This can has two advantages:
* An attacker can't read compressed values (he would need the database)
* You can get more data on one QR-Code
But one disadvantage:
* **If you lose access to the compression database, you also lose access to those compressed values. But not to your password.**
### Type mark
OffPass will first look if the scanned QR-Code is actually an OffPass QR-Code. This is done by checking the first three charcters:
```
op:jA0ECQMC+t514sews8e70jsBw4SWsYYgPGzi5Ps0OGr8/tVGngopmHDQpSpMkNtkWZU573zNsFyk VVN3elnAY0D+EIIzTpKxq0F3fQ==
```
This `op:` tells the program that this is actully a OffPass QR-Code. If this is not present, OffPass will abort further steps and notify the user that this is not an OffPass QR-Code.