OffPass/offpass-tech
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add Schema and Encryption

Browse Source
This commit is contained in:
Nicolas Klier
2020-06-23 14:03:44 +02:00
parent 0a244fc04b
commit 26fded0c41
4 changed files with 140 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
Schema and Encryption.md Normal file
View File

@@ -0,0 +1,78 @@
# Schema and Encryption
This document explains how the schema on the QR-Code is built and how it's encrypted.
## Encryption
OffPass uses **AES-256 CBC** as encrpytion. The key is calculated by the **Argon2id** hash algorithm.
### Passphrase
The passphrase is the actual key which is used for encrpytion. But we don't use your entered master password directly.
We hash it with `Argon2i` about 25 times. This gives use an output like this: `29dbf5392f13f36d7e9509b1a5c9add0d6a8e2625b5e84ab4d1df8da6063625d`.
This value will be used as encryption key, not your plain password.
The creation of such a hash takes about **more then one second**.
Attackers are using password dictionaries with millions of passwords.
Creating such a hash for each password in there would take **forever**.
## QR-Code schema
### Plain
```txt
Type_Indicator:IV:Salt:Encrypted_Content
Example:
op1:jI49Az0M1337leet:uZNqq901:YhSRA+nTiZxNfxUIhiJBSsPLTkACMRkbPbLtVbtUnGh3AKJkvQfXWitSUWNq83YjSuKqK64SbB+DygCPxkx6sJ9U0FsO3Waqb3tYn0JRQdEak9INiWx06WQeLsTQcoG2pibOhOZlyiHtZmBj+Ul//lIdYRnmdRgsxYlcYOthiIY=
```
An OffPass QR-Code must follow this data schema or else OffPass wouldn't be able to read it.
**The following examples shows data after decryption.**
```txt
title|username|password|email|website_url|(custom1)data1|(custom2)data2
```
Two examples:
```txt
Main Steam Account|mondei1|super_secret_example123|info@example.de|https://store.steampowered.com/login/|(2fa_backup)R1337
ProtonMail||mail_pw123|klier.nicolas@protonmail.com||
```
### Compression
It is possible to compress QR-Codes. Instead of writing all data to the QR-Code you can write random strings (=key) to it.
OffPass itself holds a database of those random strings and the corresponding encrypted value.
The program generates a `session key` (fixed length of 10 characters) which is unique for each QR-Code.
This session key is stored on inside the encrypted data field and is used to decrypt the raw values in database.
**Not even If someone stells your database he wouldn't be able to read your compressed strings.**
The compression key is stored like that: `§key`, the decryption key is stored like that: `%decryption_key%` always at the beginning.
Please keep in mind that OffPass prevents you from compressing your title, password and username in case you lose
access to your compression database.
Eexample:
```txt
%session_key%§xa|mondei1|passwords_not2134|email_too@example.com|§q|(§a)§gh|(uncompressed)value
-> %uI5Np98jAz%Google|mondei1|passwords_not2134|email_either@example.com|https://accounts.google.com|(2fa_backup)245131,...|(uncompressed)value
```
This can has two advantages:
* An attacker can't read compressed values If he is able to decrypt a QR-Code (he would need the database)
* You can get more data on one QR-Code
But one disadvantage:
* **If you lose access to the compression database, you also lose access to those compressed values. But not to your password.**
### Reserved characters
These characters are reserved and cannot be used in any fields: `|%§`
### Type indicator
OffPass will first look if the scanned QR-Code is actually an OffPass QR-Code. This is done by checking the first three charcters:
```txt
op1:...
```
This `op1:` tells the program that this is actully a OffPass QR-Code and which version. If this is not present, OffPass will abort further steps and notify the user that this is not an OffPass QR-Code.