Add Schema and Encryption

2020-06-23 14:03:44 +02:00
parent 0a244fc04b
commit 26fded0c41
4 changed files with 140 additions and 2 deletions


@@ -1,3 +1,61 @@
# offpass-tech # Developer notes
**Programming language:** TypeScript
This repository contains plans and technical resources on how Offpass works. **Framework:** Electron (latest)
## Encryption
OffPass uses **AES-256 CBC** as encrpytion.
### Passphrase
The passphrase is the actual key which is used for encrpytion. But we don't use your entered master password directly. We hash it with `Argon2i` about 25 times. This gives use an output like this: `29dbf5392f13f36d7e9509b1a5c9add0d6a8e2625b5e84ab4d1df8da6063625d`.
This value will be used as passphrase, not your plain password. The creation of this hash takes about **more then one second**.
Attackers are using password dictionaries with more then one million passwords. Creating such a hash for each password in there would take **millions of years**.
## QR-Code schema
### Plain
```
op1:hoprfoqtejndeccf:YhSRA+nTiZxNfxUIhiJBSsPLTkACMRkbPbLtVbtUnGh3AKJkvQfXWitSUWNq83YjSuKqK64SbB+DygCPxkx6sJ9U0FsO3Waqb3tYn0JRQdEak9INiWx06WQeLsTQcoG2pibOhOZlyiHtZmBj+Ul//lIdYRnmdRgsxYlcYOthiIY=
```
An OffPass QR-Code must follow this data schema or else OffPass wouldn't be able to read it. **The following examples are data after decryption.**
```
name|username|password|email|website_url|(custom1)data1|(custom2)data2
```
Als Beispiel:
```
Main Steam Account|mondei1|super_secret_example123|info@example.de|https://store.steampowered.com/login/|(2fa_backup)R1337
ProtonMail||mail_pw123|klier.nicolas@protonmail.com||
```
These characters are reserved and cannot be used for any fields: `|%§`
### Compression
It is possible to compress QR-Codes. Instead of writing all data to the QR-Code you can write random strings (= key) to it. OffPass itself holds a database of those random strings and the corresponding encrypted value.
The program generates a `session key` (length of 10 characters) which is unique for each QR-Code. This session key is stored on the QR-Code and is used to encrypt the raw values in database. So not even If someone stells your database he wouldn't be able to read your compressed strings.
The compression key is stored like that: `§key`, the decryption key is stored like that: `%decryption_key%` always at the beginning.
For example:
```
%session_key%§xa|mondei1|passwords_not2134|email_too@example.com|§q|(§a)§gh|(uncompressed)value
-> Google|mondei1|passwords_not2134|email_either@example.com|https://accounts.google.com|(2fa_backup)245131,...|(uncompressed)value
```
This can has two advantages:
* An attacker can't read compressed values If he is able to decrypt one QR-Code (he would need the database)
* You can get more data on one QR-Code
But one disadvantage:
* **If you lose access to the compression database, you also lose access to those compressed values. But not to your password.**
### Type mark
OffPass will first look if the scanned QR-Code is actually an OffPass QR-Code. This is done by checking the first three charcters:
```
op1:jA0ECQMC+t514sews8e70jsBw4SWsYYgPGzi5Ps0OGr8/tVGngopmHDQpSpMkNtkWZU573zNsFykVVN3elnAY0D+EIIzTpKxq0F3fQ==
```
This `op1:` tells the program that this is actully a OffPass QR-Code and which version. If this is not present, OffPass will abort further steps and notify the user that this is not an OffPass QR-Code.
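Review bot: The Passphrase section's claim that hashing a dictionary of "more then one million passwords" would take "millions of years" does not follow from the stated cost: at roughly one second per hash, one million candidates is under twelve days on a single core, and less with parallel hardware. Suggest replacing "about 25 times" with the actual Argon2 parameters (memory, iterations, parallelism) and either dropping the time estimate or deriving it from those parameters. The Plain example in this file also shows only one field between `op1:` and the ciphertext, so the README should say whether a salt is used for the key derivation and where it is stored.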

78
Schema and Encryption.md Normal file

@@ -0,0 +1,78 @@
# Schema and Encryption
This document explains how the schema on the QR-Code is built and how it's encrypted.
## Encryption
OffPass uses **AES-256 CBC** as encrpytion. The key is calculated by the **Argon2id** hash algorithm.
### Passphrase
The passphrase is the actual key which is used for encrpytion. But we don't use your entered master password directly.
We hash it with `Argon2i` about 25 times. This gives use an output like this: `29dbf5392f13f36d7e9509b1a5c9add0d6a8e2625b5e84ab4d1df8da6063625d`.
This value will be used as encryption key, not your plain password.
The creation of such a hash takes about **more then one second**.
Attackers are using password dictionaries with millions of passwords.
Creating such a hash for each password in there would take **forever**.
## QR-Code schema
### Plain
```txt
Type_Indicator:IV:Salt:Encrypted_Content
Example:
op1:jI49Az0M1337leet:uZNqq901:YhSRA+nTiZxNfxUIhiJBSsPLTkACMRkbPbLtVbtUnGh3AKJkvQfXWitSUWNq83YjSuKqK64SbB+DygCPxkx6sJ9U0FsO3Waqb3tYn0JRQdEak9INiWx06WQeLsTQcoG2pibOhOZlyiHtZmBj+Ul//lIdYRnmdRgsxYlcYOthiIY=
```
An OffPass QR-Code must follow this data schema or else OffPass wouldn't be able to read it.
**The following examples shows data after decryption.**
```txt
title|username|password|email|website_url|(custom1)data1|(custom2)data2
```
Two examples:
```txt
Main Steam Account|mondei1|super_secret_example123|info@example.de|https://store.steampowered.com/login/|(2fa_backup)R1337
ProtonMail||mail_pw123|klier.nicolas@protonmail.com||
```
### Compression
It is possible to compress QR-Codes. Instead of writing all data to the QR-Code you can write random strings (=key) to it.
OffPass itself holds a database of those random strings and the corresponding encrypted value.
The program generates a `session key` (fixed length of 10 characters) which is unique for each QR-Code.
This session key is stored on inside the encrypted data field and is used to decrypt the raw values in database.
**Not even If someone stells your database he wouldn't be able to read your compressed strings.**
The compression key is stored like that: `§key`, the decryption key is stored like that: `%decryption_key%` always at the beginning.
Please keep in mind that OffPass prevents you from compressing your title, password and username in case you lose
access to your compression database.
Eexample:
```txt
%session_key%§xa|mondei1|passwords_not2134|email_too@example.com|§q|(§a)§gh|(uncompressed)value
-> %uI5Np98jAz%Google|mondei1|passwords_not2134|email_either@example.com|https://accounts.google.com|(2fa_backup)245131,...|(uncompressed)value
```
This can has two advantages:
* An attacker can't read compressed values If he is able to decrypt a QR-Code (he would need the database)
* You can get more data on one QR-Code
But one disadvantage:
* **If you lose access to the compression database, you also lose access to those compressed values. But not to your password.**
### Reserved characters
These characters are reserved and cannot be used in any fields: `|%§`
### Type indicator
OffPass will first look if the scanned QR-Code is actually an OffPass QR-Code. This is done by checking the first three charcters:
```txt
op1:...
```
This `op1:` tells the program that this is actully a OffPass QR-Code and which version. If this is not present, OffPass will abort further steps and notify the user that this is not an OffPass QR-Code.
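Review bot: The Encryption section names two different functions: the intro says the key is calculated by **Argon2id**, while the Passphrase paragraph says the password is hashed with `Argon2i`; pick one and state its parameters. The schema `Type_Indicator:IV:Salt:Encrypted_Content` has no field for an authentication tag, and AES-256 CBC on its own does not detect a modified ciphertext, so consider adding a MAC field (encrypt-then-MAC) or switching to an AEAD mode and documenting it here. Two smaller inconsistencies: the Compression text says title, username and password cannot be compressed, yet the example compresses the title (`§xa` expands to `Google`) and its email changes between the two lines (`email_too@` vs `email_either@`); and the Type indicator section says "first three charcters" while `op1:` is four.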

1
encrypted_example.txt Normal file

@@ -0,0 +1 @@
Gitea|Nicolas|542superGoOD_pW&|klier.nicolas@protonmail.com|https://nicolasklier.de:3000|(Q1)What's your favorite series|(A1)Rick and morty|(2fa)otpauth://totp/OffPass%20Test?secret=d34gfkki5dkd5knifysrpgndd5xb2c7eddwki7ya4pvoisfa5c3ko5pv&issuer=Nicolas%20Klier
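Review bot: This sample record commits what reads as a personal email address, a host URL, a password and a TOTP secret in the `otpauth://` field; replace them with obviously fake values (for instance an `example.com` address and a placeholder secret), and rotate anything here that was ever in real use. The record also breaks the documented schema: `%` is listed as a reserved character, but the `otpauth://` URL contains `%20` twice, so either the field needs an escaping rule or the example should avoid it. The file name `encrypted_example.txt` is misleading for a plaintext record; something like a plain/decrypted name would match its contents.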


@@ -0,0 +1 @@
Salted__CX<06>1<<3C>E<EFBFBD>Q}@<17><>'<27><05>n<EFBFBD>mMGmv<6D><76><EFBFBD>T<EFBFBD>0<1B><>j<EFBFBD><6A><EFBFBD><EFBFBD>TK<54>z\F<><13> R<0E>_<EFBFBD>3I<>J<EFBFBD>w<0E><13><>w<EFBFBD>.R<><52><17><><EFBFBD>3R.<2E><>Z<EFBFBD>W0\<5C>Di6Vb<56><62><EFBFBD>j/<1F>W<EFBFBD><57><EFBFBD>:<3A>6<EFBFBD><36>m
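Review bot: The added file begins with `Salted__`, the header written by `openssl enc`, rather than the `op1:IV:Salt:Encrypted_Content` text format described in Schema and Encryption.md, so it does not serve as an example of an OffPass payload. `openssl enc` also derives its key with its own KDF, not Argon2, which contradicts the documented key derivation. Suggest committing the example in the documented base64 text form, produced with the documented parameters, and noting in the docs how it was generated so it can be reproduced.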