
Schema and Encryption

This document explains how the data schema stored in the QR-Code is built and how it is encrypted.

Encryption

OffPass uses AES-256 CBC for encryption. The key is derived with the Argon2id hash algorithm.

Passphrase

The passphrase is the actual key used for encryption, but your entered master password is not used directly. We append a salt, a random sequence of characters, to your passphrase and then hash it with Argon2i about 25 times. This gives us an output like this: 29dbf5392f13f36d7e9509b1a5c9add0d6a8e2625b5e84ab4d1df8da6063625d.

This value, not your plain password, is used as the encryption key. Creating such a hash takes more than a second.

Attackers use password dictionaries with millions of passwords. Creating such a hash for every password in there would take forever.

QR-Code schema

Plain

Type_Indicator:IV:Salt:Encrypted_Content
Example:
op1:jI49Az0M1337leet:uZNqq901:YhSRA+nTiZxNfxUIhiJBSsPLTkACMRkbPbLtVbtUnGh3AKJkvQfXWitSUWNq83YjSuKqK64SbB+DygCPxkx6sJ9U0FsO3Waqb3tYn0JRQdEak9INiWx06WQeLsTQcoG2pibOhOZlyiHtZmBj+Ul//lIdYRnmdRgsxYlcYOthiIY=

An OffPass QR-Code must follow this data schema, otherwise OffPass would not be able to read it. The following examples show the data after decryption.

title|username|password|email|website_url|(custom1)data1|(custom2)data2

Two examples:

Main Steam Account|mondei1|super_secret_example123|info@example.de|https://store.steampowered.com/login/|(2fa_b)R1337|()Foo question%Bar awnser

ProtonMail||mail_pw123|klier.nicolas@protonmail.com||

Custom/Optional fields

You can either define your own custom fields or use optional fields, which OffPass treats differently. List of optional fields:

  • 2fa - Two-factor authentication secret, which starts with otpauth://totp/...
  • 2fa_b - Backup codes for two-factor authentication
  • email_b - Backup email address
  • ()QUESTION%ANSWER - Security question with its answer. The content inside the brackets has to be empty!

Compression

It is possible to compress QR-Codes. Instead of writing all data to the QR-Code, you can write random strings (= keys) to it. OffPass itself holds a database of those random strings and the corresponding encrypted values.

The program generates a session key (fixed length of 10 characters) which is unique for each QR-Code. This session key is stored inside the encrypted data field and is used to decrypt the raw values in the database. Even if someone steals your database, they would not be able to read your compressed strings.

A compression key is stored as §key; the decryption key is stored as %decryption_key%, always at the beginning.

Please keep in mind that OffPass prevents you from compressing your title, password and username, so that you keep them even if you lose access to your compression database.

Example:

%session_key%§xa|mondei1|passwords_not2134|email_too@example.com|§q|(§a)§gh|(uncompressed)value

-> %uI5Np98jAz%Google|mondei1|passwords_not2134|email_either@example.com|https://accounts.google.com|(2fa_backup)245131,...|(uncompressed)value

This has two advantages:

  • An attacker who is able to decrypt a QR-Code still can't read the compressed values (the database would be needed as well)
  • You can get more data on one QR-Code

But one disadvantage:

  • If you lose access to the compression database, you also lose access to those compressed values, but not to your password.

Reserved characters

These characters are reserved and cannot be used in any fields: |%§

Type indicator

OffPass first checks whether the scanned QR-Code is actually an OffPass QR-Code. This is done by checking the first three characters:

op1:...

This op1: tells the program that this is actually an OffPass QR-Code and which version it uses. If it is not present, OffPass aborts further steps and notifies the user that this is not an OffPass QR-Code.
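The parser below is an added example, not OffPass's own code: it implements the envelope split and type-indicator check, the title|username|... field layout with optional and custom fields, the §key / %session_key% compression markers and the reserved-character rule from the sections above. The 10-character session-key length and the rule that title, username and password are never compression keys come from the Compression section; the layout of the returned dictionary and the helper names are my own choices.

```python
import re

TYPE_INDICATOR = "op1"              # first characters of every OffPass QR-Code
STANDARD = ("title", "username", "password", "email", "website_url")
NEVER_COMPRESSED = ("title", "username", "password")   # rule from the Compression section
RESERVED = set("|%§")               # may not appear inside a field value

def parse_envelope(qr_text):
    """Split 'op1:IV:Salt:Encrypted_Content'; anything else is not an OffPass code."""
    if not qr_text.startswith(TYPE_INDICATOR + ":"):
        raise ValueError("not an OffPass QR-Code")
    parts = qr_text.split(":", 3)
    if len(parts) != 4 or "" in parts:
        raise ValueError("malformed envelope")
    return dict(zip(("version", "iv", "salt", "ciphertext"), parts))

def _value(raw):
    """Return (value, is_compressed). A leading '§' marks a compression key."""
    if raw.startswith("§"):
        return raw[1:], True
    if RESERVED & set(raw):
        raise ValueError("reserved character in field: %r" % raw)
    return raw, False

def parse_record(plain):
    """Parse a decrypted 'title|username|password|email|website_url|(name)value...' record."""
    m = re.match(r"%([^%|§]{10})%", plain)       # optional session key, fixed 10 characters
    rec = {"session_key": m.group(1) if m else None, "fields": {}, "compressed": set(), "questions": []}
    fields = plain[m.end() if m else 0:].split("|")
    if len(fields) < len(STANDARD):
        raise ValueError("expected at least %d fields" % len(STANDARD))
    for name, raw in zip(STANDARD, fields):
        rec["fields"][name], comp = _value(raw)
        if comp and name in NEVER_COMPRESSED:
            raise ValueError("%s may not be a compression key" % name)
        if comp:
            rec["compressed"].add(name)
    for raw in filter(None, fields[len(STANDARD):]):   # a trailing '|' leaves an empty slot
        m = re.match(r"\(([^)]*)\)(.*)", raw, re.DOTALL)
        if not m:
            raise ValueError("custom field must look like (name)value: %r" % raw)
        name, body = m.groups()
        if name == "":                            # ()QUESTION%ANSWER security question
            question, _, answer = body.partition("%")
            rec["questions"].append((question, answer))
            continue
        name, name_comp = _value(name)            # the field name itself may be a §key
        rec["fields"][name], body_comp = _value(body)
        if name_comp or body_comp:
            rec["compressed"].add(name)
    return rec
```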