2020-06-23 14:03:44 +02:00
2020-06-23 12:43:43 +02:00

Developer notes

Programming language: TypeScript

Framework: Electron (latest)

Encryption

OffPass uses AES-256 in CBC mode for encryption.

Passphrase

The passphrase is the actual key used for encryption. But we don't use your entered master password directly. We hash it with Argon2i about 25 times. This gives us an output like this: 29dbf5392f13f36d7e9509b1a5c9add0d6a8e2625b5e84ab4d1df8da6063625d.

This value is used as the passphrase, not your plain password. Creating this hash takes more than one second.

Attackers use password dictionaries with more than one million passwords. Creating such a hash for each password in there would take millions of years.

QR-Code schema

Plain

op1:hoprfoqtejndeccf:YhSRA+nTiZxNfxUIhiJBSsPLTkACMRkbPbLtVbtUnGh3AKJkvQfXWitSUWNq83YjSuKqK64SbB+DygCPxkx6sJ9U0FsO3Waqb3tYn0JRQdEak9INiWx06WQeLsTQcoG2pibOhOZlyiHtZmBj+Ul//lIdYRnmdRgsxYlcYOthiIY=

An OffPass QR-Code must follow this data schema, otherwise OffPass won't be able to read it. The following examples show the data after decryption.

name|username|password|email|website_url|(custom1)data1|(custom2)data2

For example:

Main Steam Account|mondei1|super_secret_example123|info@example.de|https://store.steampowered.com/login/|(2fa_backup)R1337

ProtonMail||mail_pw123|klier.nicolas@protonmail.com||

These characters are reserved and cannot be used for any fields: |%§

Compression

It is possible to compress QR-Codes. Instead of writing all data to the QR-Code you can write random strings (= key) to it. OffPass itself holds a database of those random strings and the corresponding encrypted value.

The program generates a session key (length of 10 characters) which is unique for each QR-Code. This session key is stored on the QR-Code and is used to encrypt the raw values in the database. So even if someone steals your database, they wouldn't be able to read your compressed strings.

The compression key is stored as §key. The decryption key is stored as %decryption_key%, always at the beginning.

For example:

%session_key%§xa|mondei1|passwords_not2134|email_too@example.com|§q|(§a)§gh|(uncompressed)value

-> Google|mondei1|passwords_not2134|email_either@example.com|https://accounts.google.com|(2fa_backup)245131,...|(uncompressed)value

This has two advantages:

  • An attacker can't read compressed values if he is able to decrypt one QR-Code (he would need the database)
  • You can get more data on one QR-Code

But one disadvantage:

  • If you lose access to the compression database, you also lose access to those compressed values. But not to your password.

Type mark

OffPass first checks whether the scanned QR-Code is actually an OffPass QR-Code. This is done by checking the first three characters:

op1:jA0ECQMC+t514sews8e70jsBw4SWsYYgPGzi5Ps0OGr8/tVGngopmHDQpSpMkNtkWZU573zNsFykVVN3elnAY0D+EIIzTpKxq0F3fQ==

This op1: tells the program that this is actually an OffPass QR-Code, and which version. If it is not present, OffPass aborts further steps and notifies the user that this is not an OffPass QR-Code.
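
The type mark check and the decrypted schema (including the compression markers) can be combined into a small validating parser. This is an added example, not OffPass's own code: the names readTypeMark, toValue, parseRecord, Value and OffPassRecord are hypothetical, and accepting version digits other than 1 is an assumption.

```typescript
// Added example. Markers and field order come from the schema above;
// every type and function name here is hypothetical, not OffPass's own.
type Value = { kind: "plain"; text: string } | { kind: "ref"; key: string };
interface OffPassRecord {
  sessionKey: string | null; // from the leading %...% block, if present
  fields: Value[];           // name, username, password, email, website_url
  custom: { label: Value; data: Value }[];
}

// Type mark check on the raw QR string: "op1:" -> 1, anything else -> null.
// Accepting other version digits is an assumption; the page only shows op1.
function readTypeMark(raw: string): number | null {
  const m = /^op(\d+):/.exec(raw);
  return m ? Number(m[1]) : null;
}

// A field starting with § is a key into the compression database.
// % and § are reserved, so they may not occur anywhere else in a field.
function toValue(s: string): Value {
  const ref = s.charAt(0) === "§";
  const body = ref ? s.slice(1) : s;
  if (/[%§]/.test(body) || (ref && body === "")) {
    throw new Error("reserved character or empty key in field: " + s);
  }
  return ref ? { kind: "ref", key: body } : { kind: "plain", text: body };
}

// Parse a decrypted payload into the five fixed fields plus custom fields.
function parseRecord(plain: string): OffPassRecord {
  const head = /^%([^|%§]+)%/.exec(plain);
  const sessionKey = head ? (head[1] ?? null) : null;
  const parts = (head ? plain.slice(head[0].length) : plain).split("|");
  if (parts.length < 5) throw new Error("expected at least 5 fields");
  const fields = parts.slice(0, 5).map(toValue);
  const custom = parts.slice(5).filter((p) => p !== "").map((p) => {
    const m = /^\(([^()]*)\)(.*)$/.exec(p);
    if (!m) throw new Error("malformed custom field: " + p);
    return { label: toValue(m[1] ?? ""), data: toValue(m[2] ?? "") };
  });
  // Compressed values cannot be resolved without the per-code session key.
  const all = fields.concat(...custom.map((c) => [c.label, c.data]));
  if (sessionKey === null && all.some((v) => v.kind === "ref")) {
    throw new Error("compressed value present but no %session_key% prefix");
  }
  return { sessionKey, fields, custom };
}
```

Values of kind "ref" still have to be looked up in the compression database and decrypted with the session key; the parser only separates them from plain fields.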

Description
This repository contains plans and technical resources on how Offpass works.