OffPass/offpass-tech
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Files
6099c81b9deb0b68083e3b1373f2b2f4adfbf02a
offpass-tech/README.md
Mondei1 26fded0c41 Add Schema and Encryption
2020-06-23 14:03:44 +02:00

61 lines
3.1 KiB
Markdown
Raw Blame History

# Developer notes
**Programming language:** TypeScript
**Framework:** Electron (latest)
## Encryption
OffPass uses **AES-256 CBC** as encrpytion.
### Passphrase
The passphrase is the actual key which is used for encrpytion. But we don't use your entered master password directly. We hash it with `Argon2i` about 25 times. This gives use an output like this: `29dbf5392f13f36d7e9509b1a5c9add0d6a8e2625b5e84ab4d1df8da6063625d`.
This value will be used as passphrase, not your plain password. The creation of this hash takes about **more then one second**.
Attackers are using password dictionaries with more then one million passwords. Creating such a hash for each password in there would take **millions of years**.
## QR-Code schema
### Plain
```
op1:hoprfoqtejndeccf:YhSRA+nTiZxNfxUIhiJBSsPLTkACMRkbPbLtVbtUnGh3AKJkvQfXWitSUWNq83YjSuKqK64SbB+DygCPxkx6sJ9U0FsO3Waqb3tYn0JRQdEak9INiWx06WQeLsTQcoG2pibOhOZlyiHtZmBj+Ul//lIdYRnmdRgsxYlcYOthiIY=
```
An OffPass QR-Code must follow this data schema or else OffPass wouldn't be able to read it. **The following examples are data after decryption.**
```
name|username|password|email|website_url|(custom1)data1|(custom2)data2
```
Als Beispiel:
```
Main Steam Account|mondei1|super_secret_example123|info@example.de|https://store.steampowered.com/login/|(2fa_backup)R1337
ProtonMail||mail_pw123|klier.nicolas@protonmail.com||
```
These characters are reserved and cannot be used for any fields: `|%§`
### Compression
It is possible to compress QR-Codes. Instead of writing all data to the QR-Code you can write random strings (= key) to it. OffPass itself holds a database of those random strings and the corresponding encrypted value.
The program generates a `session key` (length of 10 characters) which is unique for each QR-Code. This session key is stored on the QR-Code and is used to encrypt the raw values in database. So not even If someone stells your database he wouldn't be able to read your compressed strings.
The compression key is stored like that: `§key`, the decryption key is stored like that: `%decryption_key%` always at the beginning.
For example:
```
%session_key%§xa|mondei1|passwords_not2134|email_too@example.com|§q|(§a)§gh|(uncompressed)value
-> Google|mondei1|passwords_not2134|email_either@example.com|https://accounts.google.com|(2fa_backup)245131,...|(uncompressed)value
```
This can has two advantages:
* An attacker can't read compressed values If he is able to decrypt one QR-Code (he would need the database)
* You can get more data on one QR-Code
But one disadvantage:
* **If you lose access to the compression database, you also lose access to those compressed values. But not to your password.**
### Type mark
OffPass will first look if the scanned QR-Code is actually an OffPass QR-Code. This is done by checking the first three charcters:
```
op1:jA0ECQMC+t514sews8e70jsBw4SWsYYgPGzi5Ps0OGr8/tVGngopmHDQpSpMkNtkWZU573zNsFykVVN3elnAY0D+EIIzTpKxq0F3fQ==
```
This `op1:` tells the program that this is actully a OffPass QR-Code and which version. If this is not present, OffPass will abort further steps and notify the user that this is not an OffPass QR-Code.
Reference in New Issue View Git Blame Copy Permalink