Internet password database
Javascript encryption for privacy and security in cloud computing
http://passwordcrypt.org

Why do we need this product
• A total mess with all the needed passwords in the world today
• We use the same password for many things - not secure
• Desktop solutions are limited: bound to a specific computer, or we have to carry something around with the risk of dropping it somewhere
• OpenID is too complicated, not widely used and in some ways not really private
• OpenID is not the solution for all needs (online bank passwords for instance)
• Import/export is needed for a complete online password system
• Really secure, open, easy and private system as a flexible solution the users can trust

Why did I develop it
• Needed the system myself
• Interest in encryption (Blowfish, elliptic curve implementations)
• Learn more about internet security, HTML, CSS and Javascript
• Something to do in my spare time (not directly company related as I mostly handle administration and sales now)
• Promote security and privacy

Considerations during development
• Client encryption (trust in the system)
• Why e-mail address is needed for an account
• Verification of user
• Send information
• Avoid criminal use (send the signal)
• Ease of use
• Portability between browsers
• Smartphones
• Import/export with Javascript

Technical description - 1
• As much as possible is based on client-side Javascript for easy implementation and portability.
• Very limited logic on the server side.
• JSON RPC is used as the protocol between client and server.
• The user name is encrypted with the password by AES to a 256-bit user identifier.
• When an account is created, the server side generates a random salt value and stores it in the user table.
• Login creates a random session identifier on the server side that the client can request when needed. The session identifier is not stored on the client side. It is also used to validate whether a user is logged in.
• The session identifier is used on the client side to encrypt the password, which is then stored in the window/tab (sessionStorage or top.name).

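Technical description - 2
Every time data has to be encrypted or decrypted, the system asks the server for the session identifier based on the user identifier, decrypts the stored password, mixes the password with the salt, and then decrypts or encrypts the text.

    // sessioncrypt: the stored password value (encrypted with the session identifier)
    // saltcrypt: the salt value created on the server for the account
    function encryptstring(sessioncrypt, saltcrypt, text) {
        // getcryptkey is not shown on the slide; it returns false when no key can be recovered
        var cryptkey = getcryptkey(sessioncrypt);
        if (cryptkey === false) return false;
        // Mix the recovered password with the salt
        cryptkey = Sha256.hash(cryptkey + saltcrypt);
        // AES in counter mode with a 256-bit key
        return Aes.Ctr.encrypt(text, cryptkey, 256);
    }
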
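The key handling described on the two technical slides above, as an added example that is not part of the original presentation or the passwordcrypt.org code. Node's built-in crypto module stands in for the Aes and Sha256 libraries; makeServer, makeClient, the opaque userId, and hashing the session identifier into a wrapping key are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto'); // stand-in for the slides' Aes/Sha256 libraries (assumption)

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s, 'utf8').digest();

// AES-256-CTR; a fresh random 16-byte counter block is prepended to the ciphertext.
function ctrEncrypt(text, key) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv('aes-256-ctr', key, iv);
  return Buffer.concat([iv, c.update(text, 'utf8'), c.final()]).toString('base64');
}
function ctrDecrypt(b64, key) {
  const raw = Buffer.from(b64, 'base64');
  const d = nodeCrypto.createDecipheriv('aes-256-ctr', key, raw.subarray(0, 16));
  return Buffer.concat([d.update(raw.subarray(16)), d.final()]).toString('utf8');
}

// Hypothetical server: stores only the per-account salt and the per-login session identifier.
function makeServer() {
  const salts = new Map(), sessions = new Map();
  return {
    createAccount(userId) { salts.set(userId, nodeCrypto.randomBytes(16).toString('hex')); },
    login(userId) { sessions.set(userId, nodeCrypto.randomBytes(32).toString('hex')); },
    logout(userId) { sessions.delete(userId); },
    getSession(userId) { return sessions.has(userId) ? sessions.get(userId) : false; },
    getSalt(userId) { return salts.get(userId); },
  };
}

// Hypothetical client: the window/tab holds the password only in session-wrapped form.
function makeClient(server, userId, password) {
  server.login(userId);
  const tabStorage = { wrapped: ctrEncrypt(password, sha256(server.getSession(userId))) };
  // Rebuild the data key on every use: fetch the session identifier, unwrap the
  // password, then mix it with the salt, as in encryptstring() on the slide.
  function dataKey() {
    const session = server.getSession(userId);
    if (session === false) return false; // not logged in: nothing can be unwrapped
    const pw = ctrDecrypt(tabStorage.wrapped, sha256(session));
    return sha256(pw + server.getSalt(userId));
  }
  return {
    tabStorage,
    encrypt(text) { const k = dataKey(); return k === false ? false : ctrEncrypt(text, k); },
    decrypt(b64) { const k = dataKey(); return k === false ? false : ctrDecrypt(b64, k); },
  };
}
```

Once the server drops the session identifier, the value left in the tab can no longer be unwrapped, so the stored entries stay encrypted even if the tab storage is read later.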
Security
• AES and SHA256 algorithm standards
• Brute force attacks - special table with log of all error logins (force delay)
• SQL injections - escape all quote strings
• Cross-site scripting - all user input is tested for special tags
• Other (DDoS)
• Implementation mistakes are the highest risk, as always

Why GPL
• Trust in the system
• Find a possible weakness rapidly
• Why back-end is not under GPL
• Mostly GUI and database
• Would like to end up with a Javascript API library

Future
• GPS enabled smartphones - find the correct password based on location
• SQL storage - when supported by more browsers
• Automatic login - gateway
• OpenID integration
• OpenID replacement - make a special Javascript library to create and test login
• Documentation
• Cloud computing - security and privacy - Open Source advantage

Support from
• Chris Veness for AES, SHA256 library and some changes needed
• Douglas Crockford for json2 library
• Steven Levithan for Date Format library
• Peter Johnson for CSV library
• John Resig and others for jquery library and plugins
• Phpjs.org for various functions
• IN2FOCUS for design