Ensuring confidentiality: how PassEv works and its security scheme

by MacK 5/31/2008 1:12:00 PM

This week I have been thinking about how PassEv, the passwords sync utility I'm working on, should work to ensure the confidentiality of our data, where our data means our user / password combinations for the sites we usually work with. The local security (encrypting local data) is easily done by using a symmetric key algorithm. PassEv will use the master password (the only password you will have to remember once you start using the program) to encrypt the passwords store (or PassStore) using a symmetric key algorithm. But once we have the data encrypted, we want it to be synced across all our computers. That is what PassEv is intended to do.

That means that the local copy of PassEv will have to send the encrypted PassStore to the PassEv.com server, and that other computers using PassEv will have to be able to retrieve the PassStore. I, as a user, should be able to get my PassStore and only my PassStore (not any other one). So we will need a user (the master user) to create an account on the PassEv.com server, so the different PassStores are linked to their owners. To retrieve the correct PassStore from the PassEv.com server, PassEv will have to send the master user / password combination. And here is where PassEv has to ensure confidentiality again. It cannot send the master user / password combination in clear text over the net without encrypting it, or anyone "listening" on our line will be able to decrypt our PassStore and obtain our saved passwords.

To encrypt, the PassEv program and the PassEv.com server must negotiate a password and encrypt all their communications using it. To achieve this, I'll use a "shared session key" approach. The PassEv program will generate a random password each time it starts a session with the PassEv.com server. All the communications for that session will be encrypted using that key. To be able to transmit the session password to the PassEv.com server without compromising it, the program will encrypt it by using a public key algorithm. That is, the PassEv.com server will generate a private / public key pair and the PassEv program will encrypt the "shared session key" negotiation with the public key. Only the PassEv.com server can decrypt that using its private key. Once this is done, we will have a secure way to send the PassStores over the HTTP connection. When the session ends, the shared session key is forgotten and a new one will be used in a further session, increasing security.
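The session-key exchange described above, sketched in Node.js as an added example (this is not PassEv's code). The post names no algorithms, so RSA-OAEP, AES-256-GCM, the wire layout and all function names are assumptions, as is the client holding a trusted copy of the server's public key.

```javascript
const nodeCrypto = require('node:crypto');

// RSA-OAEP parameters used by both sides to wrap/unwrap the session key.
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client: fresh random 256-bit session key, wrapped for the server.
// Assumption: serverPublicKey is a trusted (pinned) copy shipped with the
// client; the post does not say how the public key is distributed.
function clientStartSession(serverPublicKey) {
  const sessionKey = nodeCrypto.randomBytes(32);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrappedKey };
}

// Server: only the private-key holder can recover the session key.
function serverAcceptSession(serverPrivateKey, wrappedKey) {
  return nodeCrypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, wrappedKey);
}

// Either side: AES-256-GCM with a fresh 96-bit nonce per message.
// Wire layout (hypothetical): nonce(12) || tag(16) || ciphertext.
function seal(sessionKey, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Throws if the message was modified in transit or the key is wrong.
function unseal(sessionKey, message) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, message.subarray(0, 12));
  d.setAuthTag(message.subarray(12, 28));
  return Buffer.concat([d.update(message.subarray(28)), d.final()]);
}

// Constructed demo: one session, one message, one tampered copy of it.
function demo() {
  const server = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const client = clientStartSession(server.publicKey);
  const serverKey = serverAcceptSession(server.privateKey, client.wrappedKey);
  const wire = seal(client.sessionKey, Buffer.from('PassStore blob (constructed sample)'));
  const received = unseal(serverKey, wire).toString();
  wire[wire.length - 1] ^= 1; // one flipped bit, as a modification in transit would cause
  let tamperDetected = false;
  try { unseal(serverKey, wire); } catch { tamperDetected = true; }
  return { keysMatch: serverKey.equals(client.sessionKey), received, tamperDetected };
}

console.log(demo());
```

Wrapping the session key under a static RSA key gives no forward secrecy: recorded traffic can be decrypted later by anyone who obtains the server's private key, even though each session key is discarded when the session ends.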

I have written a description of the PassEv security scheme here.

Questions? Doubts? Ideas? Suggestions? Just leave a comment!

NOTE: PassEv is intended to be released on July the 1st


Introducing PassEv, the free passwords sync utility for Internet Explorer

by MacK 5/25/2008 7:20:00 AM

As a heavy Internet user, I have personal accounts on dozens of sites. For security reasons, I don't like to use the same password for them all, so I also have dozens of different passwords. As I also want to avoid using a common way of creating the passwords (so anyone knowing one of my passwords could find out the rest of them), this has led me to a cloud of passwords in my head. Often I am not able to remember the password for a particular site. I try and try and end up clicking the "Forgotten password" link... when it exists, because sometimes it doesn't and I have to create a new account. A pain.

I have the "remember passwords" feature enabled in Internet Explorer, but this only helps half of the time. If I use my laptop, or worse, the office's laptop, I'm lost. The passwords are only stored on my desktop computer. I don't want them on the office's laptop, as sometimes it's used by other people, but I need the passwords on all my computers, being sure that they are secured and that no one can get them but me.

This is why I have decided to start the PassEv project. PassEv stands for Passwords Everywhere and it's a small utility which will store my passwords securely and synchronize them across all my computers. You can get a better description of the project in the PassEv description page. Currently the PassEv Sync utility is planned to be released in July. Do you think it could be useful for you? Stay tuned and keep an eye on this page.

Thank you for reading, and remember you can leave any questions as comments below!

