Passev Development delayed - New release date

by MacK 6/28/2008 1:43:00 PM

As with every good development :) Passev is delayed. The cryptographic part is taking me more time than expected, as I want to be sure I'm not leaving any security hole. Because of this, the Passev launch is going to be delayed by about two weeks, so the new release date will be July 15. Sorry for the inconvenience!


More on PassEv security: local security algorithm

by MacK 6/8/2008 12:44:00 PM

Last week I told you about how PassEv will ensure confidentiality by using a shared session key. Today I'm going to talk about how the program will encrypt the local file containing our passwords, or the PassStore, as I'll call it from now on.

A suitable algorithm to encrypt the data should combine several features: it has to be impossible to crack in a reasonable time, and it has to be quick enough that the user doesn't have to wait 15 minutes until the encryption is done. After studying "modern" algorithms, I have decided to use AES, which is a small, fast, hard-to-crack encryption standard that is suitable for a wide range of devices and applications. It has been judged the best compromise between security, performance, efficiency, ease of implementation and flexibility.

128-bit AES offers a total of 3.4 x 10^38 individual keys. It is estimated that if an AES key generator were able to discover 1 AES key per second, it would take 149 thousand-billion (149 trillion) years to crack a single 128-bit AES key. Currently, the technology is not available.

Passev is planned to be released on the 1st of July. Stay tuned if you want to beta test it!


Ensuring confidentiality. How does PassEv work and security scheme

by MacK 5/31/2008 1:12:00 PM

This week I have been thinking about how PassEv, the password sync utility I'm working on, should work to ensure the confidentiality of our data, where our data means the user / password combinations for the sites we usually work with. The local security (encrypting local data) is easily done by using a symmetric key algorithm. PassEv will use the master password (the only password you will have to remember once you start using the program) to encrypt the password store (or PassStore) using a symmetric key algorithm. But once we have the data encrypted, we want it to be synced across all our computers. That is what PassEv is intended to do.

That means that the local copy of PassEv will have to send the encrypted PassStore to the PassEv.com server, and that other computers using PassEv will have to be able to retrieve the PassStore. I, as a user, should be able to get my PassStore and only my PassStore (not anyone else's). So we will need a user (the master user) to create an account on the PassEv.com server, so that the different PassStores are linked to their owners. To retrieve the correct PassStore from the PassEv.com server, PassEv will have to send the master user / password combination. And here is where PassEv has to ensure confidentiality again. It cannot send the master user / password combination in clear text over the net without encrypting it, or anyone "listening" on our line will be able to decrypt our PassStore and obtain our saved passwords.

To encrypt, the PassEv program and the PassEv.com server must negotiate a password and encrypt all their communications using it. To achieve this, I'll use a "shared session key" approach. The PassEv program will generate a random password each time it starts a session with the PassEv.com server. All the communications for that session will be encrypted using that key. To be able to transmit the session password to the PassEv.com server without compromising it, the program will encrypt it using a public key algorithm. That is, the PassEv.com server will generate a private / public key pair and the PassEv program will encrypt the "shared session key" negotiation with the public key. Only the PassEv.com server can decrypt that, using its private key. Once this is done, we will have a secure way to send the PassStores over the http connection. When the session ends, the shared session key is forgotten and a new one will be used in a further session, increasing security.
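The two layers described in these posts (AES on the local PassStore keyed from the master password, and a random per-session key wrapped with the server's public key) are sketched below as an added example; it is not PassEv's code. PBKDF2, AES-256-GCM, RSA-OAEP, the blob layouts and every function name are assumptions, since the posts name only AES, a symmetric algorithm and a public key algorithm.

```javascript
const crypto = require("node:crypto");
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// AES-256-GCM with a fresh nonce per call; output is nonce || tag || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Throws if the key is wrong or any byte of the blob was modified.
function unseal(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Local layer: master password -> PBKDF2 -> AES key (KDF parameters are assumed).
function storeKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, 200000, 32, "sha256");
}

// Transport layer, client: random per-session key, wrapped for the server.
function clientStartSession(serverPublicKey) {
  const sessionKey = crypto.randomBytes(32);
  const wrappedKey = crypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrappedKey }; // only wrappedKey goes on the wire
}

// Transport layer, server: only the private key can recover the session key.
function serverAcceptSession(serverPrivateKey, wrappedKey) {
  return crypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, wrappedKey);
}

// One sync with both sides in one process; all values are constructed samples.
function demoSync() {
  const server = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const salt = crypto.randomBytes(16);
  const passStore = seal(storeKey("constructed master pw", salt), Buffer.from("example.org alice s3cret"));
  const { sessionKey, wrappedKey } = clientStartSession(server.publicKey);
  const onWire = seal(sessionKey, passStore); // client -> server
  const serverKey = serverAcceptSession(server.privateKey, wrappedKey);
  const received = unseal(serverKey, onWire); // still the encrypted PassStore
  return { salt, passStore, wrappedKey, onWire, sessionKey, serverKey, received };
}

console.log("wrapped key bytes:", demoSync().wrappedKey.length);
```

The wrapped session key is only as trustworthy as the public key it was encrypted to, so the client should ship with (or pin) the server's public key rather than fetch it over the same unauthenticated http connection.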

I have written a description of the PassEv security scheme here.

Questions? Doubts? Ideas? Suggestions? Just leave a comment!

NOTE: PassEv is intended to be released on July the 1st

About the author

Name of author MacK
Passwords are everywhere around the web. You need one almost for each site you visit. Tired of forgetting my web passwords, I decided to create this utility, which synchronizes passwords in different computers using Internet Explorer. I hope you find it useful.
