PassEv security scheme

How does PassEv ensure confidentiality?

Or, in other words, how do I know that the passwords stored and sync'ed with PassEv can only be viewed by me and no one else? How secure is PassEv?

Well, let's start with a simple scheme showing how PassEv works:

Here we have the main items involved:

  • On the lower left, our main computer. It is one of the many computers we use daily, and we want the passwords stored on it to be available on the rest of our computers.
  • On the right, the rest of the computers we use: our laptop, the office's, etc.
  • In the center, the passev.com server. It will store the passwords and distribute and sync them across all our computers.

There are two main points where PassEv must ensure that the stored passwords remain confidential:

  1. Locally: when we fill in a form to log in to a site, PassEv will store the user-password combination in a local file which we will call the PassStore. The PassStore must be encrypted so that no one else with access to this file can read its contents. To achieve this, PassEv uses a symmetric-key algorithm to encrypt the stored passwords. The key used to encrypt the file is the only one you will ever need to remember again, the master password (there will be a master user also, so you can create an account on the PassEv.com server). Should you forget it, no one will be able to decrypt your PassStore anymore, so all the information written in it will be lost.
  2. Remotely: once a new user-password combination is stored in the local PassStore, the PassStore file must be sent to the PassEv.com remote server so it can be synchronized with the rest of the computers you want to use. For one of these computers to be able to download the PassStore to its local filesystem and get the passwords stored in it, the installed copy of PassEv must be configured with the same master user and password as the first one. As the master user and password must be sent over the Internet, they must be encrypted first so that no one "hearing" our communication can obtain them. To achieve a secure channel over the http communication, PassEv uses a "shared session key" approach. The PassEv.com server uses an asymmetric-key algorithm to create a private / public key pair. The private key is only known by the PassEv.com server. The public key is known by all the PassEv installations. The local PassEv copy will generate a random key, encrypt it using the PassEv.com server public key and send the resulting encrypted data to the server. The server will decrypt it with its private key, and from that moment all the communications of that session will be encrypted with the random key using a symmetric-key algorithm. When the session ends, the key is forgotten, and should a new session start, a new key will be generated. So the local copy of PassEv will be talking over an http connection with the PassEv.com server, but all the data will be encrypted, ensuring confidentiality.
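
The "shared session key" exchange described in point 2, as an added Node.js example (not PassEv's own code). The post names no algorithms, so RSA-OAEP and AES-256-GCM are assumed choices here, the function names are hypothetical, and the credentials string is constructed sample data. GCM is used so that a message modified in transit is rejected rather than decrypted.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed algorithms: the post names none. RSA-OAEP wraps the session key,
// AES-256-GCM protects the session traffic.
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server, once: the key pair whose public half ships with every installation.
function makeServerKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Client, per session: fresh random key, encrypted under the server public key.
function wrapSessionKey(publicKey) {
  const key = nodeCrypto.randomBytes(32);
  return { key, wrapped: nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, key) };
}

// Server: recover the session key with the private key.
function unwrapSessionKey(privateKey, wrapped) {
  return nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
}

// Either side: output is nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Either side: throws if the message was truncated or modified in transit.
function unseal(key, sealed) {
  if (sealed.length < 28) throw new Error('sealed message too short');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]).toString('utf8');
}

// One session end to end; the credentials string is constructed sample data.
function demoSession() {
  const server = makeServerKeys();
  const { key, wrapped } = wrapSessionKey(server.publicKey);
  const serverKey = unwrapSessionKey(server.privateKey, wrapped);
  const sealed = seal(key, 'master-user:example-master-password');
  return { serverKey, sealed, keysMatch: serverKey.equals(key), received: unseal(serverKey, sealed) };
}
```

The exchange only protects the session if each installation holds the genuine server public key, which is why the post has it known to every PassEv installation in advance.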

About the author

Name of author MacK
Passwords are everywhere around the web. You need one almost for each site you visit. Tired of forgetting my web passwords, I decided to create this utility, which synchronizes passwords in different computers using Internet Explorer. I hope you find it useful.

© Copyright 2008
