Update documentation and fix javascript bug (substr not allowed)

This commit is contained in:
Grégory Soutadé 2013-10-10 18:29:08 +02:00
parent 5e7073fbdd
commit aad001bb25
2 changed files with 30 additions and 8 deletions


@ -5,20 +5,21 @@ Introduction
------------ ------------
Everyday we have a lot of passwords to manage corresponding to a lot of accounts we use. It's hard to remain all of these, moreover if we don't use it often. So, what we most people do is to generate only a subset of passwords easy to remain. This implies two common errors : Everyday we have a lot of passwords to manage corresponding to a lot of accounts we use. It's hard to remain all of these, moreover if we don't use it often. So, what we most people do is to generate only a subset of passwords easy to remain. This implies two common errors :
* Password are not very strong * Password are not very strong
* We use them for multiple accounts * We use them for multiple accounts
The best way to avoid these errors is to have a unique strong password for each account. gPass helps to reach this goal : you keep a subset of passwords and for each login/password tuple you chose, gPass returns the real password by querying a password server. The best way to avoid these errors is to have a unique strong password for each account. gPass helps to reach this goal : you keep a subset of passwords and for each login/password tuple you chose, gPass returns the real password by querying a password server.
To have a high level of security, all information is stored encrypted. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information ! To have a high level of security, all information is stored encrypted. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information (except if it bruteforce your masterkey) !
This addon is like [last pass](https://lastpass.com/) one, but I wanted it to be open source and home hostable. Moreover, with gPass, you can have multiple master key ! This addon is like [last pass](https://lastpass.com/) one, but I wanted it to be open source and home hostable (be careful on server down !). Moreover, with gPass, you can have multiple master key !
Usage Usage
----- -----
The first thing to do is to populate your database (from your/a password server) with login/password/master key values. If you want to make strong password, there is a password generator. After that, configure your addon in addons -> gPass -> preferences to point to your password server. The first thing to do is to populate your database (from your/a password server) with login/password/master key values. If you want to make strong password, there is a password generator. After that, configure your addon in addons -> gPass -> preferences to point to your password server (+ username).
When you're in a login form and you want to use gPass. Type your login and fill "@@masterkey" in password field. Then, submit and password willll automatically be replaced by the one in the database (after decryption). When you're in a login form and you want to use gPass. Type your login and fill "@@masterkey" in password field. Then, submit and password willll automatically be replaced by the one in the database (after decryption).
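Review bot: The new caveat in the Introduction paragraph, "(except if it bruteforce your masterkey)", is the core of the security claim and should be a full sentence rather than an aside: the Technique section states that the encryption key is sha256(masterkey), so a short or guessable master key is the only thing protecting a stolen database, and the README should tell users to pick a long master key. Smaller wording points in the same hunk: "remain" should be "remember" (three occurrences), "what we most people do" should be "what most people do", and "willll" in the Usage paragraph should be "will".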
@ -26,14 +27,32 @@ When you're in a login form and you want to use gPass. Type your login and fill
Technique Technique
--------- ---------
The only two columns in database are "login" and "password". The two columns in database are "login" and "password".
login is compounded by "@@domain;login" encrypted with AES 256 login is compounded by "@@domain;login" encrypted with AES 256
password encrypted with AES 256 password is salted and encrypted with AES 256
The key that encrypt these fields is sha256(masterkey) The key that encrypt these fields is sha256(masterkey)
For now the only addons is done for firefox. Server side is written in PHP (with SQLite3 for database component).
Server
------
You just have to copy server files in a directory read/write for www-data. A sample apache2 configuration file is available in ressources.
You can activate/deactivate view of ciphered passwords by setting $VIEW_CIPHERED_PASSWORDS in index.php
A demonstration server is available [here](http://gpass-demo.soutade.fr). It's the default server of XPI package.
Client
------
Just install xpi package. You can have debug information by setting DEBUG in main.js.
Licence Licence
------- -------
All the code is licenced under GPL v3. Source code is available [here](http://indefero.soutade.fr/p/gpass). All the code is licenced under GPL v3. Source code is available [here](http://indefero.soutade.fr/p/gpass).
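Review bot: "password is salted and encrypted with AES 256" in the Technique section does not say how the salt is applied or where it is stored, and neither line names the AES mode; the client in main.js has to reproduce exactly this construction to decrypt, so the README should spell it out. "The key that encrypt these fields" should read "The key that encrypts these fields". In the Server section, the demo server is linked as http://gpass-demo.soutade.fr and is the default in the XPI package; the text should state what the addon posts to the server so users can judge whether the server must be served over TLS, and should say whether the SQLite3 database file lives inside the directory that is "read/write for www-data" under the document root and, if so, how direct download of it is prevented.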


@ -124,9 +124,11 @@ function on_sumbit()
// gPassRequest.addEventListener("progress", function(evt) { ; }, false); // gPassRequest.addEventListener("progress", function(evt) { ; }, false);
gPassRequest.addEventListener("load", function(evt) { gPassRequest.addEventListener("load", function(evt) {
r = this.responseText.split("\n"); r = this.responseText.split("\n");
debug("resp " + r);
if (r[0] != "<end>" && r[0].startsWith("pass=")) if (r[0] != "<end>" && r[0].startsWith("pass="))
{ {
ciphered_password = r[0].susbtr(5); ciphered_password = r[0].split("=");
ciphered_password = ciphered_password[1];
debug("Ciphered password : " + ciphered_password); debug("Ciphered password : " + ciphered_password);
clear_password = aes.decryptLongString(hex2a(ciphered_password), aes.init(hex2a(mkey))); clear_password = aes.decryptLongString(hex2a(ciphered_password), aes.init(hex2a(mkey)));
aes.finish(); aes.finish();
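Review bot: Replacing `r[0].susbtr(5)` with `split("=")` followed by `[1]` fixes a typo, not an unsupported method: `substr` exists in JavaScript and the old line simply misspelled it as `susbtr`, so the commit message "substr not allowed" is misleading. `r[0].substr(5)` (or `substring(5)`) is the direct fix and keeps working if the value ever contains an "=" character, which `split("=")[1]` would truncate (harmless while the value is hex, but fragile). The new `debug("resp " + r)` line writes the whole server response, including the ciphered password, to the debug output; that is only acceptable because DEBUG is off by default, so note it in a comment. Also, `r` and `ciphered_password` are assigned without `var` and become globals.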
@ -159,7 +161,8 @@ function on_sumbit()
}); });
}, false); }, false);
gPassRequest.open("POST", prefSet.prefs["account_url"], true); debug("connect to " + prefSet.prefs["account_url"]);
gPassRequest.open("POST", prefSet.prefs["account_url"], false);
gPassRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8'); gPassRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
gPassRequest.send(keys); gPassRequest.send(keys);
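Review bot: Changing the last argument of gPassRequest.open() from true to false makes the request synchronous, which blocks the browser UI until the password server answers; with a down or slow server (which the README in this same commit warns about) the page freezes until the request times out. If the synchronous call is needed so the password is substituted before the form submission continues, say so in a comment beside the call and in the commit message; otherwise keep the asynchronous call, since the "load" listener above already handles the response. The added debug("connect to " + ...) line is fine. Separately, the function name on_sumbit in the hunk header is misspelled (on_submit) and is worth fixing in a follow-up.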