search

SimonSchneider / quick-share

MIT License
0 stars 0 forks source link

Allow setting a simple password on secret creation that can be shared over a seperate channel. #1

Open SimonSchneider opened 1 month ago

SimonSchneider commented 1 month ago

The password should be combined with they generated key to arrive at the final key.

basic:

        async function deriveKey(key, password) {
            const encoder = new TextEncoder();
            const passwordKey = await crypto.subtle.importKey('raw', encoder.encode(password), 'PBKDF2', false, ['deriveKey']);
            return crypto.subtle.deriveKey(
                {
                    name: 'PBKDF2',
                    salt: key,
                    iterations: 100000,
                    hash: 'SHA-256'
                },
                passwordKey,
                { name: 'AES-GCM', length: 256 },
                false,
                ['encrypt', 'decrypt']
            );
        }

        async function deriveKey(key, password) {
            const encoder = new TextEncoder();
            const passwordKey = await crypto.subtle.importKey('raw', encoder.encode(password), 'PBKDF2', false, ['deriveKey']);
            return crypto.subtle.deriveKey(
                {
                    name: 'PBKDF2',
                    salt: new Uint8Array([...key].map(c => c.charCodeAt(0))),
                    iterations: 100000,
                    hash: 'SHA-256'
                },
                passwordKey,
                { name: 'AES-GCM', length: 256 },
                false,
                ['encrypt', 'decrypt']
            );
        }

password can be shared over a seperate channel to the link or even just shared over voice.

SimonSchneider commented 1 month ago

Even better would be to decrypt the data twice. And avoid returning the encrypted blob to the client as a malicious third party could use the link to get the data blob and start brute forcing passwords.

Therefore we should do something like this:

  1. Encrypt the data with the key
  2. send encrypted blob to server together with password
  3. generate a link which specifies password protection

When the user wants to get the secret

  1. Navigate to page with the link.
  2. Page prompts user for password.
  3. User inputs password.
  4. Page redirects to regular page with password sent to server
  5. Server Validates password and if incorrect removes the secret and bails. In this case the secret has to be reshared.
  6. If success the server returns the encrypted blob and the normal flow continues.