marius-wieschollek / passwords

A simple, yet feature rich password manager for Nextcloud
GNU Affero General Public License v3.0

[Feature Request] 2-Man Rule (Shamir's Secret Sharing technique) #441

Open LimitlessGreen opened 2 years ago

LimitlessGreen commented 2 years ago

Current Status
It is only possible to share passwords, but not to unlock one with the knowledge of many people.

Feature Description
My first idea is to have a vault, which can only be unlocked if a specified number of people insert their own key, like this:

[image]

The main use case, I can imagine, is an emergency, where you want to share otherwise secret credentials.

marius-wieschollek commented 2 years ago

Can you elaborate on the exact use case?

Is this to unlock an e2e enabled user account without need for the master password?

Or is this more like sharing a password / folder etc but only if all recipients enter their code, they can access the shared information?

And how should the process work? Does everyone have to enter their part of the key at the same time?

DatNoHand commented 1 year ago

The use case could be, for example, to recover a master password or even just a very hard secret. Imagine two generals each using their own key at the same time to launch the nukes.

Maybe have them enter not at exactly the same time, but have it be on a (customizable) timer period where all secrets have to be entered?

marius-wieschollek commented 1 year ago

I am familiar with the concept, but I don't understand how this could/should be integrated into the app. Here are a few questions that I have:

  1. How are vaults integrated into the UI? Is this a special section in the navigation (like Folders, Tags, Recent…) or do they behave like folders (show up in parent folder, can be moved etc.) or maybe like passwords (show up in "All" view, are suggested by the browser extension, have fields like website or username)?
  2. What do vaults store? Do they store a single password? Or are they more like a ZIP-File that contains folders etc.
  3. How are vaults created? I guess some kind of dialog that allows you to enter the recipients of a part of the vault key? Do you create the content of the vault while you create the vault or is there maybe a context menu option for passwords & folders that is like "Create Vault"?
  4. How are vaults opened? Is there one person who says: Let's open the vault and everyone has to enter their key at their PC? Or does everyone get an email/notification "Andy wants to open the vault" and then can enter their part of the key on a custom page?
  5. How is this encrypted? Also continues from 4. Is the vault client side encrypted? Is it server side encrypted? Or a mix? If it's client side encrypted, we would need to get all keys to a single client to do the decrypt there. If it's server side encrypted we can wait for all keys and then decrypt it as soon as we have all and then notify the owners. In both ways, the critical part is handling the keys. If they're ever sent to the server they become insecure.
  6. How do you access the vault data after decrypting? Is it like double clicking a ZIP file in windows explorer where you can browse the contents of the ZIP file, but it remains a single file? Or is it like unzipping a ZIP file and everyone (when server side encryption is used) or the one opening it (when client side encryption is used) gets a permanent copy of the data?

Lastly, from my previous comment: What are vaults used for? My questions above assume that you want to store passwords/folders etc. in the vault. Is that the idea? Or is this for example a backup if someone forgets the encryption password for their own account? (Like a mnemonic passphrase that is sent to all admins to unlock a user's account)

DatNoHand commented 1 year ago

1. and 2. Maybe we would have to define the term 'vault' a bit better. It could be a) a special type of password b) a folder containing passwords, notes, etc...

But I think that a) will be more suitable for this project.

3. The UI Dialogue is a good start, maybe have the server act as trusted middleman until every recipient has confirmed that they have received their part. With this approach the users don't have to be online at the same time.

As for your question, what are vaults used for: I think that it could start as a password recovery option, allowing a user to select other trusted Nextcloud users to help him regain access to his account. Things to think about are server admin abuse and client abuse, so that a user cannot arbitrarily reset another user's account. But then again, the passwords app is not responsible for handling users' Nextcloud passwords so... 🤷

I agree that this feature is hard to pull off, especially if the approach is that you cannot trust the NC server to be secure.