nithinmanoj10 / password-SHAck

💼 Password Manager Toolkit

Create User Vault #14

Open nithinmanoj10 opened 1 year ago

nithinmanoj10 commented 1 year ago

Module to create a new and empty vault for a user to securely store their passwords and personal information.

nithinmanoj10 commented 1 year ago

Initial Setup

After the user downloads the password manager, they should run the following command before using it for the first time to set up the file and folder systems that store the passwords:

python3 setup.py 

The following steps are done in the setup process:

  1. pip installs the necessary packages
  2. creates the vaults directory (empty)
  3. creates the master_info.txt (empty)

This will create a directory named vaults that contains each and every vault, and a file named master_info.txt that contains information about the user like name, e-mail, master password, etc.

The name of each vault file in vaults will be its respective authentication key (A). It is calculated as follows:

from argon2.low_level import Type, hash_secret_raw   # Argon2 as the KDF H
PARAMS = dict(time_cost=3, memory_cost=65536, parallelism=4, hash_len=32, type=Type.ID)

def getVaultKey(master_password, salt):
    # `x | y` in the formulas maps to Argon2's separate (secret, salt) inputs
    V = hash_secret_raw(master_password.encode(), salt, **PARAMS)   # V = H(master_password | salt)
    A = hash_secret_raw(master_password.encode(), V, **PARAMS)      # A = H(master_password | V), the vault file name
    return V, A.hex()

H is any secure key-derivation function. In our implementation, we will be using Argon2. V is the vault key and is calculated as follows:

V = H(master_password | salt)

The salt is unique and randomly generated at the time of creation of a vault for a user.

What is a vault?

Each user will be assigned a unique vault at the time of their account creation. This vault will securely store passwords and personal information that can later be accessed and modified by the user using a Vault Key. Each user's vault will also be authenticated using a Vault Authentication Key.

User Vault Creation Process

At the time of creating a new vault, the following details need to be inputted by the user:

  1. User Name
  2. E-mail ID
  3. DOB
  4. Master Password

At the time of creation, the software checks if the master password is strong or not.

This information is stored in a User-Vault SQL table. The master password is hashed and stored along with a salt.

nithinmanoj10 commented 1 year ago

Setting up the password file system

After the user downloads the password manager, they should run the following command before using it for the first time to set up the file and folder systems that store the passwords:

python3 setup.py

The following steps are done in the setup process:

  1. Installs the necessary packages to run password-SHAck
  2. Creates an empty vaults directory
  3. Creates an empty master_info.txt file

Here is a top-level overview of the file system. There is a directory named vaults that contains each user's vault. A vault is an encrypted text file containing the user's passwords. The name of each encrypted vault file is the vault's authentication key A, whose calculation will be shown in the upcoming sections. Each vault file contains encrypted key-value pairs. The site name, e-mail ID or any other unique name used to identify the password is the key, while the hashed password is stored as the value.

The master_info.txt is an encrypted file that contains the following information about each user:

  1. User name
  2. Hashed Master Password
  3. Randomly generated salt

This is again stored as encrypted key-value pairs.

nithinmanoj10 commented 1 year ago

Creating a User Vault

Each user will be assigned a unique vault at the time of their account creation. This vault will securely store passwords and personal information that can later be accessed and modified by the user using a Vault Key. Each user's vault will also be authenticated using a Vault Authentication Key. Both the Vault Key (V) and the Authentication Key (A) are derived from the master password chosen by the user. They are calculated as follows:

V = H(master_password | salt)

The salt is unique and randomly generated at the time of creation of a vault for a user. H is any secure key-derivation function. In our implementation, we will be using Argon2.

The vault key is then used to calculate the authentication key.

A = H(master_password | V)

At the time of creating a new vault, the following details need to be inputted by the user:

  1. Username
  2. Master Password

A unique salt is then randomly generated and used to hash the master password using a key-derivation function. The username, hashed master password and salt are then stored together inside the master_info.txt file. So the next time the user tries to log in, we check whether the master password he inputted was correct by comparing the hash of the inputted password with the hash stored in the master_info.txt file.

Right after the user account is created, the vault key and authentication key are created from the master password. A new file with the same name as the authentication key is created inside the vaults directory. This will be the user's vault, and their passwords will be stored here. This vault file is then encrypted and decrypted using a symmetric-key cipher, with the calculated vault key as the symmetric key.
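The derivation and login flow described across these comments, written out as an added example (not code from the password-SHAck project). It uses scrypt from the Python standard library as a stand-in for the Argon2 H named in the issue so that it runs with no extra packages; the `login-verifier` label, the record layout and the sample credentials are assumptions made here. One deliberate addition: the stored login hash is derived under a separate label, so the master_info record never equals the vault key V.

```python
import hashlib
import hmac
import secrets

# Stand-in for the KDF H. The issue names Argon2; scrypt from the standard library is
# used here so the example runs with no third-party packages. "H(a | b)" is modelled as
# KDF(password=a, salt=b), since Argon2 and scrypt both take the salt as a separate input.
def H(secret: bytes, salt: bytes, length: int = 32) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=length)

def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Return (V, A): V = H(master_password | salt), A = H(master_password | V)."""
    mp = master_password.encode()
    V = H(mp, salt)   # vault key: the symmetric key that encrypts the vault file
    A = H(mp, V)      # authentication key: also used as the vault file's name
    return V, A

def vault_filename(A: bytes) -> str:
    return A.hex()    # hex-encode so raw key bytes never appear in a path

def create_user(username: str, master_password: str) -> dict:
    """Build the master_info record: username, hashed master password, salt."""
    salt = secrets.token_bytes(16)   # unique, random per user
    # Assumption added here: the login hash is derived under a distinct label. If it
    # were computed exactly as V is, master_info would hold the vault key itself.
    verifier = H(master_password.encode(), b"login-verifier:" + salt)
    return {"username": username, "hash": verifier.hex(), "salt": salt.hex()}

def verify_master(record: dict, attempt: str) -> bool:
    """Login check: recompute the login hash from the stored salt, compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = H(attempt.encode(), b"login-verifier:" + salt)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

def open_vault(record: dict, master_password: str) -> tuple:
    """After a successful login, derive V and the vault file name from the stored salt."""
    V, A = derive_keys(master_password, bytes.fromhex(record["salt"]))
    return V, vault_filename(A)

if __name__ == "__main__":
    rec = create_user("alice", "correct horse battery staple")   # constructed sample user
    assert verify_master(rec, "correct horse battery staple")
    assert not verify_master(rec, "wrong password")
    V, name = open_vault(rec, "correct horse battery staple")
    print("master_info record:", rec)
    print("vault file:", "vaults/" + name)
```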