SecurePass: Blockchain-Powered Open-Source Password and TOTP Manager

vkvinay, 2 years ago

Using blockchain and encryption technology, SecurePass helps you manage your passwords and TOTP secrets by storing the encrypted data in a secure and trustless way, such that only you have access to it.

With the increasing number of websites and apps that we have to log in to, password managers are becoming more essential than ever. However, there are a few problems with the existing password managers:

  • Password managers are essential these days when we have to manage lots of different passwords

  • There are lots of potential problems with the existing centralized password managers:

    • Single point of failure: if the server/database goes down, there go your passwords

    • Trust issue: can you really trust that this closed-source software will not just read your passwords?

  • For an open-source password manager running on your own machine: you are indeed in total control of your passwords. However, you would have to manually back up your encrypted passwords elsewhere in case your machine is damaged or lost. There is no guaranteed availability of your passwords.

  • SecurePass solves all of these problems:

    • The passwords are stored on the decentralized database that is the Bitcoin Cash blockchain, using OP_RETURN, so it will not go down easily

    • The passwords are encrypted using AES-128 with a key derived from your mnemonic or private key, which belongs to only you. You are the only one who can see your saved passwords.

What we can store

Password

{
'domain': 'https://example.com/login',
'username': 'username',
'password': 'password'
}

TOTP

{
'name': 'alice@example.com',
'secret': 'JBSWY3DPEHPK3PXP',
'issuer': 'example.com',
'interval': 30,
}

Protocols

The protocol uses P2PKH addresses. Actions are saved using OP_RETURN. Data is UTF-8 encoded.

1. Action: Start encrypted password
   Prefix: 0x5d01
   Value: encrypted data fragment (217 bytes)

2. Action: Continue encrypted password
   Prefix: 0x5d02
   Value: txhash (32 bytes), encrypted data fragment (184 bytes)
   Continues the encrypted data from the previously referenced transaction.

3. Action: Start encrypted TOTP
   Prefix: 0x5d11
   Value: encrypted data fragment (217 bytes)

4. Action: Continue encrypted TOTP
   Prefix: 0x5d12
   Value: txhash (32 bytes), encrypted data fragment (184 bytes)

5. Action: Activate or deactivate
   Prefix: 0x5d00
   Value: [txhash (32 bytes), ...]
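Added example (not SecurePass's own code, and not part of the original post): a small Python module that lays out an encrypted blob across OP_RETURN payloads following the five actions above and reassembles it again. It assumes the two-byte prefixes are written big-endian (0x5d01 becomes the bytes 5d 01) and that a Continue record carries the 32-byte hash of the transaction it continues; since real transaction ids come from the wallet, sha256 of the payload (fake_txid) stands in for them. All function names are introduced here. Beyond the listed actions it also checks a limit that follows from the numbers given: a 0x5d00 record can reference at most six txhashes (2 + 6 x 32 = 194 bytes, while seven would exceed 220).

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Two-byte action prefixes from the protocol table, written big-endian (assumption).
PREFIX_START_PASSWORD = b"\x5d\x01"
PREFIX_CONT_PASSWORD = b"\x5d\x02"
PREFIX_START_TOTP = b"\x5d\x11"
PREFIX_CONT_TOTP = b"\x5d\x12"
PREFIX_ACTIVATE = b"\x5d\x00"
START_PREFIXES = (PREFIX_START_PASSWORD, PREFIX_START_TOTP)
CONT_PREFIXES = (PREFIX_CONT_PASSWORD, PREFIX_CONT_TOTP)

OP_RETURN_LIMIT = 220  # bytes of OP_RETURN data per output (figure from the post)
START_FRAGMENT = 217   # prefix(2) + 217 = 219 bytes
CONT_FRAGMENT = 184    # prefix(2) + txhash(32) + 184 = 218 bytes
TXHASH_LEN = 32
MAX_ACTIVATE_REFS = (OP_RETURN_LIMIT - 2) // TXHASH_LEN  # six txhashes fit in one 0x5d00 record


def fake_txid(payload: bytes) -> bytes:
    """Constructed stand-in for the transaction hash the wallet would assign."""
    return hashlib.sha256(payload).digest()


def build_chain(encrypted: bytes, totp: bool = False) -> List[Tuple[bytes, bytes]]:
    """Split an encrypted blob into (txid, payload) records: one Start record followed
    by Continue records, each naming the txhash of the record it continues."""
    start_prefix = PREFIX_START_TOTP if totp else PREFIX_START_PASSWORD
    cont_prefix = PREFIX_CONT_TOTP if totp else PREFIX_CONT_PASSWORD
    payload = start_prefix + encrypted[:START_FRAGMENT]
    records = [(fake_txid(payload), payload)]
    pos = START_FRAGMENT
    while pos < len(encrypted):
        prev_txid = records[-1][0]
        payload = cont_prefix + prev_txid + encrypted[pos:pos + CONT_FRAGMENT]
        records.append((fake_txid(payload), payload))
        pos += CONT_FRAGMENT
    for _, p in records:
        if len(p) > OP_RETURN_LIMIT:
            raise ValueError("payload exceeds the OP_RETURN limit")
    return records


def parse_payload(payload: bytes) -> Tuple[bytes, Optional[bytes], bytes]:
    """Return (prefix, referenced txhash or None, data) for one OP_RETURN payload."""
    prefix, body = payload[:2], payload[2:]
    if prefix in START_PREFIXES or prefix == PREFIX_ACTIVATE:
        return prefix, None, body
    if prefix in CONT_PREFIXES:
        if len(body) < TXHASH_LEN:
            raise ValueError("continuation record is too short to hold a txhash")
        return prefix, body[:TXHASH_LEN], body[TXHASH_LEN:]
    raise ValueError("not a SecurePass payload")


def reassemble(records: Dict[bytes, bytes], start_txid: bytes) -> bytes:
    """Rebuild the encrypted blob that begins at `start_txid` from a txid -> payload map.
    Continue records point backwards, so first index them by the txhash they continue."""
    start_prefix, _, data = parse_payload(records[start_txid])
    if start_prefix not in START_PREFIXES:
        raise ValueError("start_txid is not a Start record")
    cont_prefix = PREFIX_CONT_TOTP if start_prefix == PREFIX_START_TOTP else PREFIX_CONT_PASSWORD
    next_of: Dict[bytes, bytes] = {}
    for txid, payload in records.items():
        try:
            prefix, prev, _ = parse_payload(payload)
        except ValueError:
            continue  # unrelated OP_RETURN data mixed into the map is ignored
        if prefix == cont_prefix:
            if prev in next_of:
                raise ValueError("two records continue the same transaction")
            next_of[prev] = txid
    out = bytearray(data)
    cur = start_txid
    seen = {cur}
    while cur in next_of:
        cur = next_of[cur]
        if cur in seen:
            raise ValueError("continuation chain loops")
        seen.add(cur)
        out += parse_payload(records[cur])[2]
    return bytes(out)


def activation_payload(txids: List[bytes]) -> bytes:
    """Build a 0x5d00 record listing the txhashes to activate or deactivate."""
    if len(txids) > MAX_ACTIVATE_REFS:
        raise ValueError(f"at most {MAX_ACTIVATE_REFS} txhashes fit in one record")
    if any(len(t) != TXHASH_LEN for t in txids):
        raise ValueError("txhash must be 32 bytes")
    return PREFIX_ACTIVATE + b"".join(txids)


def activation_targets(payload: bytes) -> List[bytes]:
    """Split a 0x5d00 record back into its 32-byte txhashes."""
    prefix, _, body = parse_payload(payload)
    if prefix != PREFIX_ACTIVATE or len(body) % TXHASH_LEN:
        raise ValueError("malformed activate/deactivate record")
    return [body[i:i + TXHASH_LEN] for i in range(0, len(body), TXHASH_LEN)]
```

A real client should only index records published from the user's own P2PKH address, since anyone can put an OP_RETURN on the chain that names an existing txhash; the reassembler above refuses to guess when two records continue the same transaction rather than silently picking one.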

Is AES-128 safe?

Even with a supercomputer, it would take 1 billion years to crack the 128-bit AES key using a brute-force attack. This is more than the age of the universe (13.75 billion years). If one were to assume that a computing system existed that could recover a DES key in a second, it would still take that same machine approximately 149 trillion years to crack a 128-bit AES key.

Encryption key derivation from a mnemonic or private key

Using PBKDF2 (Password-Based Key Derivation Function 2) we can derive a 128-bit encryption key; the user can also supply an optional salt for more protection.
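Added example (not SecurePass's own code): the derivation step done with the Python standard library's hashlib.pbkdf2_hmac instead of the pbkdf2 package. The post names PBKDF2 but not the hash or iteration count, so HMAC-SHA256 and 100,000 iterations are assumptions, and derive_key and check_aes128_key are helpers introduced here. The example also shows the check a client should make before handing the key to AES: the key must stay the raw 16 bytes, because a hex string of it is 32 characters long and an AES implementation chooses its variant (or rejects the key) from the key length.

```python
import hashlib

AES128_KEY_LEN = 16  # AES takes a 16-, 24- or 32-byte key and picks the variant from the length

# Assumed parameters: the post specifies PBKDF2 but not the PRF or the iteration count.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 100_000


def derive_key(secret: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 128-bit key from a mnemonic or private key string (UTF-8 encoded, as the
    post says data is). `salt` is the optional user-supplied salt; empty if none was chosen."""
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, secret.encode("utf-8"), salt,
                               iterations, dklen=AES128_KEY_LEN)


def check_aes128_key(key) -> bool:
    """True only for a raw 16-byte key. The hex form of the same key is a 32-character
    string, so passing it on as the key would not give AES-128."""
    return isinstance(key, (bytes, bytearray)) and len(key) == AES128_KEY_LEN


if __name__ == "__main__":
    # Constructed sample secret; a real client would use the wallet's mnemonic or private key.
    sample = "example mnemonic words only"
    k = derive_key(sample, b"optional-user-salt")
    print("key bytes:", len(k), "usable for AES-128:", check_aes128_key(k))
    print("hex form length:", len(k.hex()), "usable as-is:", check_aes128_key(k.hex()))
```

Same secret and salt always give the same key, which is what lets the client rebuild the key on a new device from the mnemonic alone; a different salt gives an unrelated key, so a user who chose a salt must remember it as well.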

 
from pbkdf2 import PBKDF2  # the "pbkdf2" package; read(n) returns n derived bytes
salt = b""  # optional user-supplied salt; empty if the user chose none

key = PBKDF2("mnemonic or private key", salt).read(16)  # 128-bit key, kept as raw bytes (a hex string of it would be 32 bytes long and no longer an AES-128 key)

Encryption

Using AES-128 in CBC (Cipher Block Chaining) mode

import os
from Crypto.Cipher import AES            # pycryptodome
from Crypto.Util.Padding import pad, unpad

iv = os.urandom(16)     # 128-bit IV; store it alongside the ciphertext, it is needed to decrypt
cipher = AES.new(key, AES.MODE_CBC, iv)
encrypted = cipher.encrypt(pad(data, AES.block_size))   # CBC needs whole 16-byte blocks

# decrypt with a fresh cipher object: a CBC object carries chaining state and is not reused
data = unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(encrypted), AES.block_size)

What if data exceeds 220 bytes?

Currently the Bitcoin Cash blockchain has a limit of 220 bytes for OP_RETURN data. If the data exceeds 220 bytes we can use protocols 2 and 4, which continue the data in further transactions.

On top of the above protocols we can build a fully-featured, free, open-source password manager.

Features

  • You can save the login credentials for different websites to SecurePass. The saved credentials will be auto-filled when you visit the websites subsequently.

  • You can also generate one-time passwords from the stored TOTP data

  • SecurePass can also be used as a light Bitcoin Cash wallet

  • We can also implement Firefox and Chrome extensions and a mobile app

Contact

You can share your opinions and improvement proposals on the subreddit r/SecurePass.

I am looking for a sponsor for development funds; you can also guide me on that.

Thank you


Comments

This is a very cool concept. One downside to this is that now everyone can see when you're updating things in your password manager, which could tie your Bitcoin Cash address to your IRL identity (for example, a website correlating your sign-up to when you updated your password manager). Some websites also make registration dates public.

I haven't looked much into it, but if you can figure out a way to minimize these issues that would be really awesome.