/
README
40 lines (28 loc) · 2.13 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Copyright 2010 Arran Schlosberg (http://arranschlosberg.com);
This file is part of NodeJS-Keychain (https://github.com/aschlosberg/NodeJS-Keychain).
NodeJS-Keychain is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
NodeJS-Keychain is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with NodeJS-Keychain. If not, see <http://www.gnu.org/licenses/>.
---------------------------------------------------------------------------------------
NodeJS-Keychain
https://github.com/aschlosberg/NodeJS-Keychain
Requirements
------------
NodeJs - www.nodejs.org
Express - www.expressjs.com
MongoDB - www.mongodb.com
Mongoose - www.learnboost.com/mongoose/
OpenSSL aes-cbc-256 cipher
Goals
-----
NodeJS-Keychain is intended to be a highly secure and distributable keychain web service for creation and storage of random, long passwords. Security is managed in a trap-door manner such that a single user/password combination is required to unlock a given key but all other data is entirely protected by hashes & salts; the purpose of this is to allow storage in the cloud.
The encryption scheme is inspired by: http://wayner.org/node/21
Usernames are stored as hashes and each user's master password as a hash of 'user_hash|password|salt'. All keys are referenced by a domain (also hashed) and are then encrypted using AES (CBC) 256 bit with the hash of 'password|user_hash|domain_hash' as the key. All hashes are SHA-512 and the one-way mechanism of cryptographic hashes makes public access to the encrypted keychain relatively safe.
Caveat: the trap-door mechanism means that forgetting the master password results in permanent loss of the encrypted data (well... assuming the cipher is good and implemented properly).