
Project overview and design documentation #1

@dipu-bd

This is an open source project concerned with securely storing sensitive information such as passwords, credit cards, secret texts, or files. Instead of trusting a third-party app and hoping every second to be safe from a data breach, it is better to have your own project to store your own private information.

The high-level goals of this project are:

  • Provide a highly secure store for saving secrets.
  • Back up the store to multiple cloud storage services such as Google Drive, OneDrive, and Dropbox.
  • Share the store across multiple devices.

UX/UI

This will be a mobile-first application. The desktop design will be adapted from the mobile UI.

Logo

(image: circular logo)

Figma

Presentation
https://www.figma.com/proto/m5YKFuOr4f9pQSmJ7Xw9RE/Safestore

Design
https://www.figma.com/file/m5YKFuOr4f9pQSmJ7Xw9RE/Safestore

(image: safestore design)

Security

The security points we need to be concerned about in this application:

How to encrypt user data?

  • A symmetric-key authenticated encryption scheme (AEAD) can be used, so that any tampering with stored data is detected at decryption time.

How to generate the symmetric key?

  • A key derivation function can be used, with a random per-store salt that is saved next to the data.

How to ensure the security of the generated key?

  • It should only be stored on the device side; it must never leave the device in the clear.
  • It will have an expiry time and will be rotated periodically to a new one.

How to store the generated key on the device side?

  • This is the most vital part, since it can compromise the security of the entire system.
  • A key derived from the user-provided password can be used to encrypt (wrap) the secret keys; the password itself is never stored.
  • Enforce users to choose a good password.
  • Optionally, biometric authentication can be enabled. In that case a platform-backed secure storage such as the iOS Keychain or Android Keystore is required.

How to share the data with other devices?

  • The shared data will be encrypted using a different key from the one protecting the local store.
  • Asymmetric-key cryptography will be used to exchange that key. The exchanged public keys must be authenticated (signed with the devices' identity keys); otherwise a man-in-the-middle can substitute its own public key and read the shared data.

How to back up and restore the data?

  • The app can be linked with cloud storage services.
  • Only encrypted data will be stored in these cloud storage services; keys are never uploaded in the clear.
  • On the same device, data can easily be restored from a backup because the key is already present.
  • On a different device, the user can go through the password recovery process to restore the data.

Algorithm choice

The cryptographic algorithms not only have to be secure, but also fast enough to perform well on mobile devices.

Purpose                    Algorithm
Random number generator    Random.secure() (Dart's cryptographically secure RNG)
Data encryption            XChaCha20-Poly1305-IETF (AEAD)
Key exchange               ECDH over X25519
Digital signature          Ed25519 (EdDSA)
Hashing                    SHA3-256
Key derivation             Argon2id

Creating a store

  • Take the store name and password as input from the user.
  • Enforce users to choose a good password:
    • Minimum length should be 8.
    • The password can contain any UTF-8 characters.
    • Verify the password strength and reject weak passwords.
  • Generate a 128-bit password hash using Argon2id with a random per-store salt. The salt is not secret and is saved with the store so that the hash can be recomputed when the store is opened.
  • Give an option to enable fingerprint unlock if the feature is available.
    • If enabled, save the password hash in the biometric storage.
    • Otherwise neither the password nor its hash is saved anywhere.
  • Create a recovery code and ask the user to store it somewhere safe.
    • Split the password hash into 8 equal parts of 16 bits each.
    • Use each part as an index to choose an English word from words.txt. The list must therefore contain exactly 2^16 = 65,536 distinct words, so that every index is valid and the words map back to the hash unambiguously.
    • Since the 8 words encode the password hash exactly, they are as sensitive as the password itself.
  • Generate a random 256-bit secret key required for the data encryption algorithm.
  • Initialize the file system for the store with the secret key.
  • Save the store name in the app-specific secure database using an in-app secret.
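Encoding and decoding the recovery code as described in the steps above, as an added example in Python (standard library only; not Safestore's own code). Because words.txt is not on the page, the block constructs a deterministic stand-in list of 65,536 unique syllable strings; the validation in load_word_list is the check a practitioner would want before shipping a real list, since a list of the wrong length or with duplicates makes some hashes unencodable or some recovery codes ambiguous.

```python
# Recovery-code encoding/decoding for the 128-bit Argon2id password hash.
# This is an added illustration, not Safestore project code. It assumes the
# design above: 8 words, each chosen by a 16-bit slice of the hash, from a
# word list that must hold exactly 2**16 distinct words. words.txt is not on
# the page, so a stand-in list is constructed here from syllables.

HASH_BYTES = 16          # 128-bit password hash
WORDS_PER_CODE = 8       # 8 words x 16 bits = 128 bits
LIST_SIZE = 1 << 16      # every 16-bit index must map to exactly one word


def build_word_list() -> list:
    """Constructed stand-in for words.txt: 65,536 unique three-syllable
    strings (deterministic and pronounceable, but not real English words)."""
    syllables = [c + v for c in "bdfghjklmnprstvz" for v in "aeiou"]  # 80 syllables
    words = []
    for a in syllables:
        for b in syllables:
            for c in syllables:
                words.append(a + b + c)
                if len(words) == LIST_SIZE:
                    return words
    return words


def load_word_list(lines) -> tuple:
    """Validate a word list and return (words, word -> index). A list that is
    not exactly 2**16 entries long, or that repeats a word, would make some
    hashes unencodable or some recovery codes ambiguous, so reject it."""
    words = [line.strip().lower() for line in lines]
    if len(words) != LIST_SIZE:
        raise ValueError(f"word list must have {LIST_SIZE} entries, got {len(words)}")
    index = {}
    for i, word in enumerate(words):
        if not word or " " in word or word in index:
            raise ValueError(f"empty or duplicate word at position {i}: {word!r}")
        index[word] = i
    return words, index


def hash_to_words(password_hash: bytes, words: list) -> list:
    """Encode: each big-endian 16-bit slice of the hash selects one word."""
    if len(password_hash) != HASH_BYTES:
        raise ValueError("expected a 128-bit password hash")
    return [words[int.from_bytes(password_hash[2 * i:2 * i + 2], "big")]
            for i in range(WORDS_PER_CODE)]


def words_to_hash(code, index: dict) -> bytes:
    """Decode: map the 8 words back to their indexes and reassemble the hash.
    A mistyped word is caught here; a wrong but valid word yields a wrong
    hash, which then simply fails to unwrap the store key."""
    code = [word.strip().lower() for word in code]
    if len(code) != WORDS_PER_CODE:
        raise ValueError(f"expected {WORDS_PER_CODE} recovery words, got {len(code)}")
    out = bytearray()
    for word in code:
        if word not in index:
            raise ValueError(f"unknown recovery word: {word!r}")
        out += index[word].to_bytes(2, "big")
    return bytes(out)


if __name__ == "__main__":
    words, index = load_word_list(build_word_list())
    sample_hash = bytes(range(16))  # constructed stand-in for an Argon2id output
    code = hash_to_words(sample_hash, words)
    print(" ".join(code))
    assert words_to_hash(code, index) == sample_hash
```

The encoding is a plain bijection with no checksum, so there is no way to tell a mistyped-but-valid word apart from a correct one until the resulting hash fails to open the store; the word list should also avoid near-duplicate spellings for that reason.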

Opening a store

  • Read the secure database and retrieve the list of stores.
  • When the user selects a store, prompt for the password, or for biometrics if enabled.
  • If biometrics are used, the password hash is retrieved from the biometric storage; otherwise it is recomputed with Argon2id from the entered password and the store's saved salt.
  • A 256-bit key is derived from the password hash and used to decrypt (unwrap) the store's secret key.
  • This secret key can then be used to access the encrypted store. If the wrap uses the AEAD from the table above, a wrong password shows up as an authentication failure when unwrapping, so the store contents are never touched with a wrong key.
  • A password recovery section will be visible when opening a store.

Password Recovery

  • The user can enter the 8 recovery words.
  • The recovery words are decoded back into the forgotten password hash.
  • The password hash is used to unwrap the old secret key.
  • The existing store can be accessed with this key.
  • A new password is obtained from the user.
  • New recovery words are conveyed to the user.
  • A new password hash is generated (and stored if biometrics are enabled).
  • A new secret key is generated and the store is re-encrypted with it.
  • The old password hash and secret key are discarded; the old recovery words no longer open the store.

File system design

The file system should have these abilities:

  • Compress and encrypt data before saving to storage (compress first, then encrypt, since ciphertext does not compress; note that compressing attacker-chosen data together with secrets can leak information through the ciphertext length).
  • Can create, delete, read, modify, and list entries with extra metadata.
  • Ability to keep and restore a previous version of an entry.
  • Keeps indexes for searching entries by metadata quickly; the indexes must be encrypted as well, since they expose that metadata.
  • Supports syncing data between two file systems.

Cloud Storage

For backup, users can link their preferred cloud storage services. Currently on deck:

When restoring on the same device, the Master Key (the store's secret key) is already known. Restoring on a different device requires the Master Key to be shared via the authenticated key exchange, or to be recovered through the password recovery process described above.

Relevant Links

Here are some links to the relevant projects, libraries, and blogs:
