ngi-nix/opaque-sphinx
SPHINX

This flake packages several components related to SPHINX: a password Store that Perfectly Hides from Itself (No Xaggeration).

The sphinx client/server architecture allows secrets to be exchanged securely. The server never decrypts any passwords itself; all encryption and decryption happens on the client side. See the readme for a good explanation.

NGI Project pages:

The core library, libsphinx, is used to build several software components:

Androsphinx

An android app that acts as a sphinx client.

The ./pkgs/androsphinx/gradle-env.* files have been generated using gradle2nix:

$ git clone https://github.com/dnet/androsphinx.git && cd androsphinx
$ export JAVA_HOME=/nix/store/...-openjdk-.../ # gradle2nix needs this
$ gradle2nix

pwdsphinx

A Python sphinx client/server implementation.

zphinx-zerver

A Zig sphinx server implementation.

Nix packages & their dependencies

Most of the packages below depend (indirectly) on libsodium. The version shipped with Nix is used.

  • equihash: "memory-hard PoW with fast verification"
  • libsphinx: "a cryptographic password storage"; a C library and some standalone tools.
    • Dependencies: libsodium
  • pysodium: "a very simple wrapper around libsodium masquerading as nacl"; a Python library
    • Dependencies: libsodium
  • securestring: a Python library to clear "the contents of strings containing cryptographic material"
  • qrcodegen: a QR Code generator library for multiple languages
  • pwdsphinx: Python bindings for libsphinx.
    • Dependencies: equihash, libsphinx, pysodium, securestring, qrcodegen
  • androsphinx: an Android app wrapping libsphinx.
    • Dependencies: equihash, libsodium, libsphinx
  • zphinx-zerver: a server implementation in Zig.
    • Dependencies: BearSSL, equihash, libsphinx, zig-toml

Note: The androsphinx readme suggests using qrencode to generate the QR code that configures the phone, while the pwdsphinx readme suggests qrcodegen. Both tools fulfil the same task.

Local test setup

You need:

  • a development machine running Linux
  • an Android phone
  • a local (wireless) network where both the phone & the dev machine can talk to each other
  • Nix (surprise!) with Flakes support.

The setup is as follows: A sphinx server ("oracle") will run on the dev machine. A sphinx command line client will run independently on the dev machine and connect to the oracle. The androsphinx app will also connect (via the local network) to the oracle. Both clients (cli & app) will be able to access the same credentials.

Server setup

# Install & activate all dependencies.
$ nix develop
# Go to the test folder.
$ rm -rf ~/sphinx-test ; mkdir ~/sphinx-test && cd ~/sphinx-test

# Create an SSL certificate (only do this once).
$ openssl req -nodes -x509 -sha256 -newkey rsa:4096 -keyout ssl_key.pem -out ssl_cert.pem -days 365 -batch
$ ls ssl_cert.pem ssl_key.pem # make sure these files exist.

# Copy the client & server configuration.
$ cp $SAMPLE_SPHINX_CFG ./sphinx.cfg # see #devShell.shellHook

# Run the server
$ oracle # do not kill this process

CLI client setup

Set up the client in a new terminal.

# Install & activate all dependencies.
$ nix develop
# Go to the test folder.
$ cd ~/sphinx-test

# Generate the master key that is used to derive secrets. This key must be
# shared among clients.
$ sphinx init
$ ls ./datadir/masterkey

# Store credentials. You should see log output from the oracle server and the
# client should return a password.
# See https://github.com/stef/pwdsphinx#create-password for details.
$ printf 'm' | sphinx create user site uld 10 # "m" is the master password
<password>

# Retrieve credentials. Note that a wrong master password does not produce an
# error; it simply derives a different password.
$ printf 'm' | sphinx get user site
<password>
$ printf 'wrongmasterpassword' | sphinx get user site
<some-other-password>

Android client setup

Connect your phone to the development machine and make sure the 'Developer options' are enabled.

Open a 3rd terminal.

# Install & activate all dependencies.
$ nix develop
# Go to the test folder.
$ cd ~/sphinx-test

# Check that your phone is accessible.
$ adb devices

# Install the custom SSL certificate (adb push needs an absolute remote path).
$ adb push ssl_cert.pem /mnt/sdcard/ssl_cert.pem # or wherever else you can upload to the phone

# In your phone, open Settings -> Security -> "Install [certificates] from
# device memory/SD card" (or similar) -> Choose the certificate file and install
# it.

# Install the app. (The 'uninstall' command will fail the first time, of
# course, since nothing is installed yet.)
$ ls $DEBUG_APK # see #devShell.shellHook
$ adb uninstall org.hsbp.androsphinx ; adb install $DEBUG_APK

# At this point, you can unplug the phone. Make sure it is connected to the
# local network instead. Also, get the dev machine's IP address.
$ ip a
$ export IP_ADDR=X.X.X.X # 192.168....

# Launch the androsphinx app on the phone, press the 'Settings' icon and press 'Scan from
# QR code'. Generate the QR code on the dev machine (make sure $IP_ADDR is set).
$ (printf '\x01' ; cat ./datadir/masterkey ; printf '\x09\x33%s' "$IP_ADDR") | qrencode -8 -t ANSI256
# (Now scan the generated code with the phone.)
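The shell pipeline above concatenates four fields into the QR payload without any delimiters: a flag byte, the master key, two fixed bytes and the server address. The following Python snippet is an added example, not code from this repository or from pwdsphinx or androsphinx; it builds the same payload and parses a scanned one back into its fields so that a bad key length, an unexpected flag byte or a malformed address is caught before the phone is pointed at the wrong oracle. It assumes the master key written by sphinx init is 32 bytes, that 0x01 marks "master key follows", and that 0x09 0x33 is the oracle port as a big-endian 16-bit integer (0x0933 = 2355); none of these interpretations is stated on this page.

```python
import ipaddress
import struct

# Assumed layout of the androsphinx configuration QR payload, inferred from the
# shell pipeline in this README:
#   1 byte   flag (0x01 in the README; assumed to mean "master key follows")
#   32 bytes master key (./datadir/masterkey; the 32-byte length is an assumption)
#   2 bytes  big-endian port (0x09 0x33 = 2355; assumed to be the oracle's port)
#   rest     server host/IP as ASCII text ($IP_ADDR in the README)
FLAG_MASTERKEY = 0x01
MASTERKEY_LEN = 32
HEADER = struct.Struct(">B%dsH" % MASTERKEY_LEN)  # flag, key, port -> 35 bytes


def build_qr_payload(masterkey: bytes, host: str, port: int = 0x0933) -> bytes:
    """Produce the bytes that the README pipes into qrencode."""
    if len(masterkey) != MASTERKEY_LEN:
        raise ValueError("master key must be %d bytes, got %d" % (MASTERKEY_LEN, len(masterkey)))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    ipaddress.ip_address(host)  # raises ValueError on a malformed address
    return HEADER.pack(FLAG_MASTERKEY, masterkey, port) + host.encode("ascii")


def parse_qr_payload(payload: bytes):
    """Split a scanned payload into (masterkey, host, port), validating each field."""
    if len(payload) <= HEADER.size:
        raise ValueError("payload too short: no host address after the header")
    flag, masterkey, port = HEADER.unpack_from(payload)
    if flag != FLAG_MASTERKEY:
        raise ValueError("unexpected flag byte 0x%02x" % flag)
    if port == 0:
        raise ValueError("port must be non-zero")
    host = payload[HEADER.size:].decode("ascii")
    ipaddress.ip_address(host)  # reject garbage or truncated addresses
    return masterkey, host, port


if __name__ == "__main__":
    # Constructed sample input: a dummy 32-byte key and a private LAN address.
    demo_key = bytes(range(MASTERKEY_LEN))
    payload = build_qr_payload(demo_key, "192.168.1.10")
    print(payload.hex())
    print(parse_qr_payload(payload))
```

To compare against the real pipeline, run the README's subshell with the output redirected to a file instead of qrencode and feed the file's bytes to parse_qr_payload; the returned host and port should be the values you exported.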

The phone is now configured correctly. Make sure the server process (oracle) is running. Use the app's search form to search for "site". You should see a log statement from the sphinx server as well as the entry "user" on the phone. Try copying the password to the clipboard by using the master password from above. You should receive the same password as the CLI client.

See also
