Keys of Peace
Never lose your passwords. Keys of Peace will give you free access to your passwords even from public computers and portable devices. Keep your secrets at keysofpeace.com
Principles of Keys of Peace operation were introduced at the first time here (russian). Here is their overall results.
- Account — a combination of URL, login and password for some site.
- Password — account's password.
- Master-password — password which user uses to login to Keys of Peace.
- Salt — random string for master-password hashing.
- Master-salt — salt used every time user logins to generate master-hash.
Assume that Alice wants to register at Bob's Keys of Peace server.
- Alice invents her master-password, generates master-salt and sends to Bob email, master-salt and master-hash where
master_hash = hash(master_password, master_salt)
- Bob just saves at DB email, master-salt and master-hash.
Alice should use trusted connection for registration, cause if Mallory knows master-hash, he can login any time he want, but he can't read Alice's accounts.
Alice have arrived to Bahamas for vacation and she wants to login at her photosharing service to publish some photos. She uses Keys of Peace to keep passwords. What will she do to get her accounts?
- Alice sends her email to Bob.
- Bob generates one-time salt and saves it at Alice's session, gets Alice's master-salt from DB and sends to Alice master-salt and one-time salt.
- Alice sends to Bob master-salt and one-time salt (to prove completion of steps 1 and 2), email and
hash(master_hash, one_time_salt)where master-hash was gotten this way (because Alice doesn't remembers it):
master_hash = hash(master_password, master_salt).
- Bob checks master-salt and one-time salt given by Alice and generates
hash(master_hash, one_time_salt)to check does Alice have master-password. If login was failed, Bob responds with 401 (Unauthorized) status code, otherwise he marks Alice's session ID as authenticated and sends her ciphered accounts and accounts' salt.
- Alice decodes accounts' JSON:
accounts = decipher(ciphered_accounts, hash(master_password, accounts_salt)).
If Mallory has sniffed Alice's master-hash while registration, he can login and get ciphered accounts, but he can't decipher the accounts, because he still doesn't know master-password.
If Mallory listens Alice during authentication, he can't login by themselves, because Bob'll use another one-time salt next time.
Assume that after login at Keys of Peace Alice has registered at some rental service and wants to save her automatically generated 20-letters password at Keys of Peace.
- Alice generates new accounts' salt and sends to Bob accounts' salt and
cipher(accounts, hash(master_password, accounts_salt)).
We are using PBKDF2 (1000 times SHA-256) for hashing and AES-256 for ciphering.
All requirements except Compass and Django will be installed automatically.
To install Compass follow instructions here.
If Django and Compass are installed, this will download, compile CSS and install the rest of requirements in your environment:
$ pip install -e git+git://github.com/quasiyoke/keys_of_peace.git#egg=keys_of_peace
This installs Keys of Peace in “editable mode” — at current directory.
Execute this to compile SASS files:
$ python setup.py build_css
Running The Site
To run Keys of Peace after described installation, execute:
$ cd src/keys_of_peace $ python manage.py runserver
After that you may go to http://127.0.0.1:8000 and observe the site running on your machine.
To launch Keys of Peace tests, execute:
$ cd src/keys_of_peace $ python manage.py test keys_of_peace.tests