##########################################################################################
PHPCRED-11: Double Blind Encryption
##########################################################################################

Issue Type: New Feature

-----------------------------------------------------------------------------------------
Issue Information
====================

Priority: Major
Status: Closed
Resolution: Won't Fix (2019-09-09 15:51:09)
Project: PHPCredlocker (PHPCRED)
Reported By: btasker
Assigned To: btasker

Components:
- Crypto
- Storage
- Double-Blind Storage

Targeted for fix in version:
- 1.25

Time Estimate: 0 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------
Issue Description
==================

Would like to add the ability to do a final encryption/decryption run in the browser if the user has stored the pass as 'double-blind'.

So when adding a credential, the user has the option of setting a decryption password (which will never be passed to the browser).

To make sure we don't get any funny behaviour from special characters, it'll probably be wise to manipulate the input password in javascript (perhaps base64 encode it?) before using it as a key.

Will need warnings to warn the user that if they forget the password, the credentials will be irretrievable.
-----------------------------------------------------------------------------------------
Issue Relations
================

- relates to PHPCRED-18: Partially incorrect blind password doesn't raise an error
- relates to PHPCRED-19: When decryption fails, the cred sits at 'Retrieving'

-----------------------------------------------------------------------------------------
Subtasks
==========

- PHPCRED-20: Consider improvements to Double-Blind encryption
- PHPCRED-21: Disable Plugins when Password is double-blind

-----------------------------------------------------------------------------------------
Activity
==========

-----------------------------------------------------------------------------------------
2013-12-07 14:27:42
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'In Progress'

-----------------------------------------------------------------------------------------
2013-12-07 14:27:57 btasker
-----------------------------------------------------------------------------------------

Have added an indicator to the DB in V1.15

-----------------------------------------------------------------------------------------
2013-12-07 14:51:52 btasker
-----------------------------------------------------------------------------------------

Commit b5f9219 (branch PHPCRED11) starts building the JS framework. API response needs to include the content of the Double-blind indicator (idx 6 in the response), and still need to adjust the add creds form so the setting can be enabled on a per-credential basis.

Commit f78334b sets the minimum pass length to 6 - once testing is complete, will raise this.

-----------------------------------------------------------------------------------------
2013-12-08 14:12:20 btasker
-----------------------------------------------------------------------------------------

Commit 3f9461e adds a check to ensure the string has decrypted correctly (i.e.
that the correct decryption pass has been provided).

When encrypted, the pass is submitted as

-- BEGIN QUOTE --
1|..|(base64 encoded ciphertext)
-- END QUOTE --

When decrypting, we check that the first element of the array (generated by splitting on |..|) == 1

-----------------------------------------------------------------------------------------
2013-12-08 15:10:02 btasker
-----------------------------------------------------------------------------------------

The password is being blind encrypted, but the system isn't setting the blind indicator.

Decryption is also failing when indicator is set manually

-----------------------------------------------------------------------------------------
2013-12-08 15:47:20 btasker
-----------------------------------------------------------------------------------------

Had forgotten to update the view on the dev site. Indicator now set correctly, however, the address always returns false when decrypting.

-----------------------------------------------------------------------------------------
2013-12-08 15:49:06 btasker
-----------------------------------------------------------------------------------------

It's because the address is always embedded within plaintext HTML. Best bet is going to be to exclude the address from double-blind for now

-----------------------------------------------------------------------------------------
2013-12-08 15:53:25 btasker
-----------------------------------------------------------------------------------------

Merged PHPCRED-11 into Dev and deleted feature branch as basic functionality is now working

-----------------------------------------------------------------------------------------
2013-12-08 15:56:22 btasker
-----------------------------------------------------------------------------------------

Raised PHPCRED-18 to deal with issues resulting from a partially incorrect password.
-----------------------------------------------------------------------------------------
2013-12-08 16:11:22 btasker
-----------------------------------------------------------------------------------------

All alerts are currently JS based, some probably need to be changed to update within the DOM rather than triggering a JS alert.

-----------------------------------------------------------------------------------------
2013-12-08 16:34:34
-----------------------------------------------------------------------------------------

btasker added '1.25' to Fix Version

-----------------------------------------------------------------------------------------
2013-12-08 16:34:34
-----------------------------------------------------------------------------------------

btasker removed '1.5' from Fix Version

-----------------------------------------------------------------------------------------
2019-09-09 15:51:09 btasker
-----------------------------------------------------------------------------------------

Bulk Closing as Won't Fix. Credlocker is EOL so no further work will be done.

-----------------------------------------------------------------------------------------
2019-09-09 15:51:09
-----------------------------------------------------------------------------------------

btasker changed status from 'In Progress' to 'Closed'

-----------------------------------------------------------------------------------------
2019-09-09 15:51:09
-----------------------------------------------------------------------------------------

btasker added 'Won't Fix' to resolution