PHPCRED-11: Double Blind Encryption

Issue Information

Issue Type: New Feature
 
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PHPCredlocker (PHPCRED)
Resolution: Won't Fix (2019-09-09 15:51:09)
Target version: 1.25,
Components: Crypto , Storage , Double-Blind Storage ,

Created: 2013-12-07 00:34:18
Time Spent Working


Description
Would like to add the ability to do a final encryption/decryption run in the browser if the user has stored the pass as 'double-blind'.

So when adding a credential, the user has the option of setting a decryption password (which will never be passed to the browser).

To make sure we don't get any funny behaviour from special characters, it'll probably be wise to manipulate the input password in javascript (perhaps base64 encode it?) before using it as a key.

Will need warnings to warn the user that if they forget the password, the credentials will be irretrievable.


Issue Links

relates to PHPCRED-18: Partially incorrect blind password doesn't raise an error
relates to PHPCRED-19: When decryption fails, the cred sits at 'Retrieving'

Subtasks

PHPCRED-20: Consider improvements to Double-Blind encryption
PHPCRED-21: Disable Plugins when Password is double-blind
Toggle State Changes

Activity


2013-12-07 14:27:42
btasker changed status from 'Open' to 'In Progress'

2013-12-07 14:27:57
Have added an indicator to the DB in V1.15

2013-12-07 14:51:52
Commit b5f9219 (branch PHPCRED11) starts building the JS framework.

API response needs to include the content of the Double-blind indicator (idx 6 in the response), and still need to adjust the add creds form so the setting can be enabled on a per-credential basis.

Commit f78334b sets the minimum pass length to 6 - once testing complete will raise this.

2013-12-08 14:12:20
Commit 3f9461e adds a check to ensure the string has decrypted correctly (i.e. that the correct decryption pass has been provided).

When encrypted, the pass is submitted as


1|..|(base64 encoded ciphertext)


When decrypting, we check that the first element of the array (generated by splitting on |..|) == 1

2013-12-08 15:10:02
The password is being blind encrypted, but the system isn't setting the blind indicator. Decryption is also failing when indicator is set manually

2013-12-08 15:47:20
Had forgotten to update the view on the dev site. Indicator now set correctly, however, the address always returns false when decrypting.

2013-12-08 15:49:06
It's because the address is always embedded within plaintext HTML. Best bet is going to be to exclude the address from double-blind for now

2013-12-08 15:53:25
Merged PHPCRED-11 into Dev and deleted feature branch as basic functionality is now working

2013-12-08 15:56:22
Raised PHPCRED-18 to deal with issues resulting from a partially incorrect password.

2013-12-08 16:11:22
All alerts are currently JS based, some probably need to be changed to update within the DOM rather than triggering a JS alert.

2013-12-08 16:34:34
btasker added '1.25' to Fix Version

2013-12-08 16:34:34
btasker removed '1.5' from Fix Version

2019-09-09 15:51:09
Bulk Closing as Won't Fix.

Credlocker is EOL so no further work will be done.

2019-09-09 15:51:09
btasker changed status from 'In Progress' to 'Closed'

2019-09-09 15:51:09
btasker added 'Won't Fix' to resolution