KPass is a web application for managing a password safe.
- Supports multiple users
- Supports multiple teams
- Supports HTTPS and HTTP/2
- Supports secret files (TODO)
- Share a secret with another user (TODO)
```sh
go get -u github.com/seccom/kpass
go get -u github.com/jteeuwen/go-bindata/...
cd $GOPATH/src/github.com/seccom/kpass
cd web
yarn install
cd -
make build
```
It builds three executables, for OS X, Windows and Linux, in the `./dist` directory.
```sh
./dist/kpass --help
./dist/kpass
```
Run without arguments, it starts with the default options, creates a `kpass.kdb` file and opens a browser.
Start development mode with an in-memory database:
```sh
make dev
```
It creates some demo data. You can find the encrypted secrets in the `kpass.kdb` file. It also serves `./web` as a static file server.
```sh
go install github.com/teambition/swaggo
go install github.com/teambition/gear/example/staticgo
make swagger
open http://petstore.swagger.io/?url=http://127.0.0.1:3000/swagger.json
```
```
globalHMACFn = (a, b) => HMAC(SHA256, a)(b)
globalAESKeyFn = (a, b) => base64Encode(globalHMACFn(a + b))
globalPBKDF2Fn = (data, iv) => PBKDF2(dbSalt, 12480, 64, HMAC(SHA512, iv))(data)
globalEncryptFn = (key, data) => {
  cipherData = AESCTR(globalHMACFn(key), IV(16), data)
  sum = HMAC(SHA1, cipherData)(data)
  return cipherData + sum
}
globalDecryptFn = reverse(globalEncryptFn)
```
UserCheckPass is used to verify the user:
```
UserPass = SHA256("someUserPassword")
data = globalHmac(UserID) + UserPass
iv = IV(8)
data = globalPBKDF2Fn(data, iv)
UserCheckPass = base64Encode(data + iv)
// Save UserCheckPass to the user model
```
UserAESKey is used to encrypt and decrypt the user's data:
```
UserAESKey = globalAESKeyFn(UserPass, UserCheckPass)
```
TeamCheckPass is used to generate the TeamKey:
```
TeamPass = SHA256(RandPass(20))
data = globalHmac(TeamID) + TeamPass
iv = IV(8)
data = globalPBKDF2Fn(data, iv)
TeamCheckPass = base64Encode(data + iv)
// Save TeamCheckPass to the team model
```
TeamAESKey is used to encrypt and decrypt the secret messages and files in a team's entries:
```
TeamAESKey = globalAESKeyFn(TeamPass, TeamCheckPass)
```
Every team member must be able to obtain TeamAESKey in order to encrypt and decrypt.
When a user logs in and creates a team:
```
CipherTeamPass = globalEncryptFn(UserAESKey, TeamPass)
// Save CipherTeamPass to the database with TeamID and UserID
```
When a user logs in and reads or writes the team's data:
```
UserAESKey = globalAESKeyFn(UserPass, UserCheckPass)
TeamPass = globalDecryptFn(UserAESKey, CipherTeamPass)
TeamAESKey = globalAESKeyFn(TeamPass, TeamCheckPass)
cipherData = globalEncryptFn(TeamAESKey, data)
data = globalDecryptFn(TeamAESKey, cipherData)
```
When user A logs in and invites another user B to the team:
```
UserAESKey_A = globalAESKeyFn(UserPass_A, UserCheckPass_A)
TeamPass = globalDecryptFn(UserAESKey_A, CipherTeamPass)
AESKey = globalAESKeyFn(UserCheckPass_A, UserCheckPass_B)
InviteCode = globalEncryptFn(AESKey, TeamPass)
// User A sends InviteCode to user B; user B logs in
UserAESKey_B = globalAESKeyFn(UserPass_B, UserCheckPass_B)
AESKey = globalAESKeyFn(UserCheckPass_A, UserCheckPass_B)
TeamPass = globalDecryptFn(AESKey, InviteCode)
// Check TeamPass against TeamCheckPass
CipherTeamPass = globalEncryptFn(UserAESKey_B, TeamPass)
// Save CipherTeamPass to the database with TeamID and UserID_B
```
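The envelope and key-wrapping steps above, written out in Go as an added example (not the project's own code): `globalHMACFn`, `globalAESKeyFn`, `globalEncryptFn` and `globalDecryptFn` follow the pseudocode, and the wrapped-TeamPass and InviteCode flows are simply those four functions applied to the same values. Two readings are assumptions: the one-argument `globalHMACFn(key)` inside `globalEncryptFn` is taken as HMAC-SHA256 keyed with `dbSalt`, and `globalAESKeyFn(a, b)` as HMAC-SHA256 keyed with `a` over `b`; the PBKDF2 check-pass derivation is left out, so the check-pass strings below are constructed stand-ins.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"hash"
)

var dbSalt = []byte("example-db-salt") // constructed stand-in for the server-side salt (assumption)
// mac is globalHMACFn generalised over the hash: HMAC keyed with key over data.
func mac(h func() hash.Hash, key, data []byte) []byte {
	m := hmac.New(h, key)
	m.Write(data)
	return m.Sum(nil)
}
// aesKeyFn is globalAESKeyFn, read as base64(HMAC-SHA256 keyed with a over b) (assumption).
func aesKeyFn(a, b []byte) []byte {
	return []byte(base64.StdEncoding.EncodeToString(mac(sha256.New, a, b)))
}
// ctr runs AES-256-CTR under HMAC(dbSalt, key); that key is always 32 bytes, so NewCipher cannot fail.
func ctr(key, iv, src []byte) []byte {
	block, _ := aes.NewCipher(mac(sha256.New, dbSalt, key))
	dst := make([]byte, len(src))
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
	return dst
}
// encryptFn is globalEncryptFn: IV(16) || CTR ciphertext || HMAC-SHA1 keyed with that cipherData over the plaintext.
func encryptFn(key, data []byte) []byte {
	cipherData := make([]byte, aes.BlockSize, aes.BlockSize+len(data)+sha1.Size)
	rand.Read(cipherData) // fills the IV; crypto/rand.Read never returns an error since Go 1.24
	cipherData = append(cipherData, ctr(key, cipherData[:aes.BlockSize], data)...)
	return append(cipherData, mac(sha1.New, cipherData, data)...)
}

// decryptFn is globalDecryptFn; the tag covers the plaintext, so it can only be checked (in constant time) after decrypting.
func decryptFn(key, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize+sha1.Size {
		return nil, errors.New("ciphertext too short")
	}
	cipherData, sum := blob[:len(blob)-sha1.Size], blob[len(blob)-sha1.Size:]
	data := ctr(key, cipherData[:aes.BlockSize], cipherData[aes.BlockSize:])
	if !hmac.Equal(mac(sha1.New, cipherData, data), sum) {
		return nil, errors.New("authentication failed")
	}
	return data, nil
}
```

Wrapping TeamPass for the creator is `encryptFn(aesKeyFn(UserPass, UserCheckPass), TeamPass)`, and the invite is `encryptFn(aesKeyFn(UserCheckPass_A, UserCheckPass_B), TeamPass)`; a wrong key or a modified ciphertext is rejected by the tag check rather than yielding garbage.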