What I would like to do is create a small client/server web application that will store all usernames, passwords, urls and the type. The type would be email/instant messenger/website etc. I'd also like to build in support for categories.
So this is a fairly simple application. What I would like some help with from the community is nailing down the security aspect.
In my case the database would reside on my local machine so I'm not incredibly worried about security. But if I or someone else decided to throw a version onto a server I'd like to keep the passwords secure even over an unencrypted connection by never sending them over the wire in plain text.
I believe this can be accomplished with Javascript. Basically it would work like this..
Saving a password:
- User enters in a master encryption key. (Master password or phrase)
- User enters username, password, url and selects a category
- User presses submit button to save data which fires a javascript event
- Javascript code encrypts the password using the encryption key
- Javascript code base64's the encrypted password to prevent sending of binary data
- Javascript code creates a 1 way hash of the encryption key, possibly using a salt
- Form is submitted to the server
- Server verifies that the encryption key hash matches what was posted, in order to prevent lost passwords from mistyped encryption keys.
- Server saves all data. The encrypted password will be saved in a text or blob field.
- User finds the account they need a password for and submits a password request.
- Server responds by sending the username, url and base64'd encrypted password
- User enters the master encryption key and presses submit
- Javascript uses the key to decrypt the password and updates the existing webpage.
I have an encryption function (RC4) that I posted below. If anyone has ideas or would like to help that would be great.
Code: Select all
function encrypt($pwd, $data) {
$pwd_length = strlen($pwd);
$x = $Zcrypt = $j = $a = null;
for ($i = 0; $i <= 255; $i++)
{
$key[$i] = ord(substr($pwd, ($i % $pwd_length)+1, 1));
$counter[$i] = $i;
}
for ($i = 0; $i <= 255; $i++)
{
$x = ($x + $counter[$i] + $key[$i]) % 256;
$temp_swap = $counter[$i];
$counter[$i] = $counter[$x];
$counter[$x] = $temp_swap;
}
for ($i = 0; $i < strlen($data); $i++)
{
$a = ($a + 1) % 256;
$j = ($j + $counter[$a]) % 256;
$temp = $counter[$a];
$counter[$a] = $counter[$j];
$counter[$j] = $temp;
$k = $counter[(($counter[$a] + $counter[$j]) % 256)];
$Zcipher = ord(substr($data, $i, 1)) ^ $k;
$Zcrypt .= chr($Zcipher);
}
return $Zcrypt;
}