Comments (7)
Wife's computer or more of your computers should be fairly easy: just grab Dropbox or any similar service, since the unencrypted data are never committed to the filesystem. Unless I can't read source code, that is.
Library computer is worse. I like your idea in general, though I'm not sure how good AES in JavaScript would be. It also seems kind of redundant -- you are already using SSL to protect yourself from network sniffing (and you presumably have your server's fingerprint on a paper with you). It makes sense, however, if you really don't want to have both data and key on any computer for a long time.
Another way would be to use one-time passwords -- generate asymmetrically encrypted data and use an OTP to access it (through SSL and HTTP basic auth), and when your session is done, press a button that makes the switch to the next OTP. That requires the remote computer to have the data in plain, however.
from kip.
The idea of doing part of the decryption on the server (AES) is that it should defeat any browser caching / logging. If it's just in HTML the browser might write the page to the disk - browsers cache HTTPS content just like HTTP content.
I love the idea of one-time passwords. Maybe a combination of a passphrase and a one-time PIN code. "Web-based methods" here looks possible: http://en.wikipedia.org/wiki/One-time_password#Web-based_methods
Cherokee admin is using a one-time password to secure the admin.
As a side note, there is an attempt to write a GPG client in JS: https://github.com/GPGTools/Mobile
(Replying by email to Graham King's comment of Fri, Mar 30, 2012 at 7:31 PM, quoted above.)
Another option is, at the web cafe, download putty.exe, ssh to your server, and just run kip (with --print option) there.
(some time later, having thought about it)... but then the web cafe (which we assume is running a key logger) has your ssh password. Double plus bad.
Some thoughts:
- The encrypted kip files themselves do not need protecting. The only thing to protect is your passphrase. We can put encrypted files on a public web server. The secret key should be kept secret, but it's CAST5 encrypted with a hash of your passphrase, so actually it's safe too.
- Decrypting GPG files in javascript would be a lot of work. You have to first do radix-64 to go from ascii to binary, then you have to AES decrypt, and finally you have to unzip. I for one am not excited about doing that type of thing in Javascript.
- I couldn't find any windows programs to do the decryption, that you don't need to install. For example putty.exe you download and run. GPG4Win and 7-zip (which does AES) and so on, you need install permissions. And this wouldn't cover iPad / Mac anyway.
- I would love to find a Javascript file that could decrypt something that GPG can make. Any algorithm would do. Then the preparation is kip just decrypts everything with your secret key, re-encrypts it with a "travel" key you choose, and you copy the files to your web server, along with some javascript for the decryption.
- Failing that I think we have to do server-side decryption and transmit the password in the clear (over SSL). You were going to copy that password and type it right into gmail's login box anyway, so we're not adding any risk. We would definitely need one-time passwords, otherwise a key logger would give someone access to all your passwords, not just the gmail one you wanted.
It sounds like javascript encryption doesn't add much security over SSL, like wrb mentioned. See Javascript Cryptography Considered Harmful. We can set headers to ask the browser not to cache the page.
Interesting discussion about key loggers at security.stackexchange.com. In short if you can't trust the client (web cafe machine), you shouldn't log in.
That said, there seem to be two ways to have secure login from an untrusted computer:
- Two-factor authentication. Combining "something you know", which is your passphrase, with "something you own", usually a physical security token, such as a SecurID. The Yubikey looks cool, but it requires USB port access and, well, I don't think we can expect people to buy a device to use kip.
- One time passwords. This is great, but I can't think of a way to manage it. You can't memorise them all.
- Do you print out a big list and carry it around with you? That works for a short time, like a vacation, but not for random access on my wife's computer.
- Do you use sentences from a book, like in a spy novel? You would only need to capture a couple of sentences for Google to find the matching book.
Unless we can come up with an elegant way of making one-time passwords, I think we should drop the requirement to be secure on an insecure client (web cafe), and focus on allowing access on a trusted machine (wife's laptop, friends house) which doesn't have kip / gpg on it. That's a much simpler scenario. As long as we're over SSL, we can ask for the secret key's passphrase.
GPG allows you to change your passphrase without changing your secret key, the passphrase just encrypts your secret key.
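The one-time-password scheme argued over in the comments above (a printed list of codes you carry, each usable once, combined with a passphrase, and a server that never lets the browser cache the decrypted entry) can be built from the standard library alone. The following is an added example, not kip's own code and not a design the project adopted. It assumes a Python web front-end sitting in front of the encrypted kip files, uses RFC 4226 HOTP (HMAC-SHA1, 6 digits) so that the printed list is derived from one secret rather than stored, and uses the RFC 4226 test secret plus a constructed passphrase purely for the demo. Class and function names (`OtpGate`, `serve_password`, `printable_list`) are my own.

```python
"""Passphrase + one-time code gate for a web front-end over encrypted entries.

Added example, not kip's code. Scheme:
  - server keeps an OTP secret and a counter of the next unused code;
  - the user prints `printable_list()` before a trip and crosses codes off;
  - login needs the passphrase (something you know) AND the next unused
    code (something you have); a key-logged code cannot be replayed;
  - the decrypted entry is only ever sent with no-store cache headers.
"""
import hashlib
import hmac
import secrets
import struct

# RFC 4226 test-vector secret (ASCII "12345678901234567890"), demo only.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def printable_list(secret: bytes, start: int, count: int) -> list:
    """The list you print and carry: (index, code) pairs, crossed off as used."""
    return [(i, hotp(secret, i)) for i in range(start, start + count)]


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server never stores the passphrase itself."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


class OtpGate:
    """Server-side state: OTP secret, next expected counter, salted
    passphrase hash, and a failure counter for lockout (6-digit codes with
    a look-ahead window are guessable online without one)."""

    def __init__(self, otp_secret: bytes, passphrase: str,
                 look_ahead: int = 5, max_failures: int = 5):
        self.otp_secret = otp_secret
        self.counter = 0                    # index of the next unused code
        self.look_ahead = look_ahead
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_passphrase(passphrase, self.salt)
        self.failures = 0
        self.max_failures = max_failures

    def login(self, passphrase: str, code: str) -> bool:
        if self.failures >= self.max_failures:
            return False                    # locked out
        pw_ok = hmac.compare_digest(
            hash_passphrase(passphrase, self.salt), self.pw_hash)
        # Search a small window so a code lost or skipped on the printed
        # list still works. A match burns that code and every earlier one,
        # so a code captured by a key logger is dead after first use.
        otp_index = None
        for i in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.otp_secret, i), code):
                otp_index = i
        if pw_ok and otp_index is not None:
            self.counter = otp_index + 1
            self.failures = 0
            return True
        self.failures += 1                  # counter untouched: nothing burned
        return False


# Ask the browser (and any proxy) not to write the response to disk.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
    ("Content-Type", "text/plain; charset=utf-8"),
]


def serve_password(gate: OtpGate, passphrase: str, code: str, plaintext: str):
    """Handler body: returns (status, headers, body). `plaintext` stands for
    the entry decrypted server-side; it is only sent after a valid login."""
    if not gate.login(passphrase, code):
        return ("403 Forbidden", NO_STORE_HEADERS, "login failed\n")
    return ("200 OK", NO_STORE_HEADERS, plaintext + "\n")


if __name__ == "__main__":
    gate = OtpGate(DEMO_SECRET, "correct horse")       # constructed passphrase
    for idx, c in printable_list(DEMO_SECRET, 0, 5):   # what you would print
        print(f"{idx:3d}  {c}")
    print(serve_password(gate, "correct horse", "755224", "gmail: hunter2"))
    print(serve_password(gate, "correct horse", "755224", "gmail: hunter2"))  # replay
```

The example does not change the conclusion reached in the thread: on a key-logged machine the passphrase is still captured, so the passphrase must never unlock anything on its own, and the OTP secret and passphrase used for travel should be separate from the GPG key's passphrase. What it does buy is that each logged code is worthless after one use, and that the browser is told not to keep the decrypted entry on disk.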
Pull request in #11