SCPS (Secure Cloud Password Splitter)
Overview
SCPS is a password manager that eliminates the problem of the user keeping track of their encryption password. The user's encryption password is generated by and stored through secret sharing amongst the user's cloud storage accounts (Dropbox, Google Drive, OneDrive, Box). The database containing their passwords is then stored in the cloud on 2 services (for backup purposes). The user interface of SCPS is in the form of a Google Chrome Extension.
Details
User authentication
Authentication to the cloud storage services will be done through their Javascript APIs. It will be left up to the user to determine how often they want to be logged out (e.g. once every 24 hours, once a week, upon Chrome restart, etc.). When the user is logged out and needs to log in, the authentication process for all of the cloud storage services is done as seamlessly as possible, by redirecting the user directly from each cloud storage service's log in page to the next. This is done using the redirect URI's that need to be provided to each of the cloud storage services upon successful authentication. The user needs to successfully authenticate at least t cloud storage services, where t is the threshold used in the secret sharing scheme (next section). Below is an overview of how this works:
Make one redirect page for everything - user never stays on this page (always immediately redirected)
User presses "log in", which takes them to the redirect uri which is one big control flow:
start with successful = 0, increment each time an auth is successful
if got here from login, redirect immediately to dropbox auth flow
if got here from dropbox, redirect immediately to gdrive auth flow
if got here from gdrive, redirect immediately to box auth flow
if got here from box, redirect immediately to onedrive auth flow
if got here from onedrive
if successful >= t, redirect to user's home page
else redirect to page that says "sorry, in order to use SCPS you need to
successfully authenticate at least %d cloud storage services", t
Secret sharing scheme
The secret sharing scheme used by SCPS to divide the encryption key amongst the cloud storage services is Shamir's threshold secret sharing. This is a (t,n)-threshold scheme, where n is the number of cloud storage services (4) and t is the minimum number of them needed to successfully reconstruct the secret. The idea is to divide the encryption key into n pieces such that knowledge of t or more pieces makes the key easily computable, and knowledge of any t-1 or fewer pieces leaves the key completely undetermined. The idea behind Shamir's secret sharing is to construct a (t-1)-degree polynomial of the form f(x)=a0+a1x+a2x^2+...+a(t-1)x^(t-1), where a0 is the original key, with the other coefficients being random. Then, a prime p is chosen that is bigger than n and every coefficient. Points are then chosen to be (x, f(x) (mod p)) for x = 1,...,n, and the points are distributed amongst the cloud storage services. The polynomial can then by reconstructed with any t of the points using Lagrange basis polynomials (since t points are sufficient to determine a (t-1)-degree polynomial). Once the polynomial is reconstructed, the coefficient a0 represents the encryption key. This is all done using an open source (released under the MIT license) API, secrets.js (https://github.com/amper5and/secrets.js).
Generating key and encrypting password database
The first step is to generate the 256 bit encryption key with
var key = secrets.random(256);
Next, when a user adds or updates passwords, the new password database is encrypted with AES encryption using the key. The SCPS extension uses the CpryptoJS library (https://code.google.com/p/crypto-js/), which makes AES encyption as simple as
CryptoJS.AES.encrypt(message, key);
Storage of key and password database
The key is split and distributed amongst the user's authenticated cloud storage services using Shamir's secret sharing as described above. The encrypted password database is then stored on Dropbox and Google Drive for backup.
Retrieval of key and password database
First, the shares from at least t cloud storage services must be retrieved, and the polynomial reconstructed to obtain the original encryption key. Next, the password database is retrieved from Dropbox (or Google Drive in the event that Dropbox is down), and decrypted using
CryptoJS.AES.decrypt(encryptedMessage, key);
Usage
Add a constants.js file to the js directory containing constants such as DROPBOX_KEY, BOX_CLIENT_ID, BOX_CLIENT_SECRET, BOX_REDIRECT_URI
Contact
Katelyn Lesse
This project is licensed under the terms of the MIT license.