Comments (5)
Storing in memory would seem to me to be a much better option.
Anyone using Firefox Sync (for example) for passwords already needs to type the master password when the browser restarts, and it is not that big of a deal, especially considering the security gain.
Overview
Well this idea would require the user to always enter their password in offline mode, but what if you encrypted the encryption key in chrome.storage with yet another key that was stored on your server. This way you wouldn't be storing their password or anything. In fact you could probably use hmac with a rotating secret also stored somewhere in chrome.storage so the keys in your db wouldn't directly decrypt anything either -- not sure that really adds any security though.
Use Cases
Bear in mind I haven't really gone over your architecture / work flows so I'm sure this will have to be modified some.
Initial login
- User supplies password and decrypts master pass successfully
- Client sends request-for-encryption-key message to the server along with client id (to allow various browsers/oses/etc to each independently encrypt their local encryption key)
- Server generates a random secure string
  - use securerandom to just generate a 256 char string or something
  - also generate a verification string
  - saves it in the database along with the account and client ids, and maybe a timestamp of when it was generated
  - the secure string and verification strings are sent back to the client
- Client stores the verification string in local storage
- Client generates their own secure string and stores it somewhere in storage
- Client uses hmac with the provided key from the server as the message and their privately stored secure string as the key to generate a new encryption key
- Encrypted key is encrypted with the key from the previous step and stored into storage
Browser startup -- decryption attempt
- Client recognizes that the encrypted key is stored locally
- Contacts server requesting the previously generated key for their client id and verification string
- Server looks up entries in db to find existing entry
  - No entry is found or verification string doesn't match:
    - Return no-key-found message to client
    - Client flushes the stored encrypted-encrypted-key, verification key, and hmac-key
    - Client performs steps in Initial login use case
  - Entry is found:
    - Server could do additional checking here like:
      - Maybe look for login country and only return if it's the same country they requested the enc key from initially
      - See if there is too much activity from that IP -- would have issues with corporations, proxies, public wifi, etc... maybe basic ip reputation from somebody like proofpoint or something would work? Probably more trouble than this is worth honestly. Maybe somebody has better ideas here.
      - Do some sort of timeout where the user is forced to re-enter password. Could be client specified option maybe? Also maybe have a way for the client to behind-the-scenes "renew" the password and refresh the expiration date?
      - Implement 2-factor auth at this stage if the user wants it
    - Any check from above fails:
      - Send message regarding why it failed
      - Client flushes the stored encrypted-encrypted-key, verification key, and hmac-key
      - Client displays "failure" to user and proceeds to Initial login use case
    - All checks passed
      - Send stored secure-string to client
      - Client looks up mac key in storage
      - hashes the received secure string with the locally stored secure string as the key
      - Decrypts the locally stored enc key and proceeds as normal
Other notes
I suppose in theory you could provide the user with a Warning! Danger! option where you could still store the encryption key locally so offline mode would work... how much rope do you want to give them exactly?
Might be worth it to store where the decryption asks come from as well so if you eventually detect some suspicious behavior from ip x you can just invalidate anything that they touched and/or contact the users with a warning.
I just typed this out without giving it too much thought and given the sensitive nature of the subject should definitely be given some more serious thought.
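The "Initial login" and "Browser startup" flows from the comment above, as an added sketch that is not part of the thread and not Bitwarden code. Assumptions: a `Map` and a plain object stand in for the server database and chrome.storage, 32 random bytes replace the "256 char string", AES-256-GCM is the wrapping cipher, and every function name is hypothetical.

```javascript
const nodeCrypto = require('crypto');

// Constructed stand-ins (assumptions): server DB and the client's chrome.storage.
const serverDb = new Map();   // clientId -> { secret, verifier }
const localStore = {};        // verifier, hmacKey, wrapped

// Wrapping key = HMAC(key = client-held secret, message = server-held secret).
function wrappingKey(serverSecret, hmacKey) {
  return nodeCrypto.createHmac('sha256', hmacKey).update(serverSecret).digest();
}

// "Initial login": runs after the master password has produced vaultKey.
function enroll(clientId, vaultKey) {
  const rec = { secret: nodeCrypto.randomBytes(32), verifier: nodeCrypto.randomBytes(32) };
  serverDb.set(clientId, rec);                 // server side
  localStore.verifier = rec.verifier;          // client side from here on
  localStore.hmacKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const key = wrappingKey(rec.secret, localStore.hmacKey);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(vaultKey), c.final()]);
  localStore.wrapped = { iv, ct, tag: c.getAuthTag() };
}

// Server side of "Browser startup": release the secret only for a matching verifier.
function serverRelease(clientId, verifier) {
  const rec = serverDb.get(clientId);
  if (!rec || rec.verifier.length !== verifier.length ||
      !nodeCrypto.timingSafeEqual(rec.verifier, verifier)) return null; // no-key-found
  return rec.secret;
}

// Client side of "Browser startup": returns the vault key, or null after flushing.
function unlockOnStartup(clientId) {
  if (!localStore.wrapped) return null;
  try {
    const secret = serverRelease(clientId, localStore.verifier);
    if (!secret) throw new Error('no-key-found');
    const { iv, ct, tag } = localStore.wrapped;
    const key = wrappingKey(secret, localStore.hmacKey);
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]);
  } catch (e) {
    // Flush all three items so the user falls back to the master password.
    delete localStore.wrapped; delete localStore.verifier; delete localStore.hmacKey;
    return null;
  }
}
```

Deleting the server record (or a verifier mismatch) leaves the locally stored blob undecryptable, which is what makes the server-side checks listed in the comment enforceable.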
This is just a general observation, but: no password manager that I have used has a UX that allows unchallenged access to encrypted content after a fresh start of the app. I like this, because it means if I quit the app, I don't have to stop and think about if I locked it or not.
So, when I read:
One option would be not to store the key at all, keeping it only in memory, however, that would require the user to re-enter their master password every time their browser was restarted.
The immediate thought in my head is that this sounds like a feature, not a regression. I would actually like to be able to enforce this behavior even if the tab so much as closes.
Adding in the option for not storing the encryption key should be pretty easy to implement. I'll look into prioritizing this and creating a formal issue for it.
This has now been resolved with the new "lock options" feature of v1.2.0. Setting the lock options to anything other than "Never" will result in your encryption key only being held in memory of the browser session. It will no longer write to disk using chrome.storage.
Also note that when your extension is in a locked state (signified by the red lock on the bitwarden extension icon) the encryption key is also purged from memory (which is why you must enter in your master password again to unlock).
https://github.com/bitwarden/browser/releases/tag/v1.2.0