Encryption
Warning
If you already use a sysPass version <= 2.0, it is advisable to update to version 2.1 in order to use the new security improvements to the encryption mechanisms (CVE-2017-5999).
sysPass encryption is based on AES-256 in CTR mode, using the PHP OpenSSL module. It uses the Defuse/php-encryption library to manage the encryption modules and functions.
The encrypted data (up to version 2.0) are:
- Accounts’ passwords
- Custom fields data
- sysPass XML format export
To use the application for the first time, you need to know either the master key or the temporary master key (see Temporary Master Key), because the only thing saved is a Blowfish-generated hash with a salt generated by the MCRYPT_DEV_URANDOM random number generator. A cost of 10 is used for the algorithm iterations when generating the Blowfish hash.
After logging in with the master key, it is stored in the user's data. For its encrypted storage, a password-protected secure key is generated from the user's password, login and a salt generated using openssl_random_pseudo_bytes, which is stored in the sysPass configuration within the tag "passwordSalt".
On subsequent logins the master key is retrieved from the user's data and decrypted using the user's password and login, together with the sysPass configuration salt. This key is stored in the user's session, encrypted with a Blowfish-generated key from the PHP session and the session start time in UNIX format.
Note
The session key is regenerated every 120 seconds.
When the master key is changed, every user will be asked for the new master key or a temporary master key (see Temporary Master Key).
If a user changes their login password, at the next login they will be asked for the previous password in order to retrieve the master key. If the master key cannot be retrieved, it will be requested.
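The storage scheme described above, as an added sketch that is not sysPass code and not from the original page. It uses PHP built-ins in place of the Defuse/php-encryption library; the function names, the PBKDF2 key derivation with its iteration count, the encrypt-then-MAC layout and the sample values are assumptions.

```php
<?php
// Added illustration, not sysPass code: function names, PBKDF2 parameters and
// sample values are assumptions. sysPass delegates encryption to Defuse/php-encryption.

// Only a bcrypt ("Blowfish") hash of the master key is kept, with cost 10.
function hashMasterKey(string $masterKey): string {
    return password_hash($masterKey, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Derive separate encryption and MAC keys from password, login and config salt.
function deriveUserKeys(string $password, string $login, string $salt): array {
    $okm = hash_pbkdf2('sha256', $password . "\0" . $login, $salt, 100000, 64, true);
    return [substr($okm, 0, 32), substr($okm, 32)];
}

// AES-256-CTR with encrypt-then-MAC; the blob is iv || ciphertext || tag.
function sealMasterKey(string $masterKey, array $keys): string {
    [$encKey, $macKey] = $keys;
    $iv = random_bytes(16);
    $ct = openssl_encrypt($masterKey, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    return $iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true);
}

// Returns the master key, or null when the tag does not verify (wrong password or login).
function openMasterKey(string $blob, array $keys): ?string {
    [$encKey, $macKey] = $keys;
    if (strlen($blob) < 48) {
        return null;
    }
    $iv  = substr($blob, 0, 16);
    $ct  = substr($blob, 16, -32);
    $tag = substr($blob, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Constructed sample values.
$masterKey = 'example-master-key';
$salt      = random_bytes(32);          // stands in for the "passwordSalt" value
$stored    = hashMasterKey($masterKey); // the only form of the master key kept for checking
$blob      = sealMasterKey($masterKey, deriveUserKeys('old-pass', 'alice', $salt));

var_dump(password_verify($masterKey, $stored)); // first-use check against the hash
var_dump(openMasterKey($blob, deriveUserKeys('old-pass', 'alice', $salt)) === $masterKey);
// After a password change the new password no longer opens the blob.
var_dump(openMasterKey($blob, deriveUserKeys('new-pass', 'alice', $salt)));
```

Because the per-user key depends on the login password, a blob sealed under the old password cannot be opened with the new one, which is why the previous password is requested at the next login.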
Temporary Master Key
A temporary master key can be generated for the application users, so that the real master key does not need to be disclosed.
To generate the temporary master key, the real master key is encrypted with a secure key generated using openssl_random_pseudo_bytes, whose Blowfish hash is stored in the database "config" table.
Note
Only a Blowfish-generated hash is used to check the temporary master key.
PKI
In order to improve the security of the data sent, PKI is used to encrypt the passwords that are sent from the application forms.
The public and private keys are generated within the application “config” directory.
Diagrams
Login Process
Master Key Process
Temporary Master Key Process
PKI Process
Warning
Be aware that the highest security risk is in the users themselves, because a compromised password could cause a security leak.
A compromised sysPass server could be dangerous if the database is placed with the web server, because the network data could be sniffed and the passwords revealed.