A couple of discussions from Cryptography Stack Exchange led to exploring cryptography. In addition, I ran into KeePass and 1Password's white paper and started coding for practice. The goal is to implement purely with Java crypto initially, then move to other libraries when I get a better understanding basic crypto.
This project is a crypto tool that uses public/private keys with an additional symmetric key for encryption and decryption. keevault is a standalone, Java thick-client that provides the UI for the user to encrypt/decrypt key-value model data. The encrypted payload along with the user's key set are stored locally in the user's home directory. All encryption and decryption occurs locally on the user's machine; therefore, the crypto for keevault does not address related risks with "across the wire" data transmission.
Keevault is a standalone, thick-client application that runs on the user's local machine. Application data is saved in $HOME/.keestore and includes:
logs- Application logskeevault_registration- User registration details that includes the crypto keys<uniqueid>file - The encrypted storage for data inputs into the UI (i.e.$HOME/.keestore/ce8d6e3b-7791-497d-9310-0dd94ee50ed6)
The user creates a "vault" which is just a basic bin for one or more key-value items that are saved encrypted. The user can create many vaults and each vault will have a unique identifier that is hidden from the user; therefore, a user can have a vault with the same name. However, vault items within a single vault must have a unique key.
Below are links to the built distributions in various formats (provided by Dropbox):
- Mac keevault-0.2.dmg
- Linux/Windows keevault-0.2.tar
- Linux/Windows keevault-0.2.zip
On the first run, the user will obtain an RSA key pair and a symmetric key. The current implementation uses RSA 2048 bit keys and AES128 with an 16-byte initializing vector. User keys are stored as a 'registration' json object in $HOME/.keestore/keevault_registration.
"publicKey":(encoded),
"privateKey":(encoded),
"secretKey":(encrypted via publicKey),
"salt":(random 8-byte salt)
"itemId":(unique registration identifier)
"itemName":"registration",
}
Encryption occurs on the user's key-value data models. The IV will be packaged/prepended to the encrypted data and this payload is the encrypted payload.
- Sign the original, unencrypted payload
- Encrypt the payload via the
secretKey - Encrypt
secretKeyvia thepublicKey - Create an encrypted datastore in json format
{
"signature":(encoded),
"payload":(encrypted),
"secretKey":(encrypted symmetric key),
"itemName":"encrypted",
"itemId":(unique identifier)
}
Decryption occurs on the local encrypted datastore and loaded into the UI. The IV is extracted from its expected location and used to obtain the decrypted payload.
- Decrypt
secretKeyusing the user'sprivateKey - Decrypt
payloadusing the decryptedsecretKey - Compare
signature
Gradle builds the application and uses the following plugins to build distributable artifacts.
- Gradle
distribution - Spring
spring-boot - crotwell MacApp Bundle
gradle clean build
Navigate to keevault/build/distributions where there will be the following files for running keevault in Mac/Unix/Windows environments:
dmgfile to install and run in Mac OSXtarfile packaged with the Unix and Windows runscripts along with all necessary dependencieszipfile which contains the same contents as thetarfile