Encryption

Warning

If you already use a sysPass version <= 2.0, it’s advisable to update to 2.1 version in order to use the new security improvements on the encryption mechanisms (CVE-2017-5999)

sysPass encryption is based on AES-256 in CTR mode by using the PHP OpenSSL module. It uses the Defuse/php-encryption library for the encryption modules and functions management.

The encrypted data (up to 2.0 version) are:

  • Accounts’ passwords
  • Custom fields data
  • sysPass XML format export

In order to use the application, for the first time, it will be needed to know either the master key or the temporary master key (see Temporary Master Key), because a Blowfish generated hash with a salt generated by using the MCRYPT_DEV_URANDOM random number generator, is the only saved. For the Blowfish hash generation a cost of 10 is used for the algorithm iterations

After log in with the master key, it’s stored in the user’s data. For its encrypted storage a password protected secure key is generated, by using the user’s password, login and a salt generated using openssl_random_pseudo_bytes that is stored in the sysPass configuration within the tag “passwordSalt”.

On the following logins the mater key is retrieved from the user’s data and decrypted by using the user’s password and login, besides the sysPass configuration salt. This key is stored in the user’s session by encrypting with a Blowfish generated key from the PHP session and the session start time in UNIX format.

Note

Session key is regenerated every 120 seconds.

When the master key is changed it will be requested to every user the new master key or a temporary master key (see Temporary Master Key).

If an user changes its login password, in the next login he will be requested for the previous password in order to get the master key. If the master key couldn’t be retrieved, it will be requested.

Temporary Master Key

A temporary master key could be generated to be used by the application users, so it won’t be needed to tell the real master key.

For the temporary master key generation the real master key is used by encrypting it within a secure key generated key by using openssl_random_pseudo_bytes, which Blowfish hash is stored in the database “config” table.

Note

For the temporary master key checking a Blowfish generated hash is the only used

PKI

In order to improve the security of the sent data, PKI is being used to encrypt the passwords that are being sent from the application forms.

The public and private keys are generated within the application “config” directory.

Diagrams

Login Process

@startuml

start

:Login;

:Get user data;

:Retrieve the encrypted master key;

note right
  Generated a secure key protected by a password using:
  password + login + hash
end note

if (Does it have the key saved?) then (Yes)
  :Decrypt the master key;
else (No)
  :Login;

  :Request master key;

  if (Is it a temporary master key?) then (Yes)
    :Verify;
  else (No)
    :Verify master key;
  endif
endif

:Encrypt and save in the user's session;

note right
  Generated a secure key protected by a password using:
  session_id + sid_start_time
end note

stop

@enduml

Master Key Process

@startuml

start

:New master key;

:Begin SQL transaction;

:Decrypt accounts
and encrypt them again;

:Decrypt accounts history
and encrypt them again;

:Decrypt custom fields
and encrypt them again;

if (Is there any error?) then (Yes)
  :Rollback transaction;

  :Display error and finalize;
else (No)
  :Finalize SQL transaction;

  :Generate a Blowfish hash an save it in the DB;

  note right
    Saved in the config table.
  end note

  :Update generation date in the DB;

  note right
   It forces to all users to change the master key
  end note

  :Send email;
endif
stop

@enduml

Temporary Master Key Process

@startuml

start

:Retrieve the master key from the session;

:Generate password protected key for
encrypting the master key;

note right
  Generated from a password using:
  random_hash + config_salt
end note

:Save encrypted in the DB;

note right
 Saved in the config table.
end note

:Generate a Blowfish hash and save it in the BD;

note right
 Saved in the config table.
end note

:Display the encryption key
in the current session;

note right
 It's deleted on log out
end note

:Send email;

stop

@enduml

PKI Process

@startuml

== Initialization ==
Client -> Server: Requests environment data within PKI
Server --> Client: Sends the public key

note right
  Key pairs (public and private)
  are created if not exists
end note

== Sending form data ==

Client -> Server: Sends password data encrypted

note left: Using public key within Javascript

Server --> Client: Decrypts the password, stores it and sends response

@enduml

Warning

Be aware that the highest security risk is in the users themselves, because a compromised password could cause a security leak.

A sysPass comprised server could be dangerous if the database is placed with the webserver, because the network data could be sniffed so the passwords would be revealed.