(Legacy) KPassC Documentation

Document remains available for legacy users of KPassC

Introduction

KPassC is a free ware software application which offers security for end user credentials. The specialise software equips its end users to deploy cryptographic security over valuable contents such as workstation textual notes, account login credential information and also serves as a bookmarker to store universal resource identifiers (URIs) commonly abbreviated as URLs and/or web addresses.

Its aim is to simplify the use of cryptographic technology to secure information locally which is of frequent use, provide an interface where such information can be easily accessed and which encourages the use of multiple distinct passwords by remembering one strong password we denote as a master key.

This encourages end users to remember one password whilst using multiple distinct passwords for all web services and accounts they may use each day.

1.1 Motivation

Over half of everyday internet users in 2013 still use the same password for every account login and for security this poses a significant problem when this password exists within the wild. Ofcom, a UK communications watchdog described the issue as appalling (Naked Security, 2013). There are numerous articles which document the wide increase in cyber attacks taking place which is expected to continue as more and more communities adopt cyber infrastructure into their societies (Uk.reuters.com, 2014) (Theregister.co.uk, 2014). The growth of a digital economy which is replacing a traditional economy brings with it traditional risks. Risks such as theft which have always been a risk to society no doubt exist within digital economies, the protection from which resides solely upon security counter measures to protect account credentials.

An issue with the research performed by Ofcom to which 55% of internet consumers using the same password for multiple web accounts is that should one database which serves a web service be compromised, many distinct web services are at risk if a majority of the user base are using the same password on these other web services which are governed by their own distinct database.

It is not uncommon within the industry to hear of victims who had their email address compromised to suddenly find that many other accounts belonging to the same account holder were also compromised in the same attack. Should any account type be that of a financial account then the consequences can be severe in addition to a severe violation of a victims human rights.

1.2 Privacy and Encryption

Privacy is a corner stone of human rights legislation. It aids individuals in democratic states to go about their business without outside interference. Encryption in the digital age is unfortunately a necessity to safe guard this human right and prevents eavesdropping by competitors and others who pose a threat to the well-being of an individual or the success of a legitimate business, in the latter these are denoted as trade secrets which need be protected.

In business, one must safe guard their intellectual property against those who wish them economic harm. Likewise individuals have the right not to disclose every minute detail of themselves to others without their consent.

Those who oppose the right to privacy with the argument "nothing to hide, nothing to worry about" are the reason why true democratic states uphold the right to privacy and the reason it was included in human rights legislation, article 8. We only have to look back at history post WW2 to acknowledge why hence the drafting of the human rights act which includes privacy as a vital necessity for citizens to protect themselves from third party interference; the same reason mail is addressed to its owners and protected by democratic law.

1.3 Benefits

KPassC allows you to manage credentials locally and optionally offers a cloud facility for those who require it. Note that cloud support is optional and support within the client allows you to develop your own as detailed in section 2 should you require this functionality.

Alternative solutions use commercialised database systems to manage many users thus your information is subject to being sold to third parties in addition to them monitoring your use of the web with browser plug-ins. With KPassC you are free of all these concerns since you are given the client to use on your own computer governed by your own security solution.

KPassC is a software application which does not interface with your web browser. Thus you have total control over your data without the use of complex routines, database administration or invasive browser add-ons.

2 KPassC

KPassC is a cross-platform software application that can be run on Microsoft Windows and Linux operating systems. It comes equipped with an effective graphical user interface which is user friendly to manage any credentials which will eventually populate the data structure.

The search bar facilitates filtering numerous entries should you ever get to the stage where you possess many hundreds of items thus you can obtain specific items quickly by providing title specific keywords and the filter also checks for the existent of sub strings within titles. Consideration into the software engineering and time complexity of data structure design has been tested robustly to ensure speed is never an issue once size() runs into the tens of thousands.

The search takes place in real time thus just type to begin a filtered search and remove the terms to remove the filter or alternatively click the corresponding brush metaphor button situated to the right of the search bar. Entries may also be filtered by one of the many folders you are able to create and these are visible in the left column widget on the main interface which may be selected by the mouse.

Should items ever need be located which possess a specific email address then special filters have been implemented which allow you to delimit these entries. To search for all login accounts with a specific email address, you may use the form in the search bar:

email:name@domain.ext

Which will yield a results list of ALL accounts which have an email address field value equal to the input: name@domain.ext

You may wish to locate clear-text in an encrypted note, to do this you may use the form:

intext:clear text expected in any encrypted note item

Which will yield a results list of encrypted text messages where the textual expression is evident in its clear-text.

2.1 Eavesdropping and Idle Computers

Items within KPassC are only decoded when needed thus the data structure resides in memory in an encrypted state thus no other process on the same computer can eavesdrop on their contents from within memory.

Should a computer be left unattended, KPassC periodically locks itself into the system tray after 3 minutes of in-activity thus will require the input of the cipher key to unlock. If the key given is incorrect, the clear-text value of item contents will not be decipherable thus leaving your computer to sit idle will not inherit a threat since the software will automatically lock itself away from harms reach.

Passwords are always masked by default when selecting a login type item from the client software. You may unmask the password field by clicking the asterisk metaphor button or simple click the copy button which will place the password into clipboard memory. After a short duration, this clipboard memory will be restored to its prior contents. This can be ideal should you be using KpassC in the presence of others since the password field will need not be visible on screen.

2.2 Data Format and Export Support

You may review the data structure data by clicking the Tools menu and selecting Local Cache and choosing Export from the sub menu. By observing this data dump, it will appear as a meaningless data dump to inexperienced users.

This data is simply a base64 dump. You may use a base64 decoder to revert this base64 encoding to a decipherable clear-text. On a Linux terminal you may use the form:

base64 -d data_dump.xml > decoded_clear_text.txt

… where data_dump.xml is the base64 encoding and decoded_clear_text.txt is the decoded clear text for further examination.

Within the decoded_clear_text.txt, you will see on the second line a unique string beginning with the sub string <kpassc. Within this sub string exist three useful attributes which mean the following:

updateTime The unix time of the last data change within the data structure
genTime The unix time equal to the time when the data was generated
datumCount The number of item entries within the entire data structure

Next in the data dump are a series of folder strings, one equal to one folder thus the number of folder lines is equal to the number of folders defined within the client. From this point forth all attribute values are encoded in base64. Decoding these singleton encodings within the attribute quotations will reveal cipher texts.

Beware that you cannot decode the cipher text without a functional copy of the LDCa algorithm, a correct alphabet pre-set and a unique key which inherits the correct mathematical properties used to encode an initial clear-text to produce the evidential cipher texts.

Following all lines beginning with the sub string <folder will follow all item entries beginning with the sub string <datum.

Note that all time stamps within the XML data dump use Unix time and are relative to UTC time coordinated.

2.3 Autonomous Data Dispatching

Familiar users will have noticed the cloud detail dialogue which exists to support synchronisation of the data structure in real time should the feature be needed.

The software utilises a TCP/IP socket where if the details are fulfilled in this dialogue, a synchronisation process will take place every 3 minutes. This is incredibly valuable if you find yourself working on many distinct operating systems or computers. You may rely upon this robustly tested feature to safely and securely transit your ciphers to all clients with the correct synchronisation details.

You will see that it is possible for an entry programmer to create their own cloud facility to a remote database lookup utility by creating a simplistic daemon which can read and write data onto the endpoint of the client TCP/IP socket.

The default values kpc://nullox.kpassc and port 80/443, you may change them to fit your needs. Whilst in production, you are strongly encouraged to adopt SSL for your business thus use port 443 which will invoke a secure socket to handle data exchange.

The bottom right area of the toolbar displays the time since the last synchronisation operation took place. The timing of this operation cannot be changed albeit we may introduce a setting in the future to facilitate timing change. In our testing we have found 3 minutes to be ideal even when ciphers are shared amongst many members working within the same organisation which need coordinate real-time sensitive data IO.

Upon a synchronisation operation, a HTTPS POST takes place where the data is posted to a remote web service. REST parameters are of the form:

FIELD VALUE
EMAILADDR_S Email Address
PASSWD Password
DATAXML Encrypted Data Structure

As mentioned in section 2.3, an updateTime attribute exists in the XML data which stores a Unix time stamp equal to the last data change made to the data structure model within the client. You may use this metric to determine whether the HTTP POST warrants a READ or WRITE operation upon a remote database.

It is wise not to modify the contents of the $_POST['DATAXML'] on either a READ or WRITE operation since its contents is checked by the client to determine whether the data format is verifiable and secondly whether the internal data structure within the client is to be updated with the returned data by the web service.

Reference(s)

  1. Naked Security, (2013). 55% of net users use the same password for most, if not all, websites. When will they learn?
  2. Theregister.co.uk, (2014). Freenode IRC users told to change passwords after securo-breach.
  3. Theregister.co.uk, (2014). Leak of '5 MEELLLION Gmail passwords' creates security flap.
  4. Uk.reuters.com, (2014). EBay asks 145 million users to change passwords after cyber attack




© Nullox 2019