(Legacy) KPassC Documentation
Document remains available for legacy users of KPassC
KPassC is a freeware software application which offers security for end user credentials. The specialised software equips its end users to deploy cryptographic security over valuable content such as workstation textual notes and account login credentials, and it also serves as a bookmarker to store Uniform Resource Identifiers (URIs), commonly referred to as URLs or web addresses.
Its aim is to simplify the use of cryptographic technology to secure frequently used information locally, to provide an interface where such information can be accessed easily, and to encourage the use of multiple distinct passwords by requiring the user to remember only one strong password, which we denote the master key.
The end user thus remembers one password whilst using distinct passwords for every web service and account they use each day.
Over half of everyday internet users in 2013 still used the same password for every account login; this poses a significant security problem once that password exists in the wild. Ofcom, the UK communications watchdog, described the issue as appalling (Naked Security, 2013). Numerous articles document the wide increase in cyber attacks, which is expected to continue as more and more communities adopt cyber infrastructure into their societies (Uk.reuters.com, 2014) (Theregister.co.uk, 2014).
The growth of a digital economy which is replacing the traditional economy brings with it traditional risks. Risks such as theft, which have always threatened society, no doubt exist within digital economies, and protection from them rests solely upon the security counter measures that protect account credentials.
An issue raised by the research performed by Ofcom, in which 55% of internet consumers used the same password for multiple web accounts, is that should one database serving a web service be compromised, many distinct web services are at risk, since a majority of the user base use the same password on these other web services, each governed by its own distinct database.
It is not uncommon within the industry to hear of victims whose email account was compromised who suddenly find that many other accounts belonging to them were also compromised in the same attack. Should any of these be a financial account, the consequences can be severe, in addition to being a severe violation of the victim's human rights.
1.2 Privacy and Encryption
Privacy is a cornerstone of human rights legislation. It aids individuals in democratic states to go about their business without outside interference. Encryption in the digital age is unfortunately a necessity to safeguard this human right; it prevents eavesdropping by competitors and others who pose a threat to the well-being of an individual or the success of a legitimate business. In the latter case these are denoted trade secrets, which need be
In business, one must safeguard their intellectual property against those who wish them economic harm. Likewise, individuals have the right not to disclose every minute detail of themselves to others without their consent.
Those who oppose the right to privacy with the argument "nothing to hide, nothing to worry about" are the reason why true democratic states uphold the right to privacy and the reason it was included in human rights legislation, Article 8. We need only look back at post-WW2 history to acknowledge why, hence the drafting of the Human Rights Act, which includes privacy as a vital necessity for citizens to protect themselves from third-party interference; for the same reason, mail is addressed to its owner and protected by democratic law.
KPassC allows you to manage credentials locally and optionally offers a cloud facility for those who require it. Note that cloud support is optional, and support within the client allows you to develop your own, as detailed in section 2, should you require this.
Alternative solutions use commercialised database systems to manage many users; thus your information is subject to being sold to third parties, in addition to their monitoring your use of the web with browser plug-ins. With KPassC you are free of all these concerns, since you are given the client to use on your own computer, governed by your own security solution.
KPassC is a software application which does not interface with your web browser. Thus you have total control over your data without complex routines, database administration or invasive browser add-ons.
KPassC is a cross-platform software application that runs on Microsoft Windows and Linux operating systems. It comes equipped with an effective, user-friendly graphical user interface for managing the credentials which will eventually populate the data structure.
The search bar facilitates filtering numerous entries should you ever reach the stage where you possess many hundreds of items; you can obtain specific items quickly by providing title-specific keywords, and the filter also checks for the existence of substrings within titles. The software engineering and time complexity of the data structure design have been tested robustly to ensure speed is never an issue once size() runs into the tens of thousands.
The search takes place in real time: just type to begin a filtered search and remove the terms to remove the filter, or alternatively click the brush button situated to the right of the search bar. Entries may also be filtered by one of the many folders you are able to create; these are visible in the left column widget on the main interface and may be selected with the mouse.
Should you ever need to locate items which possess a specific email address, special filters have been implemented which allow you to delimit these entries. To search for all login accounts with a specific email address, you may use the form in the search bar:
which will yield a results list of ALL accounts whose email address field value equals the input: email@example.com
You may wish to locate clear-text in an encrypted note; to do this you may use the form:
which will yield a results list of encrypted text messages where the textual expression is evident in their clear-text.
2.1 Eavesdropping and Idle Computers
Items within KPassC are only decoded when needed; thus the data structure resides in memory in an encrypted state, and no other process on the same computer can eavesdrop on their contents from within memory.
Should a computer be left unattended, KPassC locks itself into the system tray after 3 minutes of inactivity and will then require the input of the cipher key to unlock. If the key given is incorrect, the clear-text value of item contents will not be decipherable; thus leaving your computer to sit idle does not present a threat, since the software automatically locks itself away from harm's reach.
Passwords are always masked by default when selecting a login type item in the client software. You may unmask the password field by clicking the asterisk button, or simply click the copy button, which places the password into clipboard memory. After a short duration, the clipboard is restored to its prior contents. This is ideal should you be using KPassC in the presence of others, since the password field need not be visible on screen.
2.2 Data Format and Export Support
You may review the data structure by clicking the Tools menu, selecting Local Cache and choosing Export from the sub-menu. To inexperienced users this data dump will appear meaningless.
This data is simply a base64 dump. You may use a base64 decoder to revert this encoding to decipherable clear-text. On a Linux terminal you may use the form:
… where data_dump.xml is the base64 encoding and decoded_clear_text.txt is the decoded clear text for further examination.
Within decoded_clear_text.txt you will see on the second line a unique string beginning with the substring <kpassc. Within this substring exist three useful attributes, which mean the following:
|Attribute|Meaning|
|---|---|
|updateTime|The Unix time of the last data change within the data structure|
|genTime|The Unix time at which the data dump was generated|
|datumCount|The number of item entries within the entire data structure|
Next in the data dump are a series of folder strings, one per folder; thus the number of folder lines equals the number of folders defined within the client. From this point forth all attribute values are encoded in base64. Decoding these singleton encodings within the attribute quotation marks will reveal cipher texts.
Beware that you cannot decode the cipher text without a functional copy of the LDCa algorithm, the correct alphabet pre-set and the unique key, which must have the mathematical properties used to encode the initial clear-text into the cipher texts in evidence.
All lines beginning with the substring <folder are followed by the item entries, which begin with the substring <datum.
Note that all time stamps within the XML data dump use Unix time and are relative to UTC (Coordinated Universal Time).
2.3 Autonomous Data Dispatching
Familiar users will have noticed the cloud details dialogue, which exists to support synchronisation of the data structure in real time should the feature be needed.
The software utilises a TCP/IP socket; if the details are fulfilled in this dialogue, a synchronisation process will take place every 3 minutes. This is incredibly valuable if you find yourself working on many distinct operating systems or computers. You may rely upon this robustly tested feature to safely and securely transmit your ciphers to all clients with the correct synchronisation details.
You will see that it is possible for an entry-level programmer to create their own cloud facility backed by a remote database lookup utility, by writing a simple daemon which can read and write data at the endpoint of the client's TCP/IP socket.
The default values are kpc://nullox.kpassc and port 80/443; you may change them to fit your needs. In production you are strongly encouraged to adopt SSL for your business, thus use port 443, which will invoke a secure socket to handle the data exchange.
The bottom right area of the toolbar displays the time since the last synchronisation operation took place. The timing of this operation cannot be changed, albeit we may introduce a setting in the future to facilitate changing it. In our testing we have found 3 minutes to be ideal, even when ciphers are shared amongst many members working within the same organisation who need to coordinate real-time sensitive data IO.
Upon a synchronisation operation, an HTTPS POST takes place where the data is posted to a remote web service. REST parameters are of the form:
|Parameter|Value|
|---|---|
|DATAXML|Encrypted data structure|
As mentioned in section 2.2, an updateTime attribute exists in the XML data which stores a Unix time stamp equal to the last data change made to the data structure model within the client. You may use this metric to determine whether the HTTP POST warrants a READ or a WRITE operation upon the remote database.
It is wise not to modify the contents of $_POST['DATAXML'] on either a READ or a WRITE operation, since its contents are checked by the client to determine, first, whether the data format is verifiable and, secondly, whether the internal data structure within the client is to be updated with the data returned by the web service.
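The inspection of the data dump in section 2.2 and the updateTime-based READ/WRITE decision of section 2.3, carried through as an added Python example that is not part of KPassC or its documentation: it builds a constructed dump in the documented shape, validates the <kpassc> header, and decides how a web service should answer one synchronisation POST. The <folder>/<datum> attribute names, the placeholder cipher-text values and the "newer updateTime wins, ties READ" rule are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def make_dump(update_time, gen_time, folders, datums):
    """CONSTRUCTED dump in the shape section 2.2 describes: XML declaration,
    <kpassc> header on line two, one <folder> line per folder, one <datum>
    line per item, every attribute value base64-encoded, then the whole
    document base64-encoded again. Attribute names "name", "title", "value"
    are assumptions; the values stand in for LDCa cipher text."""
    lines = ['<?xml version="1.0"?>',
             f'<kpassc updateTime="{update_time}" genTime="{gen_time}" '
             f'datumCount="{len(datums)}">']
    lines += [f'<folder name="{_b64(f)}"/>' for f in folders]
    lines += [f'<datum title="{_b64(t)}" value="{_b64(v)}"/>' for t, v in datums]
    lines.append('</kpassc>')
    return base64.b64encode("\n".join(lines).encode()).decode()

def parse_dump(b64_dump):
    """Strip the outer base64 layer and read the <kpassc> header, checking
    that datumCount agrees with the number of <datum> entries."""
    root = ET.fromstring(base64.b64decode(b64_dump))
    if root.tag != "kpassc":
        raise ValueError("not a KPassC data dump")
    datums = root.findall("datum")
    if len(datums) != int(root.get("datumCount")):
        raise ValueError("datumCount does not match the <datum> entries")
    return {"updateTime": int(root.get("updateTime")),
            "genTime": int(root.get("genTime")),
            "datumCount": len(datums),
            "folders": len(root.findall("folder"))}

def handle_post(posted_dataxml, stored_dataxml):
    """Server-side decision for one sync POST (section 2.3): returns (operation,
    DATAXML to answer with), passing the payload through unmodified as the manual
    requires. 'Newer updateTime wins, ties READ' is this example's assumption."""
    if stored_dataxml is None:
        return "WRITE", posted_dataxml      # nothing stored yet: take the client's copy
    posted, stored = parse_dump(posted_dataxml), parse_dump(stored_dataxml)
    if posted["updateTime"] > stored["updateTime"]:
        return "WRITE", posted_dataxml      # client is newer: persist its copy
    return "READ", stored_dataxml           # server copy is current: client updates

# Constructed sample dumps: an older client copy and a newer one.
OLDER = make_dump(1400000000, 1399990000, ["Email"], [("CT-A", "CT-B")])
NEWER = make_dump(1400000600, 1399990000, ["Email", "Banking"],
                  [("CT-A", "CT-B"), ("CT-C", "CT-D")])
```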
- Naked Security (2013). 55% of net users use the same password for most, if not all, websites. When will they learn?
- Theregister.co.uk (2014). Freenode IRC users told to change passwords after securo-breach.
- Theregister.co.uk (2014). Leak of '5 MEELLLION Gmail passwords' creates security flap.
- Uk.reuters.com (2014). EBay asks 145 million users to change passwords after cyber attack.