CryptoVault — A Secure App for Password Management.
Abstract:
Secure password management has become a key part of everybody's day-to-day life. With the increase in internet use, each individual has an average of 20 online accounts on various sites, and remembering a different password for each account without some trick is nearly impossible. So a user either reuses the same password for multiple accounts, or saves the separate passwords for different accounts in a diary or a digital file. It is also very common for a user to have a short password of length 8 with no special symbol, uppercase letter or digit. Such passwords can be cracked within seconds.
If a user uses the same password for multiple accounts, then once an attacker obtains the password from one account, the attacker can easily log in to the other accounts. Many fake websites give tempting offers so that the user creates an account on those websites and enters that same password. Such websites are made specifically to collect passwords, which are then sold publicly. Even if a site is legitimate, we cannot know the mechanism by which the website saves passwords; some websites save passwords in plain text form, which is highly vulnerable to brute-force attacks.
So it is required that a user have a password of at least length 12, containing special symbols, uppercase characters, digits and lowercase characters, and a different password for each account. This is where CryptoVault comes in: it generates strong passwords and securely stores them in encrypted form. CryptoVault uses security mechanisms such as biometric authentication (fingerprint). CryptoVault requires the user to remember only one master password, which must be strong enough; using that master password, the user can access all other passwords. The UI/UX of CryptoVault is very user friendly, and CryptoVault uses very strong cryptographic algorithms to save passwords.
Keywords: Cryptography, Bcrypt, AES256, Flutter, security principles
Introduction:
Password security has become a huge risk today. There are many websites that collect passwords and sell them publicly, and many trusted sites have been hacked and their users' passwords stolen. With advances in computation, attackers can crack easy 8-character passwords in a matter of seconds. Storing passwords in plain text form leaves them highly vulnerable to anyone who gains access.
Therefore, CryptoVault helps its users generate strong passwords and allows them to store a unique password for each site, with one master key to decrypt them. CryptoVault uses security mechanisms like fingerprint and face lock, which enhance security. Keeping user privacy in mind, CryptoVault saves all passwords in encrypted form on the user's local device, which also makes unauthorized access from the internet impossible.
Literature Survey:
There are several password management tools available on the internet, but most of them do not follow higher security standards like a strong master password, biometrics and face lock. Some apps that do support these are not free. Also, the UI/UX of all these apps is very complex, which makes it difficult for a normal user to use the app. Many of the apps do not offer web support, meaning that the user has to manually copy and paste a password from mobile to PC/laptop each time, which is very cumbersome.
Technology used:
Mobile App:
i. Flutter
ii. Provider (for central state management)
iii. Shared Preferences (to store basic details)
iv. Database: SQLite, Hive (to store data in encrypted form)
Server:
i. Spring Boot
ii. MySQL
Web App:
i. React
Workflow:
Mobile App:
Once the user is authenticated on the mobile device, he/she can access passwords and notes from it. The user can copy a password to the mobile's clipboard, and can create/update/delete passwords and notes after authentication.
Web App:
The workflow of the web app, including the frontend and backend server, is explained in the sequence diagram below.
In the connection establishment phase, an RSA keypair is generated locally on the user's mobile device as well as in the user's browser, and the user can verify both public keys using both apps. So once the public keys have been exchanged, the server cannot read the data present in the encrypted messages.
Data transfer uses authorization: the web app is only allowed to perform the activities which the mobile app has specified.
The data transfer is protected against attacks like CSRF and XSS. This is achieved using a secure cookie with SameSite settings; the Spring Security package helps to create a more secure app.
ER Diagram:
Conclusion:
As Privacy, Security and Simplicity are the three pillars of CryptoVault, CryptoVault brings a solution to secure password management by means of a mobile app with web support. Users only need to remember one master password, and with it they can access the uniquely and strongly generated passwords for each of their accounts through the mobile app as well as the web app.