Tuesday, January 9th, 2007

PassPack and aSSL

Category: Security

Francesco Sullo’s day job is to work on PassPack, an online password manager.

PassPack is based on the Host-Proof Hosting Ajax Pattern.

How it works

PassPack uses a double access technique: User ID and Pass give a user access to her Account, while the Packing Key is needed to access the actual passwords. The “Pack” in PassPack comes from the bundle of locked up passwords inside the Account. PassPack checks the User ID and Pass at sign-in without exposing the passwords in the encrypted Pack.

Only the user can encrypt and decrypt the passwords in the browser with her Packing Key. The Packing Key never travels over the Internet. The encrypted Pack gets sent over SSL to the server for storage.



Francesco works on aSSL in his spare time, and has just released another new version with a JavaScript/ASP server-side component (PHP and others pending).

aSSL now works with the following process:

  • The browser calls the server to start the process.
  • The server returns its RSA modulus (i.e. the public key) and the public exponent (3 or 10001).
  • The browser generates a random 128-bit exchange key, encrypts it using the server's public key and passes the encrypted exchange key to the server.
  • The server receives this encrypted 128-bit exchange key, decrypts it with its private key and, if the result is ok, returns the session duration time.
  • The browser receives the session duration time and sets a timeout to keep the connection alive.

All subsequent client-server exchanges via aSSL are encrypted and decrypted using the AES Rijndael algorithm.

aSSL 1.2 uses Tom Wu’s BigIntegers and RSA in JavaScript to negotiate the secret 128-bit key and Chris Veness’s AES JavaScript implementation for the next exchanges.
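The handshake steps above, run end to end with both sides in one process (an added example, not aSSL's own code). Node's built-in crypto stands in for the libraries named in the post; OAEP padding, AES-128-GCM, reading the exponent 10001 as hex, the session id and the 600-second duration are assumptions of this example.

```javascript
const nodeCrypto = require('node:crypto');
const OAEP = nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING; // padding: example's choice

// Server: RSA key pair plus a table of per-session exchange keys.
function createServer(sessionSeconds = 600) { // 600 s is a constructed value
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048, publicExponent: 0x10001 });
  const sessions = new Map();
  return {
    // Step 2: return modulus (n) and public exponent (e), here as a JWK.
    hello: () => publicKey.export({ format: 'jwk' }),
    // Step 4: decrypt the exchange key, check it, return the session duration.
    acceptKey(sessionId, wrapped) {
      const key = nodeCrypto.privateDecrypt({ key: privateKey, padding: OAEP }, wrapped);
      if (key.length !== 16) throw new Error('exchange key is not 128 bits');
      sessions.set(sessionId, key);
      return sessionSeconds;
    },
    keyFor: (sessionId) => sessions.get(sessionId),
  };
}

// Browser side, steps 1, 3 and 5.
function clientHandshake(server, sessionId) {
  // The key arrives unauthenticated: nothing ties n and e to the real server,
  // which is the MiTM limitation the aSSL author points out in the comments.
  const serverKey = nodeCrypto.createPublicKey({ key: server.hello(), format: 'jwk' });
  const exchangeKey = nodeCrypto.randomBytes(16); // CSPRNG, 128 bits
  const wrapped = nodeCrypto.publicEncrypt({ key: serverKey, padding: OAEP }, exchangeKey);
  const ttl = server.acceptKey(sessionId, wrapped);
  return { exchangeKey, ttl }; // a browser would schedule its keep-alive inside ttl
}

// Later traffic: AES-128 under the exchange key (GCM mode is the example's choice).
function sealMsg(key, text) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-128-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function openMsg(key, msg) {
  const d = nodeCrypto.createDecipheriv('aes-128-gcm', key, msg.subarray(0, 12));
  d.setAuthTag(msg.subarray(12, 28));
  return Buffer.concat([d.update(msg.subarray(28)), d.final()]).toString('utf8');
}

function demo() {
  const server = createServer();
  const { exchangeKey, ttl } = clientHandshake(server, 'sess-1'); // constructed id
  const wire = sealMsg(exchangeKey, 'hello over aSSL');
  return { ttl, echoed: openMsg(server.keyFor('sess-1'), wire) };
}
```

Both ends derive the same AES key only because the client trusted whatever modulus it was handed, so the encryption protects against passive eavesdropping but not against a substituted key.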

Posted by Dion Almaer at 9:52 am




This is extremely cool, I’ve been waiting for something like this for a long time. I can’t wait to do away with SSL. Thanks for the link.

Comment by Jason Kolb — January 9, 2007

I’d like to underline that *PassPack uses standard SSL* and it is totally separated from aSSL. The unique connection between the two projects is that I work on both.

@Jason. Careful, aSSL is not a substitute for SSL, it only “raises the bar” for non-critical sites. aSSL is not currently safe from MiTM attacks. I’m studying a certification mechanism based on a network of public testimonial to (hopefully, someday) overcome this limitation, but it is far from happening. Please read the aSSL Security FAQ: http://assl.sullof.com/assl/securityfaq.asp

Comment by Francesco Sullo — January 9, 2007

The site is very nice. I really like the user interface, and the security mechanism is interesting. I don’t think I’ll use it though – I don’t trust my *REAL* passwords anywhere but in my brain (bank, for instance). For the passwords I don’t care that much about … well I don’t really care if I forget them I suppose. There’s always a ‘forgot pwd’ link – if there is no such link chances are the site sucks so bad I probably won’t have an account on it.
Just a personal opinion on online passwords – wish you the best, the site is great.

Comment by dude — January 9, 2007

You said: “The site is very nice. I really like the user interface”
And I say: “Thanks! Glad you like it.”
What can I do? I still get excited, to this day, when someone likes something I’ve built. :) Much appreciated.

Comment by Tara Kelly — January 9, 2007

Hi folks. I’m brand new to AJAX, and I’m not a developer… so why am I here? Well, I do IT Security consulting. It’s a huge field that you can’t possibly know everything about unless you’re Bruce Schneier (just kidding). While I haven’t done development myself in many years, I do a lot of architectural analysis in the name of security. I only recently heard the term AJAX. How far behind the curve does that make me? I’ve heard via CNET podcasts that AJAX has some serious cross-site scripting type vulnerabilities.

So, I have two comments. I’d be interested in finding some background articles on the essentials of AJAX that a security architect would need to know. I’d also like to hear some comments in reply to the vulnerability issues.

Thanks, and while I’m pretty new to posting on blogs, feel free to drop by my blog at http://www.securityviews.com and make some comments to get things rolling. (BTW – nice captcha technique for comment posting!)

Comment by Scott Wright — January 25, 2007

Yes, there has been quite a bit of buzz about XSS via Ajax. Essentially, it boils down to this: a poorly built website will be easily violated, a well built one will not – Ajax is irrelevant, what’s important is that it’s high quality. I took a look at your site, it seems you’ve already found Whitehat’s article “Myth Busting Ajax Insecurity”
This blog post, and subsequent comments, briefly describe PassPack’s security measures (in layman’s terms):

Comment by Tara — January 28, 2007
