Tuesday, January 9th, 2007
Francesco Sullo’s day job is to work on PassPack, an online password manager.
PassPack is based on the Host-Proof Hosting Ajax Pattern.
How it works
PassPack uses a double access technique: User ID and Pass give a user access to her Account, while the Packing Key is needed to access the actual passwords. The “Pack” in PassPack comes from the bundle of locked up passwords inside the Account. PassPack checks the User ID and Pass at sign-in without exposing the passwords in the encrypted Pack.
Only the user can encrypt and decrypt the passwords in the browser with her Packing Key. The Packing Key never travels over the Internet. The encrypted Pack gets sent over SSL to the server for storage.
aSSL now works with the following process:
- The browser calls the server to start the process.
- The server returns its RSA modulus and public exponent (3 or 10001, the latter being hex for 65537); together these form the server's public key.
- The browser generates a random 128-bit exchange key, encrypts it with the server's public key and passes the encrypted exchange key to the server.
- The server receives this encrypted 128-bit exchange key, decrypts it with its private key and, if the result is valid, returns the session duration time.
- The browser receives the session duration time and sets a timeout to keep the session alive.
All subsequent client-server exchanges via aSSL are encrypted and decrypted with the AES (Rijndael) algorithm under that exchange key.