Is there a password manager API that I can connect my password manager to?

Is there a password manager API that allows me to drop in my own password storage system?

The current state of the art in password managers available today is to make use of some form of encryption. Unfortunately, encrypting one password under another is weak no matter how you try, and public key has been considered impractical because of the key distribution problem.

The solution that I have been working on for the past five years is to apply threshold cryptography, a form of public key cryptography in which private keys are split allowing creation of additional roles. This approach has recently gained wider attention in IETF/IRTF and at NIST.

To make use of public key cryptography we use a PKI. To make use of Threshold Cryptography, we need a Threshold Key Infrastructure which is what I have built - the Mathematical Mesh. The Mesh makes it really easy to provision and manage private keys, so easy that most users will never be aware that they are even doing it. All the user needs to do is perform a simple one time connection operation and all their devices are joined together to form their personal mesh. Data can then flow between the devices with true end to end security. A Mesh service cannot suffer a confidentiality breach unless AES256 or X448 are broken because Mesh services do not have any form of access to the plaintext.

One obvious application for the Mesh is to provide a true end-to-end secure password manager. Once Alice has connected her phone, desktop and tablet and uses a Mesh capable Web browser on each, she can start to use secure machine generated, 128 bit work factor passwords because she will never have to remember them or type them in. 

If a device is lost, it can be disabled without affecting any other device.

Unlike other password managers, the Mesh also supports PKI based alternatives. Every device that can access the password vault can also perform public key authentication. The Mesh also provides a second factor authentication system.

The code is all open source (C#), MIT license. Anyone can set up a Mesh service and Mesh users can change their service provider at any time with zero switching cost. The specs are all submitted as Internet Drafts. As a member of the original CERN team that designed the Web, I am replaying the same deployment strategy. The short-term objective is to produce a proof-of-concept demo, preferably as a browser extension, but failing that to produce a new browser distro that is a minimal extension of something else.

This is a platform play, the goal being to get the technology into every browser as part of the core.

0 Replies
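
The private-key splitting described in the post can be illustrated with a two-share additive split in a Diffie-Hellman group, where a device and a service each hold one share and neither can decrypt alone. This is an added example, not part of the original post or the Mesh code base; the toy group, the function names and the device/service division of shares are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group: integers mod the prime 2^255 - 19, so no library is needed.
# Illustration only: this is not X448 and the XOR pad is unauthenticated.
P = 2**255 - 19
G = 2
ORDER = P - 1  # exponents can be reduced mod P-1 (Fermat's little theorem)

def keygen():
    """Return (private scalar x, public key G^x)."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)

def split_key(x):
    """Split x additively: device_share + service_share = x (mod ORDER)."""
    device_share = secrets.randbelow(ORDER)
    return device_share, (x - device_share) % ORDER

def kdf(shared, n):
    """Derive n pad bytes from the agreed group element."""
    return hashlib.shake_256(shared.to_bytes(32, "big")).digest(n)

def encrypt(public, message):
    """Sender side: needs only the public key, never sees any share."""
    e = secrets.randbelow(ORDER - 1) + 1
    pad = kdf(pow(public, e, P), len(message))
    return pow(G, e, P), bytes(m ^ k for m, k in zip(message, pad))

def partial(share, ephemeral):
    """One holder's contribution, ephemeral^share; the share stays local."""
    return pow(ephemeral, share, P)

def decrypt(partials, ciphertext):
    """Multiply the contributions: E^s1 * E^s2 = E^(s1+s2) = E^x."""
    shared = 1
    for part in partials:
        shared = shared * part % P
    pad = kdf(shared, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, pad))

if __name__ == "__main__":
    msg = b"constructed sample vault entry"  # constructed sample input
    x, public = keygen()
    phone, service_for_phone = split_key(x)
    eph, ct = encrypt(public, msg)
    both = [partial(phone, eph), partial(service_for_phone, eph)]
    print(decrypt(both, ct) == msg)       # device + service together
    print(decrypt([both[1]], ct) == msg)  # service share alone
```

Under this assumed arrangement, each device gets its own split of the same key, so deleting the service's counterpart share for one device disables that device while the other devices' splits keep working.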