[dev] securiy guidance

From: <petern_AT_riseup.net>
Date: Mon, 05 Mar 2018 02:06:32 -0800


this mail won't be related to any suckless projects, I am looking for
some guidance/tips. If this isn't a good place for such requests I can
take a hint.

Since I stumbled upon suckless.org (2-3 weeks) I switched to dwm and st,
read the philosophy and many other pages, browsed through some source
code, looked up plan 9 in a bit more detail than before, read about 9P,
the list could go on for a while, you get the idea. I'm not a C
programmer but decided it's time to try and write something useful.
Thinking about a good project brought me to password stores. I never
liked (or trusted) these big fluffy UI-driven password solutions (god
forbid if they offer cloud syncing and such), so I always sticked with
pass whenever possible. The only thing I dislike about it is
piggybacking on gpg, which is big and scary for people who don't use it
on a daily basis and from my own experience hard to understand and set

Contemplating on what a pass-like password manager needs to do, making
it as simple as possible, there's possibly 3 commands needed
- init - one-time initialization of the password store, key generation,
- set - encrypt a password
- get - decrypt a password

The second piece would be a daemon (agent) that caches the master
password like gpg-agent or ssh-agent does. I don't want to focus on this
piece until the first one is polished.

Trying my hands on putting this together got me this far:

If you bore with me this far (pardon for the longer introduction) I can
finally ask for some guidance: encryption isn't a topic to be taken
lightly and I wouldn't like to rely on tips from random people on the
internet. Storing passwords requires 1 encryption/decryption algorithm.
Which one to choose? I would like to rely on libc only and am naively
thinking an encryption/decryption algorithm could be easily copied into
the current source code.

If anyone finds it fun to look through some newcomer-level source code
to give pointers on what should be changed or pinpoint bugs/issues with
the code I'd be thrilled.

Thanks in advance and reminding once again - if this is inappropriate
for this mailing list just say the word. I'm just looking for guidance
from people who value simplicity and have experience.

  Peter Nagy
Received on Mon Mar 05 2018 - 11:06:32 CET

This archive was generated by hypermail 2.3.0 : Mon Mar 05 2018 - 11:12:23 CET