[dev] security guidance

From: <petern_AT_riseup.net>
Date: Mon, 05 Mar 2018 02:06:32 -0800

Hello,

this mail won't be related to any suckless projects, I am looking for
some guidance/tips. If this isn't a good place for such requests I can
take a hint.

Since I stumbled upon suckless.org (2-3 weeks ago) I switched to dwm and st,
read the philosophy and many other pages, browsed through some source
code, looked up plan 9 in a bit more detail than before, read about 9P,
the list could go on for a while, you get the idea. I'm not a C
programmer but decided it's time to try and write something useful.
Thinking about a good project brought me to password stores. I never
liked (or trusted) these big fluffy UI-driven password solutions (god
forbid if they offer cloud syncing and such), so I always stuck with
pass whenever possible. The only thing I dislike about it is
piggybacking on gpg, which is big and scary for people who don't use it
on a daily basis and from my own experience hard to understand and set
up.

Contemplating what a pass-like password manager needs to do, making
it as simple as possible, there are possibly 3 commands needed:
- init - one-time initialization of the password store, key generation, ...
- set - encrypt a password
- get - decrypt a password

The second piece would be a daemon (agent) that caches the master
password like gpg-agent or ssh-agent does. I don't want to focus on this
piece until the first one is polished.

Trying my hands on putting this together got me this far:
https://gitlab.com/xificurC/heslo

If you bore with me this far (pardon the longer introduction) I can
finally ask for some guidance: encryption isn't a topic to be taken
lightly and I wouldn't like to rely on tips from random people on the
internet. Storing passwords requires 1 encryption/decryption algorithm.
Which one to choose? I would like to rely on libc only and am naively
thinking an encryption/decryption algorithm could be easily copied into
the current source code.

If anyone finds it fun to look through some newcomer-level source code
to give pointers on what should be changed or pinpoint bugs/issues with
the code I'd be thrilled.

Thanks in advance and reminding once again - if this is inappropriate
for this mailing list just say the word. I'm just looking for guidance
from people who value simplicity and have experience.

-- 
------------
  Peter Nagy
------------
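To illustrate the set/get design asked about above, here is an added example (not code from the heslo repository or from the poster) of what a single stored entry needs beyond the cipher itself: a random salt with a slow key derivation, a fresh nonce per entry, and an authentication tag checked before decryption. The `heslo1` format tag, the field sizes and the iteration count are assumptions; the HMAC-based keystream stands in for a vetted library cipher because the Python standard library ships no AEAD.

```python
import hashlib
import hmac
import os

MAGIC = b"heslo1"                      # constructed format tag, not the project's own
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN
ITERATIONS = 200_000                   # assumed cost; scrypt/argon2 would be preferable

def derive_keys(master, salt):
    # A slow KDF turns a low-entropy master password into two independent keys
    # (one for encryption, one for authentication) so neither leaks the other.
    k = hashlib.pbkdf2_hmac("sha256", master, salt, ITERATIONS, dklen=64)
    return k[:32], k[32:]

def keystream(key, nonce, length):
    # HMAC-SHA256 used as a PRF in counter mode; a library AEAD (e.g. a secretbox
    # construction) replaces keystream() plus the MAC below in a real tool.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]

def set_entry(master, password):
    # Fresh salt and nonce per entry: identical passwords never produce identical blobs.
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    ek, mk = derive_keys(master, salt)
    ct = bytes(a ^ b for a, b in zip(password, keystream(ek, nonce, len(password))))
    body = MAGIC + salt + nonce + ct
    tag = hmac.new(mk, body, hashlib.sha256).digest()   # encrypt-then-MAC over everything
    return body + tag

def get_entry(master, blob):
    """Return the plaintext, or None for a wrong master password or a tampered blob."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = body[len(MAGIC) + SALT_LEN:HEADER_LEN]
    ek, mk = derive_keys(master, salt)
    # Constant-time tag comparison before any ciphertext is touched: a wrong
    # password and a modified file are both rejected the same way.
    if not hmac.compare_digest(hmac.new(mk, body, hashlib.sha256).digest(), tag):
        return None
    ct = body[HEADER_LEN:]
    return bytes(a ^ b for a, b in zip(ct, keystream(ek, nonce, len(ct))))
```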
Received on Mon Mar 05 2018 - 11:06:32 CET

This archive was generated by hypermail 2.3.0 : Mon Mar 05 2018 - 11:12:23 CET