A review for the online password manager Intuitive Password.

Disclosure: I was requested to look at Intuitive Password, I generally don’t look at online password managers due to a lack of self-interest in them, but I’d figure I’d give it a go if a reader suggests it.

Intuitive Password is a software as a service platform for storing and managing your passwords, similar to KeePass or PasswordState, but out on the internet where you don’t have to manage it and it’s nearly always available.

Registering

Registration page

Registration page is really straight forward, just one minor complaint, the “security question” is an open-ended free form text field. This leads to people putting in things like “how many cubes away from John am I?” (I have actually run into this one before), which after a few guesses you’re into their account. Though honestly this is less Intuitive’s fault and more of how security questions can be broken. Just make sure you pick a really solid security question.

Gmail used to do the same thing, now they have more secure password reset options (phone call, recovery e-mail, or a Google-enabled device).

Logging In

On-screen keyboard, an attempt to fool keyloggers.

One thing I noticed during the log-in process was a Javascript driven keyboard for password entry, on one hand this will fool a lot of keyloggers, on the other hand I have seen keyloggers that tracked enough to pull your password off of this (some take screenshots, others mouse positions on clicks). I couldn’t really imagine myself using it really.

Password Management

All that you’d really want.

Password management is really straight forward and like every other password manager, give it a title, set the password. These fields are driven by what category your password resides in.

Password ratings give a quick visual cue on your password’s security.

Organization

Password category management is nice.

The slick UI really helps with this, and the default layout shows that Intuitive Password isn’t just for logins, but any other encrypted information you want to keep. You can create additional custom categories, each with their own custom fields, leaving it up to you how much or how little you want to keep in here.

This software by default has security questions for general logins, domain/machine name, IP address, etc. for network logins. So a bit of thought was put into having a nice starting configuration for your categories.

Sharing

You can share individual passwords with other people, it’s as simple as inserting an e-mail address. Not exactly useful for larger teams without a lot of tedious work, but it’s good if you want to share a handful of passwords with another person.

Account Management

Account management is straight forward: ability to reset your password, your security question, set up two-factor authentication, pretty standard stuff. Biggest thing I like here is the display of the currently running version of the software. I always like to know when my SaaS platforms get updated (and push for this to be an option on projects I work on).

An interesting feature I’ve observed was login restriction by country, pretty cool little feature.

Additionally they do support the concept of downloading all of your passwords in case you want to move to another platform which is always an awesome option (may be required by law in Australia, not sure), and have the ability to download/restore your own backups in case you’re paranoid about Intuitive Password’s team to be able to do that.

UI/UX

Intuitive Password has a pretty slick UI, I like the look and feel. The only complaint I have is that the textured background that permeates through all UI elements can sometimes make certain letters not the easiest to read (only had that happen once on a specific field), but generally the chosen font size and style makes everything really clear.

As for UX design, everything is pretty accessible and intuitive (heh), the only feature that wasn’t immediately apparent was sharing passwords (I was always mentally driven to the “shared” tab to try to figure things out, not to the bottom of your currently selected password). The integrated help is unobtrusive and very informative and is available throughout the software.

Quick Login

This is similar to your auto-type you have on similar software, this only applies to web based software (so no auto-logging into your games). It consists of a bookmarklet that pulls scripts from Intuitive Password’s servers and will attempt to log you in.

If you attempt to quick login on to a page that Intuitive Password doesn’t know how to log into, it’ll ask you to train it to understand what the login process is. So instead of just jabbing at currently selected fields like KeePass does, it is actually somewhat aware of the website layout (though this wont work for those multi-step banking sites that have a massive amount of security theater going on).

Offline Storage

Offline storage is pretty cool, right now they only support sending you an HTML document with everything embedded. Your passwords sit in a base64 encrypted blob to be decrypted with an AES key derived from your offline password. They’re also looking at add Dropbox, Box, and OneDrive support in the future.

Mismatching password lengths.

One thing I thought was a problem but figured out it was a major benefit was this password screen. Here I’m trying to type a 32 character long password (longer than the 20 character limit), here they only truncate the confirmation password field. This prevents silent truncation of passwords, which is a major thing I complain about in my up and coming post about password security theater causing massive user experience issues.

I like these little details that prevent me from accidentally doing dumb things.

Online Storage

Well if I was to investigate how passwords are stored offline, it only made sense to figure out how passwords are being transmitted online. Due to offline storage I had a lot of hopes for this, until I ran across this:

Password being sent embedded in the JSON response.

I’m kind of surprised that with all the care passwords are given on client-side storage that the server still handles decrypting/encrypting your password for you, meaning a breach at the cloud provider can put your passwords at risk.

This is why I generally like the option like CrashPlan provides — a second password so that the Software-As-A-Service provider CAN’T decrypt it even if they wanted to. There are methods that involve using a single password where this method could be viable (use a derived key from your password to sign something to verify your login instead of sending it to the server, send encrypted data to client to be decrypted with derived key… something of the sort).

Master Password

They do have the ability for you to add additional security to your passwords, via a “master password”, this is still sent to the server and decrypted server side, it really just adds a layer for if someone gets your account password on your desktop.

Overall

Intuitive Password is a pretty slick product, if you’re not paranoid and don’t mind storing your passwords online (and the provider having access) I’d definitely recommend it. I’ve been recommended to eyeball LastPass being as they apparently handle online password transmission differently, so keep an eye out for that review too.

I’m going to dive right into writing a basic licensing system using strong established cryptographical signing processes to prevent tampering or the creation of a key generator. I’m going to digitally sign the plain-text license using OpenPGP’s private key, this will generate a human readable license file, but modifying the payload will cause an exception to be thrown and tampering detected.

Solutions

I’m going to go over the basic options available. There are many others and there are a lot of hybrids of these various types, but for a quick introduction to licensing options, this should get you up to speed.

No Licensing

Of course the option for no licensing is always available. This provides no protection against a user copying your application and giving it to another user. Sometimes the overhead of writing and maintaining licensing code may not be worth the effort.

Plaintext Keys

Plaintext keys store user information, dates, times and keys in various locations, such as files on the hard disk, registry keys or resource files. These are fairly trivial to change and circumvention information can be passed around by word of mouth. You can attempt to store keys in hidden places like some other software, but these can and likely will be tracked down, and depending on if your method is ethically unsound, can land you unfavorable opinion with your would-be customers.

These are very easy, and can be a preferred choice if you’re not concerned with someone attempting to crack your licensing code, but may want some features granted by having licensing support in your software.

Symmetrical Cryptography / Hash Verification

Both of these methods fall under the same pros/cons for the most part. Symmetrical keys will encrypt the entire license file and should use some sort of secure algorithm (ex: AES256) with a secret key. Hash verification may store the data encrypted or unencrypted, but will hash the key information either with a secret method or a secret salt and store that with the license file, where you can validate that it hasn’t been tampered with, tampered keys fail validation.

Both of these suffer from the same issue: the code to decrypt/hash and verify your license files provide all the information needed to encrypt/hash new license files, allowing someone to create a license generator. In other languages these is a higher barrier of entry to be able to reverse engineer a native library, but in .NET your code can be fairly easily decompiled and methods like this reverse engineered (generally even when obfuscated).

Asymmetrical Cryptography

Asymmetrical cryptography, also known as Public-key cryptography is a method of encrypting data using the public key, and only being able to decrypt it with the private key (this can also be used for verification purposes by reversing the usage of the keys). In our example, we’ll use the example of digital signatures: where we use the private key for signing the license, and the public key to verify it hasn’t been tampered with.

Without the private key, a user cannot issue new licenses, a key generator will be impossible to make without one. The best bet resides in the malicious person to take one of two paths: to modify the software to remove the license requirement entirely, or modify the software to use a different public key, so they can use their own private key to generate licenses.

We’re on a better path now: a malicious user that has to patch our binaries to circumvent licensing will incur the overhead of having to patch every binary we release, while we can’t ever stop circumvention, we can make it annoying!

Online Verification

Online verification is one of the hardest methods, if not the hardest to circumvent. However a lot has to be assumed about your customers. You need to assume your users will be online at regular intervals, additional the use of software they’ve purchased will be entirely dependent on you keeping your licensing servers up and running.

Circumvention requires you to rewrite binaries to no longer check online, or spoof authentication servers.

PGP and You

I’m going to use OpenPGP, an open encryption standard that includes public-key cryptography. This library is used a lot for signing/encrypting e-mails and code among various programming groups, and I’ll continue to use this later for various examples such as signing code in a later blog.

Generating Your Key Pair

I recommend using GPG4Win, an easy to use application for creating and managing GPG and X509 certificates.

Select “File” > “New Certificate”

We want to create an OpenPGP key pair.

Enter the certificate information.

Your private key is the key to your kingdom, use a strong passphrase.

You want to save the private key (*.gpg) somewhere where your application can access it.

You’ll want to export the public key too.

Dealing with PGP On .NET

I’m going to use a very commonly used cryptography library for .NET BouncyCastle, mainly because it’s extremely powerful and licensed under MIT a very open license friendly to both open source projects and closed source.

An Example License File

We’re going to go ahead with the most basic setup: we’re not going to encrypt the payload so we can understand what is going on, for further obscurity you can encrypt the payload or even the entire license, but it wont add much additional security (just make it harder to understand what is going on till they decompile your .NET code).

Writing Your License File Management Code

First I’m going to outline some basics, we’re going to store a name and two dates, a software expiration date and a support expiration date. Additionally I’ll override ToString() for testing purposes, and write a method that returns the license data as a byte array that’ll go into our signed license file.

using System;
using System.IO;
using System.Linq;
using System.Text;

using Org.BouncyCastle.Bcpg.OpenPgp;
using Org.BouncyCastle.Bcpg;
using Org.BouncyCastle.Asn1.Ocsp;
using Org.BouncyCastle.Security;

public class License
{
    public string Name { get; set; }
    public DateTime SoftwareExpires { get; set; }
    public DateTime SupportExpires { get; set; }

    protected PgpPrivateKey PrivateKey { get; set; }
    public PgpPublicKey PublicKey { get; set; }

    public override string ToString()
    {
        return string.Format("Name: {1}{0}Software Expires: {2}{0}Support Expires: {3}",
            Environment.NewLine,
            this.Name,
            this.SoftwareExpires,
            this.SupportExpires
        );
    }

    private byte[] PrepareLicenseForStorage()
    {
        var licenseData = string.Format(
            "{0}\n{1}\n{2}",
            this.Name,
            this.SoftwareExpires.ToString(),
            this.SupportExpires.ToString()
        );

        return Encoding.UTF8.GetBytes(licenseData);
    }

Next we’re going to define how to read a public key out of a file.

public void ReadPublicKey(string path)
{
    using (var keyFileStream = File.OpenRead(path))
    using (var pgpDecoderStream = PgpUtilities.GetDecoderStream(keyFileStream))
    {
        var keyRingBundle = new PgpPublicKeyRingBundle(pgpDecoderStream);
        var keyRings = keyRingBundle.GetKeyRings();
        foreach (PgpPublicKeyRing keyRing in keyRings)
        {
            this.PublicKey = keyRing.GetPublicKey();
            break;
        }
    }
}

Then we’re going to define how to read a private key out of a file.

public void ReadPrivateKey(string path)
{
    using (var keyFileStream = File.OpenRead(path))
    using (var pgpDecoderStream = PgpUtilities.GetDecoderStream(keyFileStream))
    {
        // Get the key ring from the private key file.
        var keyRingBundle = new PgpSecretKeyRingBundle(pgpDecoderStream);
        var keyRings = keyRingBundle.GetKeyRings();

        // Get the first key from the key ring (it's an enumerable, so it's annoying).
        PgpSecretKey secretKey = null;
        foreach(PgpSecretKeyRing keyRing in keyRings)
        {
            secretKey = (PgpSecretKey)keyRing.GetSecretKey();
            break;
        }

        // Get the private key, we don't have a pass phrase on this (you should though!). 
        // Do NOT hard code this into the library, take it as a parameter from your key generation
        // software.
        this.PrivateKey = secretKey.ExtractPrivateKey("".ToCharArray());
    }
}

Next we’re going to define the code for creating a license file.

public void CreateLicenseFile(string fileName)
{
    var hashAlgorithm = HashAlgorithmTag.Sha1;
    using (var fileWriter = new FileStream(fileName, FileMode.Create))
    using (var outputStream = new ArmoredOutputStream(fileWriter))
    {
        // Continue our signature.
        var signatureGenerator = new PgpSignatureGenerator(this.PublicKey.Algorithm, hashAlgorithm);
        signatureGenerator.InitSign(PgpSignature.BinaryDocument, this.PrivateKey);
        foreach (string userId in this.PublicKey.GetUserIds())
        {
            var pgpSigatureSubpacketGenerator = new PgpSignatureSubpacketGenerator();
            pgpSigatureSubpacketGenerator.SetSignerUserId(false, userId);
            signatureGenerator.SetHashedSubpackets(pgpSigatureSubpacketGenerator.Generate());
            break;
        }

        var licenseDataBuffer = this.PrepareLicenseForStorage();

        // We're going to write out the cleartext portion.
        outputStream.BeginClearText(hashAlgorithm);
        outputStream.Write(licenseDataBuffer, 0, licenseDataBuffer.Length);

        // This updates our signature with the data in our license.
        signatureGenerator.Update(licenseDataBuffer, 0, licenseDataBuffer.Length);
        outputStream.EndClearText();

        // Add newline after text so we start the PGP signature header on the next line.
        byte[] newLineBytes = Encoding.UTF8.GetBytes(Environment.NewLine);
        fileWriter.Write(newLineBytes, 0, newLineBytes.Length);

        // Outputs the signature into the file.
        using (var bcpgStream = new BcpgOutputStream(outputStream))
        {
            signatureGenerator.Generate().Encode(bcpgStream);
        }
    }
}

Finally, we need to be able to create a license object from a signed license file.

public static License LoadLicenseFromFile(string fileName, PgpPublicKey publicKey)
{
    using (var inputStream = new FileStream(fileName, FileMode.Open))
    using (var armoredStream = new ArmoredInputStream(inputStream))
    using (var memoryStream = new MemoryStream())
    {
        // We're going to read the payload of the signed text in.
        while (armoredStream.IsClearText())
        {
            memoryStream.WriteByte((byte)armoredStream.ReadByte());
        }
        
        // Load the signature data from the armored file and initalize it with the public key.
        PgpObjectFactory pgpFact = new PgpObjectFactory(armoredStream);
        PgpSignatureList p3 = (PgpSignatureList)pgpFact.NextPgpObject();
        PgpSignature sig = p3[0];
        sig.InitVerify(publicKey);

        // We're going to seek to the beginning, and strip off the final "/r/n-" from the message.
        memoryStream.Seek(0, SeekOrigin.Begin);
        for (int i = 0; i < memoryStream.Length - 3; i++)
        {
            sig.Update((byte)memoryStream.ReadByte());
        }
        
        if (!sig.Verify())
        {
            throw new Exception("Verification Failed")
        }

        // Parse our stored license data.
        string[] licenseData = Encoding.UTF8.GetString(memoryStream.ToArray()).Split('\n');
        return new License
        {
            Name = licenseData[0],
            SoftwareExpires = DateTime.Parse(licenseData[1]),
            SupportExpires = DateTime.Parse(licenseData[2])
        };   
    }
}

From here we have the underlying infrastructure needed to write a license file that cannot be tampered with and that our application can verify is correct.

Changes To Production Code

First in production you’ll never want to ship your licensing software with your private key or with your secret phrase, that stays with you for generating new keys. Secondly we’ll want to read the private key from some internal resource so a malicious hacker can’t just replace your public key file without modifying binaries.

Tag Archives: Encryption

Intuitive Password Online Password Management Review