Pretty Good ID - Password replacement

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Password replacement

#16 Post by SYSTEM »

It works for me as well (I used X-Chromium too). Great work! :)

IMO, the most important addition the extension needs is the ability to store the PGID in Local Storage (optionally with symmetric encryption) and load it automatically when the browser starts or when the user tries to log in to or register on a PGID-enabled website for the first time.

In fact, I'm interested in working on PGID myself. There may be an improved version of the extension later... ;)

Andrew Lee
Posts: 3063
Joined: Sat Feb 04, 2006 9:19 am

Re: Password replacement

#17 Post by Andrew Lee »

Thanks for checking this out! You guys are so cool.

I will check out X-Chromium myself.

This current implementation is more a proof-of-concept to solicit feedback, so many things (e.g. robust error checking) are purposely missing. I think a basic implementation also has the advantage of being easy to read and understand without being bogged down by aesthetics or production-level error checks.

However, once the concept checks out, I will be more than happy to be involved in the development of a production-level PGID extension that stores the PGIDs in local storage, protected with symmetric encryption! I also plan to develop production mods and plugins for phpBB and WordPress for a start. I even have the motto stuck in my mind: "Pretty Good ID: Eliminating passwords, one website at a time." :D

Like I mentioned on the home page, I am not even sure storing the private key at the browser or app level is the best way to go. If this gets widespread use, you might not want to store your PGID with each of the browsers that you use, your feed reader, your email reader etc.
There are many possible implementations that I can think of. Conceivably, the best approach is to have one vault-like software on each device that has access to the private key. Other software will simply communicate with the vault via IPC to invoke the various functions, without ever having access to the content of the private key. The PGID can be further protected using symmetric encryption (using a password, PIN, pattern etc.) so that it needs to be unlocked before use. This means even if the device is stolen, the thief will not have access to the private key. I have an unfinished prototype running under Windows, where the Chrome extension talks to the vault via native messaging, so the idea is certainly feasible.
But since it is so simple to implement, maybe there are different approaches to suit different people. That's the beauty of it. A production-level extension that stores the PGIDs in local storage, symmetrically encrypted, is definitely one way to go. Maybe an extension that stores nothing but allows you to load the private key from a file or scan it with a webcam. Or, as mentioned, one vault-like piece of software that provides a service to all other software on the machine without ever revealing the private keys. Or the ultimate: the operating system (Windows, Android etc.) providing this service!

tproli
Posts: 1172
Joined: Sat Sep 09, 2006 10:14 am
Location: Hungary

Re: Password replacement

#18 Post by tproli »

I'm afraid I still can't get how it works. I mean the general functionality and not the 'behind-the-scene' magic.
Could someone enlighten this (as if I were a 6 year old child)?

guinness
Posts: 4118
Joined: Mon Aug 27, 2007 2:00 am

Re: Password replacement

#19 Post by guinness »

Just thought I would chime in and say it works (of course the extension issue has already been mentioned.)

Andrew Lee
Posts: 3063
Joined: Sat Feb 04, 2006 9:19 am

Re: Password replacement

#20 Post by Andrew Lee »

@tproli: Have you installed the Chrome extension and tried it out? The demo site tries to provide the relevant technical info as you try out each function.

If you are unfamiliar with public key crypto, this wiki might get you started:

http://en.wikipedia.org/wiki/Public-key_cryptography

OK, short-term goals for this project:

1. Get the idea validated. So if you have any friends who are black hat, white hat, security experts etc., please get them to take a look and punch holes into the whole idea before I sink any more time and effort into this thing! :D

2. Create a production-level PGID extension for Chrome/Chromium and submit to Chrome App Store.

3. Create a phpBB mod and dog-food it on TPFC.

Exciting times!

Andrew Lee
Posts: 3063
Joined: Sat Feb 04, 2006 9:19 am

Re: Password replacement

#21 Post by Andrew Lee »

@tproli: The general functionality is: you create a PGID and use that to register with supporting websites, instead of passwords.

Then, to login to a website, it is essentially a one-click operation using the Chrome extension.

The selling point is, you can use the same PGID for all the websites you register with. One PGID to rule them all! If one website gets hacked, nothing is compromised, nothing needs to be changed.

Questions?

Andrew Lee
Posts: 3063
Joined: Sat Feb 04, 2006 9:19 am

Re: Password replacement

#22 Post by Andrew Lee »

Another usage scenario:

Imagine someone at an Internet cafe. The browser has a non-storage, webcam-enabled PGID extension installed. He starts the browser, takes out a card with the QR code of his PGID and scans it into the browser. Now he is free to log in to all his websites. At the end of the session, he simply shuts down the browser and is clean to go.

Of course you can worry about a rogue extension, but it's on the same level of threat as a keylogger. A more secure way is of course to bring a portable browser on a USB memory stick. But I am describing a typical usage scenario involving someone who's not as security conscious and how PGID can be used in this case.

joby_toss
Posts: 2971
Joined: Sat Feb 09, 2008 9:57 am
Location: Romania

Re: Password replacement

#23 Post by joby_toss »

If I understand correctly, I can have a PGID for all websites, but I can also have a different one for every website, right?
Last edited by joby_toss on Sun Jun 15, 2014 3:51 am, edited 1 time in total.

Andrew Lee
Posts: 3063
Joined: Sat Feb 04, 2006 9:19 am

Re: Password replacement

#24 Post by Andrew Lee »

@joby_toss: Yes. As few or as many as you wish. The extreme case is indeed one PGID for every website.

tproli
Posts: 1172
Joined: Sat Sep 09, 2006 10:14 am
Location: Hungary

Re: Password replacement

#25 Post by tproli »

Much clearer, thanks.

However, if one gets hold of my public key then she can log in with my account(s)?
And what happens if someone sits down at my computer, or steals my USB stick?

joby_toss
Posts: 2971
Joined: Sat Feb 09, 2008 9:57 am
Location: Romania

Re: Password replacement

#26 Post by joby_toss »

Same thing that happens when your password is stolen (from your PC, usb device etc.), but at least you have some control over this fact. PGID solves the "server hacked" part, the one you have no control over.

@Andrew: would it be possible (as an option) that the browser extension asks for a master password before the QR-Code is loaded?

guinness
Posts: 4118
Joined: Mon Aug 27, 2007 2:00 am

Re: Password replacement

#27 Post by guinness »

tproli wrote:
    Much clearer, thanks.

    However, if one gets hold of my public key then she can log in with my account(s)?
    And what happens if someone sits down at my computer, or steals my USB stick?

You meant private key.

tproli
Posts: 1172
Joined: Sat Sep 09, 2006 10:14 am
Location: Hungary

Re: Password replacement

#28 Post by tproli »

Course I meant :oops:

Andrew Lee
Posts: 3063
Joined: Sat Feb 04, 2006 9:19 am

Re: Password replacement

#29 Post by Andrew Lee »

joby_toss wrote:
    @Andrew: would it be possible (as an option) that the browser extension asks for a master password before the QR-Code is loaded?

Sure! That won't be difficult to do. Just add symmetric encryption like AES to local storage. I am leaving it out of the proof-of-concept code because I feel that should be implementation-dependent. Let's add that + local storage to the basic production extension.

Andrew Lee
Posts: 3063
Joined: Sat Feb 04, 2006 9:19 am

Re: Password replacement

#30 Post by Andrew Lee »

    However, if one gets hold of my private key then she can log in with my account(s)?

Well, as I mentioned before, in production code, the local storage (storing all the private keys) should be symmetrically encrypted and require a master password to decrypt.
