As a society, we maintain a proud tradition of poor operational security. Even worse, a conservative estimate predicts that the average American has had their private information breached at least 3 times. In an effort to bring security and privacy to the common person, we created Meema, the painless, portable password protector.
(A note on the name: "Meema" comes from the Chinese phrase for password, which is 密码, or roughly "meema".)
What it does
Meema is designed to be a convenient and secure method for storing and filling passwords. It acts as a hardware password manager that can be used plug-and-play-style for accessing stored passwords and easily supplying them into password fields.
How we built it
Implementation: In order to maintain security, all passwords are stored in two separate entities, through two separate stores. One piece will be stored in an online database, and the other will be stored offline in a hardware database. The online database will be accessed via a REST API, and the hardware database will be accessed using the Intel Edison through an ACM Serial (USB) connection.
Webserver: The webserver requires authentication using a unique hardware identifier, a username, and a password. Password fragments on the server are not encrypted and can be accessed through the REST API after proper authentication.
Meema Key: The Meema Key serves two main functions: a USB Mass Storage device and an ACM serial communications bridge. The mass storage device stores password fragments and decrypts them when properly authenticated. The serial connection is used for accessing data from the Meema Key as well as issuing commands to it.
Encryption Process: Once all data has been collected, Meema breaks the password into two separate fragments and stores one on the Meema Key and the other on the web server. When inspected individually, both fragments are indistinguishable from cryptographic noise; only with both fragments is it possible to recreate the password.
Decryption Process: The decrypting application (either the native OSX app or the Chrome Extension) retrieves the stored password fragment from the Meema Key after proper authentication. The application then queries the webserver for its password fragment, in addition to any other non-sensitive data and metadata the server holds (such as username, email, or any other saved fields). The application then combines these two fragments to recreate the original password.
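One way to get the property described in the Encryption and Decryption Process paragraphs, as an added example that is not Meema's own code: the page does not say how the password is split, so this assumes a two-share XOR (one-time pad) scheme with fixed-size fragments. `BLOCK`, `split_password` and `combine_fragments` are hypothetical names.

```python
import secrets

BLOCK = 64  # assumed fixed fragment size, so a fragment does not reveal password length


def split_password(password: str) -> tuple[bytes, bytes]:
    """Return (key_fragment, server_fragment); each one alone is uniformly random."""
    data = password.encode("utf-8")
    if len(data) > BLOCK - 1:
        raise ValueError("password too long for fixed-size fragment")
    # Layout before masking: 1-byte length, the password, zero padding up to BLOCK.
    padded = bytes([len(data)]) + data + bytes(BLOCK - 1 - len(data))
    # The fragment kept on the hardware key is a fresh pad from the OS CSPRNG.
    key_fragment = secrets.token_bytes(BLOCK)
    # The fragment sent to the server is the padded password XOR the pad.
    server_fragment = bytes(a ^ b for a, b in zip(padded, key_fragment))
    return key_fragment, server_fragment


def combine_fragments(key_fragment: bytes, server_fragment: bytes) -> str:
    """Recreate the password; XOR is symmetric, so argument order does not matter."""
    if len(key_fragment) != BLOCK or len(server_fragment) != BLOCK:
        raise ValueError("fragment has wrong length")
    padded = bytes(a ^ b for a, b in zip(key_fragment, server_fragment))
    length = padded[0]
    # Consistency check only (not a MAC): the padding must still be all zeros.
    if length > BLOCK - 1 or any(padded[1 + length:]):
        raise ValueError("fragments do not match or were modified")
    return padded[1:1 + length].decode("utf-8")


if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    key_frag, server_frag = split_password("correct horse battery staple")
    print("key fragment   :", key_frag.hex())
    print("server fragment:", server_frag.hex())
    print("recombined     :", combine_fragments(key_frag, server_frag))
```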
User Facing Code
Chrome Extension: The user can interact with Meema through a Chrome extension that will prompt login to the Meema Key with a username and password combination specific to the key. Once authenticated, the Meema Chrome Extension will scrape websites visited for login inputs and allow users to store their passwords as well as other input information.
OSX Application: The user can also interact with Meema through a native OSX app to store login information to native applications.
What's next for Meema
Biometric Identification: Instead of assigning a password to their account, the user can use a biometric sensor (for example, a fingerprint scan) to encrypt their Meema Key.
Mobile Authentication: Instead of assigning a password to their account, the user can connect a mobile device to their account. Authentication consists of sending the user's device a push notification (via the Chrome Notification API), which when activated unlocks the Meema Key.