Computer security is always a big issue. Man-in-the-middle attacks are difficult to stop. You're never really sure who to trust. You want to have encrypted communication using PGP, but in order to do so you need to exchange public keys. But there is always a chance someone is snooping: HTTPS is unsafe, and public PGP key servers are unsafe. The safest way to exchange public keys is to do it in person. However, writing down or typing in the entire public key is a pain. It takes a long time, is error-prone, and is not very feasible if you want to give it to a lot of people. So, we've created a way to make that process faster, easier, and still safe.

Below is an image of a key signing party where participants are exchanging public keys with each other in person.

What it does

Using our PC application, the user can generate a QR code for their PGP public key. This QR code can then be scanned by our mobile application, which stores the public key. To exchange public keys, you can either hand the QR code to the other person so that they can scan it into their phone, or send the key directly to them via NFC. Once you've gotten the public keys you need from others, you can transfer them back to your computer via our forwarding server. The mobile app will encrypt and sign the public keys using your public key and private key on your phone. They are then sent to our server, which you can use to synchronize the public keys onto your computer. (Currently, synchronization is implemented but the encrypted transfer is in development.) So, as you can see, by using the QR code and NFC a man-in-the-middle attack is not possible. It also makes direct exchanges much easier and less painful, since all you need to do is scan a QR code or tap your phone against the other person's phone. It's fast, easy, and safe.

Extra Features

We also added an extra feature called Password Booster, which gauges the strength of the password you input and then outputs a stronger password. Many users have a hard time thinking up strong passwords and they don't want completely random passwords, so this feature gives them passwords that are variations of what they input.

Password Booster first evaluates the strength of your current password. In assigning it a score it uses basic criteria such as length and the presence of uppercase letters, lowercase letters, numbers, and special symbols like @. At the same time, it takes a deeper look and deducts points for certain negative characteristics. Passwords that consist of only letters or only numbers are penalized the most, but there are also penalties for numerous repeated instances of the same symbol, long strings of symbols of the same type, and long strings of sequential symbols (e.g. 123).

The user sets a score threshold, and if the original password doesn't meet this requirement, Password Booster will try to augment it until it does. Its primary tools for doing so are adding strings of words, numbers, and symbols to the password. In addition, because dictionary words are among the easiest passwords to crack, each letter in the password is considered for either a random case change (e.g. lower to upper) or replacement with its l33t speak equivalent, if applicable (e.g. E to 3). Added strings can be inserted anywhere in the password, potentially breaking up existing clear dictionary words.
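The scoring and boosting steps described above, sketched as an added example (this is not Password Booster's own code). The point weights, the l33t table, the character pool, and the names `scorePassword` and `boostPassword` are assumptions made for illustration, and single random characters stand in for the inserted strings.

```javascript
const { randomInt } = require('crypto');

// Character classes the page names: lowercase, uppercase, numbers, symbols.
const CLASSES = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
const LEET = { a: '4', e: '3', i: '1', o: '0', s: '5', t: '7' };
const POOL = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*?';
const typeOf = (c) => CLASSES.findIndex((re) => re.test(c));

// Weights are illustrative assumptions, not Password Booster's real values.
function scorePassword(pw) {
  let score = pw.length * 4;                                 // length
  score += CLASSES.filter((re) => re.test(pw)).length * 10;  // class variety
  if (/^([A-Za-z]+|[0-9]+)$/.test(pw)) score -= 25;          // only letters or only numbers
  const counts = {};
  for (const c of pw) counts[c] = (counts[c] || 0) + 1;
  for (const n of Object.values(counts)) if (n > 2) score -= (n - 2) * 3; // repeats
  let typeRun = 1, seqRun = 1;
  for (let i = 1; i < pw.length; i++) {
    typeRun = typeOf(pw[i]) === typeOf(pw[i - 1]) ? typeRun + 1 : 1;
    seqRun = pw.charCodeAt(i) - pw.charCodeAt(i - 1) === 1 ? seqRun + 1 : 1;
    if (typeRun > 3) score -= 2;  // long run of one symbol type
    if (seqRun > 2) score -= 3;   // sequential run such as 123
  }
  return Math.max(0, score);
}

function boostPassword(pw, threshold) {
  if (scorePassword(pw) >= threshold) return pw;
  // Each letter is randomly left alone, case-flipped, or l33t-substituted.
  let out = [...pw].map((c) => {
    const roll = randomInt(3);
    if (roll === 0 && LEET[c.toLowerCase()]) return LEET[c.toLowerCase()];
    if (roll === 1) return c === c.toLowerCase() ? c.toUpperCase() : c.toLowerCase();
    return c;
  }).join('');
  // Insert random characters at random positions, keeping only insertions
  // that raise the score, until the threshold is met.
  while (scorePassword(out) < threshold) {
    const pos = randomInt(out.length + 1);
    const trial = out.slice(0, pos) + POOL[randomInt(POOL.length)] + out.slice(pos);
    if (scorePassword(trial) > scorePassword(out)) out = trial;
  }
  return out;
}
```

A score of this kind measures only the listed characteristics; it does not detect that the input is a known or breached password.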

How we built it

We developed an Android application using Android Studio and Java; we used ZXing's barcode scanner for scanning QR codes. We store the PGP keys internally on the phone whenever we scan a QR code or receive a key via NFC. The user can access all keys that were saved, choose which one to send to another user, and even delete keys they don't want anymore. The only time the application connects to the internet is when the public keys are synchronized with the user's computer. We use HTTPS to connect to the server, and the public keys that are sent to the server are stored in private storage for each user. We are still developing encryption and signing of the public keys before they are sent, which would make the system secure even if the server was malicious. The server and Windows/Linux client are written in Python; the UI for the client is written in HTML, CSS, JavaScript, and Bootstrap. We also supplemented our client code with bash scripts. The client also has the Password Booster, identical to the one found in the Android application. The Password Booster is written in HTML, CSS, JavaScript, and Bootstrap and is displayed in a native WebView in the Android application, so even then the application does not connect to the internet. The Bootstrap library is also bundled locally with the application so that it doesn't have to be fetched from the web.

Development Environment and Tools

We used Windows 10 as our main development environment to run Android Studio, and virtual machines to run Linux. We also used Office Live for collaborative documents and OneDrive for sharing. We used Visual Studio as our main IDE for JavaScript, HTML/CSS, and Python.

Challenges we ran into

Initially, we generated binary PGP QR codes, and when one was read into the mobile application it was encoded in UTF-8, which effectively scrambled the data. We had trouble converting it back to its original state, and so we spent hours trying to figure this out. In the end we changed the way we generated the QR codes and used ASCII PGP QR codes instead, which solved the problem immediately.

Accomplishments that we're proud of

We used 4 different programming languages (Java, JavaScript, Python, and Bash), making programs that work across 3 different operating systems (Android, Windows, and GNU/Linux).

What we learned

We learned how to use NFC in our application for the first time.

What's next for Paranoia Keyring

Password Booster makes heavy use of randomness in deciding what to insert/modify and where to do it. While random passwords are the most secure, they are also the most difficult to remember. Future improvements would involve the program keeping in mind exactly what caused an original password to fail to meet the threshold, so that it can specifically target these issues.
