Computer security is always a big issue. Man in the middle attacks are difficult to stop. You're never really sure who to trust. You want to have encrypted communication using PGP but in order to do so you need to exchange public keys. But there is always a chance someone is snooping, HTTPS is unsafe, public PGP key servers are unsafe. The safest way to exchange public keys is to do it in person. However, writing down the entire public key or typing in the public key is a pain. It takes long, is error prone, and not very feasible if you want to give it to a lot of people. So, we've created a way to make that process faster, easier, and still safe.
Below is an image of a key signing party where participants are exchanging public keys with each other in person.
What it does
Using our PC application, the user can generate a QR code for their PGP public key. This QR code can then be scanned by our mobile application and the public key will then be stored in our mobile application. Then to exchange public keys you can either hand over the QR code to the other person so that they can scan it into their phone or you can directly send it to the person via NFC. Once you've gotten the public keys you need from others you can then transfer them back to your computer via our forwarding server. The mobile app will then encrypt and sign the public keys using your public key and private key on your phone. Then it will be sent to our server which then you can use to synchronize the public keys onto your computer. (Currently, synchronization is implemented but the encrypted transfer is in development). So, as you can see by using the QR code and NFC a man in the middle attack is not possible. It also makes direct exchanges much less painful and easy since all you need to do is scan a QR code or tap your phone with the other person's phone. It's fast, easy, and safe.
We also added an extra feature called Password Booster which basically gauges the strength of the password you input then outputs a stronger password. Many users have a hard time thinking up of strong passwords and they don't want just completely random passwords, so this feature will give them passwords that are variations of what they input.
Password Booster first evaluates the strength of your current password. In assigning it a score it uses basic criteria such as length and the presence of uppercase letters, lowercase letters, numbers, and special symbols like @. At the same time, it takes a deeper look and deducts points for certain negative characteristics. Passwords that consist of only letters or only numbers are penalized the most, but there are also penalties for numerous repeated instances of the same symbol, long strings of symbols of the same type, and long strings of sequential symbols (e.g. 123).
The user sets a score threshold, and if the original password doesn't meet this requirement, Password Booster will try to augment it until it does. It's primary tools for doing so are adding strings of words, numbers, and symbols to the password. In addition, because dictionary words are among the easiest passwords to crack, all letters in the password are considered to either randomly have its case change (e.g. lower to upper) or to have it be changed to its l33t speak equivalent, if applicable (e.g. E to 3). Added strings can be inserted anywhere in the password, potentially breaking up existing clear dictionary words.
How we built it
Development Environment and Tools
Challenges we ran into
Initially, we generated binary PGP QR codes and when it was read into the mobile application it was encoded in UTF-8 which effectively scrambled the data. We had trouble converting it back to its original state and so we spent hours trying to figure this out. In the end we changed the way we generated the QR codes and so instead we did ASCII PGP QR codes which solved the problem immediately.
Accomplishments that we're proud of
What we learned
We learned how to use NFC in our application for the first time.
What's next for Paranoia Keyring
Password Booster makes heavy use of randomness in deciding what to insert/modify and where to do it. While random passwords are the most secure, they are also the most difficult to remember. Future improvements would involve the program keeping in mind exactly what caused an original password to fail to meet the threshold, so that it can specifically target these issues.