totp-me icon indicating copy to clipboard operation
totp-me copied to clipboard

Published 20 hours ago verified publisher icon kwart

Hide token secret when after token creation

Open spacekpe opened this issue 10 years ago • 6 comments

I know it is security through obscurity, but still ... It is really easy to quickly read/take a photo of a token secret when the phone is forgotten somewhere on a table. You need just few tens of seconds for taking photo.

Digging data from Java store somewhere in guts of the phone should take more time. Hopefully it is not feasible in few minutes before I remember where the phone is laying :-)

Would you accept patch with this "functionality"?

spacekpe avatar Apr 18 '14 19:04 spacekpe

I don't have objections to have the key value hidden by default. But there has to be an option to display and edit it, because I may want:

  • change the key value to another one generated from an external source
  • display key to enter it's value to an external system (OTP server, second TOTP generator, ...)

And with these scenarios given, it doesn't have much sense to hide the value in the standard options dialog.

kwart avatar Apr 22 '14 20:04 kwart

Maybe I didn't explained my intent well. I will try to describe intended workflow:

  1. Run TOTP-ME

  2. -> Profiles (menu)

  3. -> Add

  4. At this point, secret key is visible and editable. You can copy a value from built-in Key generator to an external system or enter a value generated by external system to TOTP-ME.

  5. -> Menu -> OK Token is saved now.

  6. -> Profiles

  7. Select an existing profile

  8. -> Options

  9. Secret key input box is shown as empty. The secret is still there but it is not accessible after token creation.

This protects the key when the phone is forgotten somewhere for a while. I would call it security feature.

Secret key is shared secret. From definition of shared secret, it should not be used more than once. The only secure way how to establish trust with another party is to create another token.

Does it clarify what I have meant?

spacekpe avatar Apr 22 '14 20:04 spacekpe

I understand your comments. But I like the possibility to display the shared key again. Maybe I'm too lazy to generate and register new keys in all systems I use (when I change the mobile device).

I see some possible ways how to handle this:

  • key protection could be an option of a profile - once checked and saved, the key can't be displayed again (and the option can't be unchecked)
  • we could release 2 versions - a standard one with the current behavior and a more secure one with

kwart avatar Apr 23 '14 06:04 kwart

I think that un-settable option "hide my key" is good enough... Can we make it enabled by default to make totp-me secure-by-default?

I looked at the code in loadProfiles() and honestly, I have no idea how it is supposed to work and how should I add a boolean to it (and stay backward compatible at the same time).

Can you give me some hints, please?

spacekpe avatar Apr 23 '14 07:04 spacekpe

I'm fine with the secure-by-default profiles. (my laziness is not so hard)

The important methods which should be extended are:

  • loadSelectedProfile() where one additional line for loading a boolean value will be added after the tfDelta.setString(String.valueOf(dis.readInt()));
  • getProfileConfig(...) which is called from save() method. It will get a new boolean parameter and it will store its value in a new line next to dos.writeInt(delta);

kwart avatar Apr 23 '14 18:04 kwart

One more thing came to my mind. The old profiles (created by previous versions) should have the flag set to "unsecure".

kwart avatar Apr 24 '14 06:04 kwart