Future development ideas: file encryption or data field encryption

[Jim Dunlop]

Hey guys,

Thanks for making this fantastic product! I found it via.
downloadsquad when I was searching for a password management system.
This is exactly what I was looking for. Special kudos for creating
the offline version!

I have a couple of ideas for the future of Clipperz. One feature that
would benefit me tremendously would be the option of sending/storing
encrpyted information in different file formats, especially JPG
images. Let me explain:

My bank, in order to increase security has set up a complex login
system that involves the following: 1. Entering bank account/branch
info, 2. Entering a password, 3. Using a security code card to input a
three letter/number code... All of this, is done using a "soft"
keyboard (clicking on the screen) to circumvent keyloggers. It's
pretty intense.

Anyway, the way the security code card works is like this. The bank
securely mails me a credit-card-sized decoder card that is unique to
me and me alone. It contains a grid that looks something like this:

A B C D E F G H I J
-------------------------------
0| X 4 I 0 9 S D 2 8 R 2
1| 3 K 9 S R 2 L 1 9 8 S
2| Y R T 7 6 4 J M 2 S
3| F 8 U W 2 L I 9 0 E
4| B V 5 D U 4 N J Z 3

Sorry, the alignment will be off when you view it, but you get the
idea. It is essentially a grid. Whenever I log in, the system asks
me for the 3 values that correspond to randomly chosen coordinates.
Eg. C3=__ H4=__ A0=__ This again entered using a soft keyboard to
avoid keylogging.

In order for me to log in, I have to carry this card on my person, in
my wallet. I do keep a photocopy of this card locked in a safe, but
it would be great if I could merely scan it, and send an encrpyted JPG
file, to be viewed online using Clipperz whenever I need to log into
my bank account. As it is right now, I can have all my data input
into Clipperz, but it is still insufficient to be able to log in
without the key card...

I know that this may be a fairly specific application, but what do you
guys think? Is this something that could get incorporated into a
future version of Clipperz?

Thanks for your time!

Jim D.

[Giulio Cesare Solaroli]

Hello Jim,

thank you very much for your kind praise.

I know a lot of bank are going insane security wise, adopting all this
crappy protection as a soft keyboard, when it is known that some
keylogger already take screenshot of the monitor close where the mouse
click happened. But let's not digress.

About your suggestion of uploading files to Clipperz, this was an idea
we already had, but we could not solve it technically; let me try to
explain why.

Clipperz strength is that we never have any plain data on our server;
we only receive and store encrypted data. But when you want to upload
a file, the Javascript code is not able to read it right from the file
system due to legitimate security restrictions enforced by the
browser.

This means that, in order to be able to process the data of the file,
we would need to have the plain data make a round-trip to one server.
And this is obviously a very bad option, even if we could implement
the system to just return the data without ever storing anything.

Showing up the data afterwords would be tricky, but probably possible.
But we need to find out a way to securely upload the data in the first
place.

At this point, even if it can be a real pain, you could try to
transcribe the table in a text format and put it in the note field in
the card. Not a great alternative, though.

Hope this helps.

Best regards,

Giulio Cesare

[Jim Dunlop]

Hi there again, Mr. Cesare.

Quick reply. Comprehensive too. Thank you. One quick follow-up
question then.... Since Clipperz already has a data field called:
"Notes," it should be capable of storing a certain amount of plain-
text data... In this case, wouldn't it be possible to take the data
that makes up a file (in this case a Jpeg) and submit only a plain-
text version of it, then allowing it to be re-constituted on the other
end? Isn't this exactly the same thing that happens when people
transmit files via. Usenet newsgroups?

I.e. Using uuencode to convert the binary into plaintext and then back
again... I imagine I could even do that now. The only problem is
Then it would just be a matter of making a webapp that can encode/
decode the plaintext that would get transmitted in an encrypted format
-- the same as the rest of all the card data.

Jim D.

UPDATE: I figured I may as well TRY it since I'm talking about it...
It failed but I think a solution is close at hand. Here's what I did:

1. I downloaded a random small image using Google Image search
2. Using my Mac command line I encoded it like this: uuencode
testpic.jpg testpic.jpg > testpic.uue
3. I opened the newly created .uue file, copied the plain text (ctrl
+c)
4. In Clipperz I created a new custom card
5. In the "Notes" section of the card I pasted the contents of
the .uue file
6. Saved
7. Went back into the card, selected all the text and pasted into a
plain text editor
8. Saved it and renamed the file to test2.uue
9. Used: uudecode test2.uue

During my various attempts, I got errors back saying either that there
was no begin line or no end line (which there were)... So this leads
me to suspect that EITHER the contents of the encoded file are just
TOO LONG for the "Notes" section of the card... When I open the card
after saving it, parts of the notes section appear in Bold or Italics
for some reason... OR, maybe my Mac is adding characters/lines/
carriage returns where it shouldn't be, thus making the file
unreadable for the decode.

If only we could create a webapp to AUTOMATE the uuencoode/uudecode
process and somehow ensure that the plain text contents don't get
changed around, I suspect that this is yet a feature that could be
implemented.

What do you think?

Jim D.

[Giulio Cesare Solaroli]

Hello Jim,

the note field should not have any hard limits.

Your idea is interesting, but it basically just shift the problem to
upload the image to Clipperz, to upload the image to the encoding web
app.

Technically, encoding the image using a local application should do
the trick. I think that it should be feasible to later recreate the
whole picture right inside the browser. But asking average Joes to get
a desktop application in order to encode the file content and later to
copy/paste it into Clipperz and setting the right content type is just
too much effort.

Regards,

Giulio Cesare

[Jim Dunlop]

Alright... Well, if the "Notes" section is indeed capable of handling
longer blocks of text, I'll test it out some more on my PC and Linux
boxes to see if I can get the jpg to encode and decode successfully.
Maybe it's just a glitch/anomaly with Mac that's preventing me from
doing it. But I still think that it should essentially be possible
using the "Notes" field.

You're right, however that would be unrealistic to expect non-
technical users to deal with a coding/decoding program...

Regards,

Jim D.




On Jul 22, 8:45 pm, "Giulio Cesare Solaroli" <giulio.ces...@gmail.com>
wrote:

> Hello Jim,
>
> the note field should not have any hard limits.
>
> Your idea is interesting, but it basically just shift the problem to
> upload the image to Clipperz, to upload the image to the encoding web
> app.
>
> Technically, encoding the image using a local application should do
> the trick. I think that it should be feasible to later recreate the
> whole picture right inside the browser. But asking average Joes to get
> a desktop application in order to encode the file content and later to
> copy/paste it into Clipperz and setting the right content type is just
> too much effort.
>
> Regards,
>
> Giulio Cesare
>