I'm not seeing the benefit either. If your credentials are stored under strong encryption, then it's the encryption that's providing a confidentiality and integrity assurance, wholly independent of blockchain or any other storage solution.
The fact that the data is encrypted means that it can literally be stored anywhere. You can throw it in a local file or in Dropbox/Google Drive/iCloud.
Centralized systems aren't vulnerable just because of uptime. They can also terminate your access at will, like if you forget to pay a bill, or if some government actor comes knocking on their door.
> b.lock uses your Nebulas private key (in other words, the master key) to encrypt your passwords and secret notes, using the AES-256 encryption algorithm.
I would hope they are using some form of authenticated encryption, and talk about AES to keep it simple... but given the pointlessness of using a blockchain for this, maybe not.
It's a common tactic in blockchain projects. They cite legitimate problems, but fail to make a case as to why existing solutions are inadequate and specifically how blockchain's properties are a good way to meet those needs.
So they're using AES in CTR mode for encryption. They encrypt both key (website + login) and value (password) using the same key (wallet private key) and counter (1). [1] Which means you can just brute-force popular domain names, xor encryptedPass ^ encryptedKey ^ domainName, and get the first bytes of the password (depending on domain name length), just by going through some recent TXs at [2].
GordonS | 7 years ago
What possible benefit could there be to storing my secrets in a public blockchain rather than private storage? I only see downsides.
The readme mentions 2 'problems' with existing solutions:
"Single point of failure: if the server/database goes down, there goes your passwords"
This is not a reason to use a blockchain - it's a reason to use a highly available system.
"Trust issue: can you really trust that these closed-source softwares will not just read your passwords?"
This is not a reason to use a blockchain - it's a reason to use OSS.
the_snooze | 7 years ago
agorabinary | 7 years ago
Easier to store a private key that gives access to a blockchain datastore than to store a decryption key + private storage file that would need to be replicated across all systems you want password access.
> HA system
That's a hosted solution, so it isn't completely trustless.
> closed-source softwares will not just read your passwords
I agree that this has nothing to do with a blockchain.
craigc | 7 years ago
The trust issue also doesn’t matter cause if the encryption is right, then third parties wouldn’t be able to read your data even if they wanted to.
21 | 7 years ago
This is why you are poor. You wrap this in an ICO and easily make a million dollars.
beaner | 7 years ago
Tijdreiziger | 7 years ago
brighton36 | 7 years ago
loup-vaillant | 7 years ago
Without digging any further, this is one of the scariest parts. Maybe they say AES because their marketing is aimed at ignorant people, for which a bare "AES" still sounds good. But if they are thinking AES, then I'm afraid how insecure their chosen mode of operation (and implementation thereof) might be.
Not too afraid though. The whole premise is bogus, there are less wasteful ways to manage passwords.
GordonS | 7 years ago
Also, they explicitly say they are using the master key - they should really be using a DEK.
tdurden | 7 years ago
the_snooze | 7 years ago
GordonS | 7 years ago
pomfpomfpomf3 | 7 years ago
[1] https://github.com/BlockProject/b-lock/blob/8a19e0b404a8afee...
[2] https://explorer.nebulas.io/#/address/n1qmQeLTUU6fPJMs1uwTad...
loup-vaillant | 7 years ago
Well, hopefully this will get better under proper scrutiny.
GordonS | 7 years ago
This is a bad idea. They should really be using a DEK.
karlmcguire | 7 years ago
Someone1234 | 7 years ago