DragPass: Drag Your Password

About

DragPass: The Zero-Trust Text Encryption Solution
DragPass is a Chrome extension that secures any text with one-click encryption/decryption by simply dragging and using the context menu. If you work in Chrome, you can securely protect your data in any notepad or web application with DragPass.

Features: The Core of Security
- Zero-Trust Authentication: Implements a Hardware/Software Key Pair system where your private key never leaves your Helper process. Authentication and key updates are handled via non-storage-based signatures, ensuring the server never holds the master password or private key.
- Double Salt System: Generates two random salts for each encryption, ensuring that identical passwords and text produce completely different ciphertexts every time, fundamentally blocking pattern analysis attacks.
- PBKDF2 Key Derivation: Transforms simple passwords into powerful encryption keys through 100,000 iterations, making brute-force attacks virtually impossible. Even if a hacker attempts 100 million passwords per second, verifying a single password would take years.
- AES-256-GCM Encryption: The encryption algorithm used by the NSA to protect top-secret documents. It simultaneously encrypts data and verifies integrity, instantly detecting tampering when even a single bit of the ciphertext is altered, causing decryption to fail immediately.
- KEK/DEK Dual Structure: A new random salt is added to the master password to generate a KEK (Key Encryption Key), which encrypts the DEK (Data Encryption Key) for secure storage, and this DEK encrypts the actual data. Since the DEK is encrypted with the KEK and only the encrypted DEK is stored on the server, the server cannot know the master password.
- Unique IV Usage: A secure random number generator creates a new IV for each encryption, ensuring that encrypting the same text produces completely different results every time.
- Encoding: Encoded into DragPass's signature braille-based blocks.

Advanced Usage: Device Registration and Key Management
DragPass uses an advanced three-tier system (Client → Chrome Extension → DragPass Keeper) to handle all cryptographic operations, providing a level of security unmatched by simple browser extensions.
- Secure Device Registration: During initial setup, the Helper process generates a unique asymmetric key pair. The server then encrypts a Session Code using your Helper's public key, proving the key is valid before securely storing the encrypted Session Code.
- Challenge-Response Login: Subsequent logins use a timestamped signature and a Challenge Token issued by the server. Your Helper signs the Challenge Token with its private key, proving possession without ever sending the private key.
- Secure Device Migration: Easily log in on a new device using your Session Code. The server ensures your key pair is securely updated using a challenge-response mechanism, guaranteeing key integrity across all your devices.

Zero-Knowledge Architecture: Your Data, Only Yours
- Master password exists only in memory and is never stored.
- All encryption executes exclusively in the user's browser/Helper process.
- All encryption/decryption proceeds offline once keys are established.

⚠️ Non-Recoverable Data Policy: Since the system guarantees the Master Password and cryptographic keys are never stored on the server, and user anonymity is preserved, there is no mechanism to recover your encrypted data if you lose your Master Password or Session Code. No one, including DragPass, can know or recover your master password or your private encryption key.

Since the master password is not stored on the server, encrypted text cannot be recovered if lost. No one, including DragPass, can know or recover your master password or your private encryption key.