
Device Registration

Overview

Key Concepts: Registered Device

Device registration lets a trusted device receive enhancements such as "Packing Key Bypass". The registration process generates encryption material in the browser and registers it with Passpack under the logged-in account. The objective is to create a client that is known to Passpack and that you designate as having special characteristics.

info

The account must meet both of the following requirements:

  • You must be on the proper subscription level.
  • Your organization must allow device registrations.

The logical flow is attached here for reference. If you are familiar with encryption you may notice there are many steps and moving pieces; each of them serves a specific need within the security framework of the Passpack Team Password Manager.

Passpack uses a combination of symmetric and asymmetric encryption throughout the application, which enables specific forms of information sharing and security. The RSA keys itemized in the following diagram compartmentalize information in the broad deployment scenarios Passpack supports, so that each party can decrypt only what is intended for it.

Even though all traffic to Passpack travels over TLS, the details of the device registration are encrypted a second time at the application layer ("double-encrypted"), so they are protected independently of the transport.

Logical Flow Of Device Registration

Description of Process

After the user has completed all login steps, including entering their packing key, the following steps are executed:

  • A Device Fingerprint is generated in the browser and contains identifying information such as a UUID, OS, and browser type. This information is never sent in clear text over the network.
  • A Device Fingerprint Hash is generated by SHA-512 hashing the Device Fingerprint. This hash is encrypted later, sent to Passpack servers, and used during the authentication / authorization process.
  • Two symmetric keys are generated using the cryptographically secure pseudorandom number generator in the browser. Each key is 500 bytes of random material (the length stated here; AES itself consumes a 128-, 192- or 256-bit key). They are designated:
    • Device Fingerprint Encryption Key - Used to encrypt the device fingerprint information, ensuring that when it is shared between members of an organization the data is never readable on the network.
    • Device Fingerprint Encryption Key - Passpack - Used to encrypt the device fingerprint information for customer support troubleshooting. The fingerprint details assist support personnel when asked to help a customer with features tied to device registration.
  • Three asymmetric RSA key pairs are involved; the browser retrieves only their public keys from the Passpack API and uses them to share information securely with the respective key holders. The keys are:
    • Account Device RSA Key - This key secures the Device Fingerprint Encryption Key so that the user may decrypt their own device information and manage authorized devices. If this key does not yet exist, it is created within the browser and an encrypted version is stored in the Passpack API for secure distribution.
    • Organization Device RSA Key - When device registration is enabled by an administrator, a keyset is generated. Administrators use this keyset to decrypt the Device Fingerprint Encryption Key, enabling them to see the details (UUID, OS, browser) of one of their team members' devices.
    • Passpack Device RSA Key - This key securely shares the Device Fingerprint Encryption Key - Passpack and the Device Fingerprint Hash with the Passpack API.
  • A new Device RSA Key is created within the browser as a non-exportable key, so the browser refuses any attempt to export the private key off the device. It is stored only in the browser's IndexedDB.
  • The Device Fingerprint is AES encrypted with the Device Fingerprint Encryption Key. The encrypted result is stored in the Passpack API for secure distribution.
  • The Device Fingerprint is AES encrypted with the Device Fingerprint Encryption Key - Passpack. The encrypted result is stored in the Passpack API and is available only to authorized Passpack personnel.
  • The Device Fingerprint Encryption Key is encrypted to the Account Device RSA Key. The encrypted result is stored in the Passpack API for distribution only to the logged-in user.
  • The Device Fingerprint Encryption Key is encrypted to the Organization Device RSA Key. The encrypted result is stored in the Passpack API for distribution only to administrators of the sponsoring organization.
  • The Device Fingerprint Encryption Key - Passpack is encrypted to the Passpack Device RSA Key. The encrypted result is stored in the Passpack API and is available only to authorized Passpack personnel.
  • The Device Fingerprint Hash is encrypted to the Passpack Device RSA Key. The encrypted result is stored in the Passpack API and is used as a form of device identification during the authentication / authorization process.

At no point does a plaintext fingerprint, symmetric key, or fingerprint hash leave the browser: every value sent to the API is either AES encrypted or encrypted to one of the RSA public keys, and each recipient can unwrap only the copy encrypted to its own key.