See how ReAn Pro Works
Every ReAn Pro password generation operation requires 3 keys. The 3 keys are:
- Secret Key
- Circle Of Trust Key
- Website Key
The Secret Key is generated on the end user's system using a randomly generated salt. ReAn Pro uses scrypt as its password-based key derivation function. scrypt offers many benefits in that role. The primary and most important benefit for ReAn is that scrypt is nearly impossible to brute-force using today's computational resources. Its high computational cost protects against the dictionary attacks that make many sites and systems vulnerable. For the many benefits of scrypt, refer here
Circle of Trust Key
The Circle of Trust Key is not directly accessible to the end user. Each user-verified device is set up with a session token, which acts as a reference to the Circle of Trust Key. Session tokens are rotated and refreshed, and the reference is updated accordingly. The Circle of Trust Key is kept encrypted in ReAn's database using a key management system (KMS).
ReAn uses a cryptographically secure random number generator (CSPRNG) to generate the Website Key. When an attempt is made to generate a password, the "Referer" header indicates the name and full URI of the website. The "Referer" header is reliable because browsers prohibit tampering with it. When the ReAn backend receives a valid session token, it retrieves the Website Key from its encrypted database.
The final derivation in ReAn Pro combines the 3 keys using another cryptographic operation. The result of that operation is a seed. The seed is fed into the website's password policy. Based on the password policy and the seed, ReAn generates a unique, complex, website-tailored password.
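
The flow described above, sketched as an added example that is not ReAn's own code. The page does not name the combining operation or the policy format, so HMAC-SHA256, the scrypt cost parameters, the function names and `SAMPLE_POLICY` are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample policy (assumption): one character required from each class.
SAMPLE_POLICY = ["abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                 "0123456789", "!@#$%^&*"]

def derive_secret_key(master_password: str, salt: bytes) -> bytes:
    """Secret Key: scrypt over the user's password and a random salt (cost values assumed)."""
    return hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def derive_seed(secret_key: bytes, cot_key: bytes, website_key: bytes) -> bytes:
    """Combine the 3 keys into a seed. HMAC-SHA256 is an assumed stand-in operation."""
    # Length-prefix each key so (b"ab", b"c") and (b"a", b"bc") give different seeds.
    msg = b"".join(len(k).to_bytes(2, "big") + k for k in (cot_key, website_key))
    return hmac.new(secret_key, msg, hashlib.sha256).digest()

def _byte_stream(seed: bytes):
    """Expand the seed into an endless deterministic byte stream (HMAC in counter mode)."""
    counter = 0
    while True:
        yield from hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1

def _pick(stream, n: int) -> int:
    """Unbiased index in range(n), n <= 256, using rejection sampling (no modulo bias)."""
    limit = 256 - (256 % n)
    for b in stream:
        if b < limit:
            return b % n

def password_from_seed(seed: bytes, length: int, classes: list[str]) -> str:
    """Build a password of the given length with at least one character per class."""
    alphabet = "".join(classes)
    if not len(classes) <= length <= 256 or len(alphabet) > 256:
        raise ValueError("policy not satisfiable by this sketch")
    stream = _byte_stream(seed)
    chars = [c[_pick(stream, len(c))] for c in classes]          # required classes
    chars += [alphabet[_pick(stream, len(alphabet))] for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):                       # Fisher-Yates shuffle
        j = _pick(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)
```

Because every step is deterministic, the same 3 keys and policy always reproduce the same password, while changing any one key (for example the Website Key) yields an unrelated one.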