Authors: Aziz Sonawalla, Yi Fu Chen, Matthew Hinz
What is the problem?
We will be building a digital vault for storing passwords and other key-value pairs in Prolog to test the cryptographic tools within the language. The user will be able to create their own master password and add username/password pairs for different website domains. The vault will also be searchable by domain name.
What is the something extra?
- 🔐 AES-256 (military grade) encryption for vault data
- #️⃣ SHA-256 irreversible password hashing
- 🧂 Randomized nonce salted encryption, with 1000 iterations
- 💿 Persistent storage of the user's data on their disks
- 👀 Robust and visually-engaging command line interface
- ✅ Unit tests with high coverage
What did we learn from doing this?
We were able to build a complete secure vault using Prolog that leverages military grade encryption, but we did not have the chance to attempt our stretch goals of allowing access to the vault via HTTP connections.
Through our work, we came to the following conclusions:
Prolog is extremely well suited for building small-medium scale tools such as a password manager: because our project is a relatively small tool (less than 10k lines of code), it was easy enough to build and unit test each of the components and tie them all together without the need for an object-oriented structure. We weren't focusing on performance either, so we didn't need to perform concurrent and asynchronous tasks. The Prolog syntax, along with the built-in libraries that provide lots of functionality, allowed us to write concise code that was easy to understand. While a query in SQL might consist of multiple nested statements (e.g., SELECT, JOIN, WHERE, EXISTS), the Prolog language is much better because these complicated query actions can be represented by the relations between variables.
Encryption in Prolog is easy: We were able to easily perform password hashes (using SHA-256) with the built-in cryptography library. On the other hand, the built-in library for AES encryption proved to be extremely unreliable and the errors it produced were not helpful. However, we were able to easily build a bridge API between Prolog and the standard OpenSSL library that comes with Windows, Linux and macOS, and to leverage the operating system's built-in cryptographic capabilities to encrypt the vault. This made all cryptographic tasks extremely easy.
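The kind of OpenSSL call such a bridge would wrap, shown as an added shell example that is not the project's own code. AES-256, SHA-256, the random salt and the 1000 iterations come from the feature list; the CBC mode, PBKDF2 key derivation, the `VAULTv1` header line and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. Assumptions: CBC mode, PBKDF2,
# the VAULTv1 header line and the function names below.

VAULT_MAGIC='VAULTv1'

# vault_encrypt PASSWORD PLAINTEXT_FILE VAULT_FILE
vault_encrypt() {
    # -salt draws a fresh random salt for every encryption; -iter 1000 and
    # -md sha256 match the figures in the feature list. The password is
    # passed through the environment (env:) so it never shows up in the
    # process argument list.
    { printf '%s\n' "$VAULT_MAGIC"; cat "$2"; } |
        VAULT_PASS="$1" openssl enc -e -aes-256-cbc -pbkdf2 -iter 1000 \
            -md sha256 -salt -pass env:VAULT_PASS -out "$3"
}

# vault_decrypt PASSWORD VAULT_FILE
# Prints the plaintext on stdout; returns non-zero on a wrong password.
vault_decrypt() {
    tmp=$(mktemp) || return 1   # mktemp creates the file with mode 0600
    # `openssl enc` is unauthenticated: a wrong key normally fails the
    # padding check, but roughly 1 in 256 wrong keys passes it and yields
    # garbage. The header comparison catches that case.
    if VAULT_PASS="$1" openssl enc -d -aes-256-cbc -pbkdf2 -iter 1000 \
           -md sha256 -pass env:VAULT_PASS -in "$2" -out "$tmp" 2>/dev/null &&
       [ "$(head -n 1 "$tmp" 2>/dev/null)" = "$VAULT_MAGIC" ]
    then
        tail -n +2 "$tmp"
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Call `vault_encrypt "$pw" entries.txt vault.bin` and `vault_decrypt "$pw" vault.bin`; the header check only detects a wrong password and does not protect the ciphertext against tampering.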
Prolog lacks in-depth documentation, a community, and dev tools: The biggest challenge in the entire project for us was the lack of documentation for SWI-Prolog, as well as the lack of an active developer community where questions can be asked. The SWI-Prolog documentation rarely has examples, the errors from the built-in functions are not verbose, and other than the command-line tracer and debugger there are no production-level dev tools. This proved to be the biggest bottleneck for us.
Testing in Prolog is different from other languages: Most IDEs do not have extensions for debugging and unit testing in Prolog. Although Prolog's "trace" function can be used, we resorted to simply writing "print" commands to display the variable values. This proved to be effective, since the "print" method in Prolog automatically handles converting the objects into their string representations.