A comprehensive cybersecurity demonstration platform featuring military-grade encryption, digital signatures, multi-factor authentication, WebAuthn/Passkeys, and role-based access control.
- Overview
- Features
- Architecture
- Security Implementation
- User Roles
- Quick Start
- API Reference
- Demo Accounts
- Testing
## Overview

IronVault is a secure credential management system designed to demonstrate enterprise-level security concepts in a military-themed context. The platform showcases real-world implementations of cryptographic protocols, secure authentication mechanisms, and access control patterns.
- Encryption at Rest: All sensitive data encrypted with AES-256-CBC
- Digital Signatures: Mission documents signed with RSA-2048-PSS
- Multi-Factor Authentication: Email OTP + WebAuthn/Passkey support
- Role-Based Access Control: Hierarchical permission system
- Complete Audit Trail: All security events logged and monitored
## Features

| Feature | Implementation | Purpose |
|---|---|---|
| Password Security | PBKDF2-SHA256 (100K iterations) | Secure password storage |
| Data Encryption | AES-256-CBC with random IV | Protect sensitive data |
| Digital Signatures | RSA-2048-PSS | Document authenticity |
| Token Auth | JWT with HS256 | Stateless authentication |
| MFA | Email OTP (6-digit, 5-min expiry) | Second factor verification |
| Passkeys | WebAuthn/FIDO2 | Passwordless authentication |
Field Operative:
- Personal encrypted credential vault
- CSPRNG-based secure password generation
- View intel from Commanding Officers
- WebAuthn passkey registration
Commanding Officer:
- Issue encrypted intel directives
- View operative missions
- Create signed operations
- Team management
Central Command (HQ):
- Complete personnel oversight
- Audit log monitoring (War Room)
- System-wide visibility
- Security event filtering
## Architecture

```
IronVault/
├── backend/                    # Flask API Server
│   ├── app.py                  # Application entry point
│   ├── config.py               # Configuration & key paths
│   ├── models.py               # Database schema & operations
│   ├── routes/
│   │   ├── auth.py             # Authentication & MFA
│   │   ├── credentials.py      # Operative vault CRUD
│   │   ├── missions.py         # Mission management
│   │   ├── intel.py            # Intel & operations
│   │   └── admin.py            # HQ administration
│   ├── utils/
│   │   ├── access_control.py   # RBAC & JWT middleware
│   │   ├── crypto.py           # Encryption utilities
│   │   ├── otp.py              # OTP generation/verification
│   │   └── webauthn_utils.py   # Passkey utilities
│   └── keys/                   # Auto-generated keys (gitignored)
│
└── frontend/                   # Next.js 15 Web App
    └── src/
        ├── app/
        │   ├── page.tsx        # Login page
        │   ├── signup/         # Registration
        │   ├── reset-password/ # Password recovery
        │   ├── profile/        # User settings & passkeys
        │   ├── operative/      # Field operative dashboards
        │   ├── co/             # Commanding officer views
        │   └── hq/             # Central command panels
        ├── components/         # Reusable UI components
        └── lib/
            └── api.ts          # API client
```
## Security Implementation

Password Hashing:

```python
import hashlib

# PBKDF2-SHA256 with high iteration count
password_hash = hashlib.pbkdf2_hmac(
    'sha256',
    password.encode(),
    salt,       # per-user random salt, stored alongside the hash
    100000      # 100K iterations for brute-force resistance
)
```

Data Encryption:

```python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Encrypt sensitive data
cipher = Cipher(
    algorithms.AES(key),        # 256-bit key
    modes.CBC(iv),              # Random 16-byte IV, fresh for every encryption
    backend=default_backend()
)
# IV prepended to ciphertext for decryption
# CBC provides confidentiality only: decryption alone does not detect a modified ciphertext
```

Digital Signatures:

```python
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

# Sign mission documents with PSS padding
signature = private_key.sign(
    document_bytes,
    padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    ),
    hashes.SHA256()
)
```

Authentication Flow:

1. User submits credentials
2. Server validates password hash
3. OTP sent to registered email
4. User submits OTP
5. JWT issued with user claims
6. Token included in subsequent requests
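Steps 3 and 4 of this flow (6-digit code, 5-minute expiry) worked through as an added example; this is not IronVault's own `otp.py`. Codes are stored only as salted hashes, compared in constant time, and burned after one use or after a constructed limit of five failed attempts; the injectable clock is there so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 5 * 60   # 5-minute expiry, as in the feature table
MAX_ATTEMPTS = 5           # constructed limit; the page does not state one


def otp_hash(code: str, salt: bytes) -> bytes:
    # Only a salted hash is stored, so a database read never exposes a live code
    return hashlib.sha256(salt + code.encode()).digest()


class OtpStore:
    """One pending code per user: hashed at rest, single-use, time- and attempt-limited."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock makes expiry testable
        self._pending = {}           # username -> (salt, digest, expires_at, failures)

    def issue(self, username: str) -> str:
        # secrets is a CSPRNG; zero-pad so a code like "004217" keeps all six digits
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[username] = (salt, otp_hash(code, salt), expires_at, 0)
        return code  # handed to the mailer only; never written to logs

    def verify(self, username: str, code: str) -> str:
        entry = self._pending.get(username)
        if entry is None:
            return "Invalid OTP"
        salt, digest, expires_at, failures = entry
        if self._clock() > expires_at:
            del self._pending[username]
            return "OTP expired"
        # Constant-time comparison; a plain == leaks timing about matching prefixes
        if not hmac.compare_digest(otp_hash(code, salt), digest):
            failures += 1
            if failures >= MAX_ATTEMPTS:
                del self._pending[username]   # burn the code: a 6-digit space is small
            else:
                self._pending[username] = (salt, digest, expires_at, failures)
            return "Invalid OTP"
        del self._pending[username]           # single use: a replayed code is rejected
        return "Access granted"
```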
WebAuthn/Passkey Flow:

Registration:
1. Server generates challenge
2. Client creates credential (biometric/security key)
3. Server stores public key
Authentication:
1. Server sends challenge
2. Client signs with private key
3. Server verifies signature
## User Roles

| Role | Code | Description | Clearance |
|---|---|---|---|
| Field Operative | `operative` | Field Agent | Level 1 |
| Commanding Officer | `co` | Unit Commander | Level 2 |
| Central Command | `hq` | HQ Administrator | Level 3 |
Permission Matrix:

| Resource | Operative | CO | HQ |
|---|---|---|---|
| Credentials Vault | CRUD (own) | No access | No access |
| Missions | CRUD (own) | Read/Create | Read |
| Intel Reports | Read | CRUD | Read |
| Operations | No access | Create/Read | Read |
| Personnel | No access | No access | Read |
| Audit Logs | No access | No access | Read |
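Steps 5 and 6 of the login flow together with this matrix, as an added example that is not IronVault's `access_control.py`: an HS256 JWT minted and verified with the standard library only (algorithm pinned server-side, constant-time signature check, expiry enforced), then a permission lookup that yields the 401/403/200 outcomes the Testing section describes. The `PERMISSIONS` dict covers a subset of the matrix and the 1-hour `ttl` default is an assumption.

```python
import base64
import hmac
import json

# Subset of the permission matrix above: resource -> role -> allowed actions
PERMISSIONS = {
    "credentials": {"operative": {"create", "read", "update", "delete"}},
    "intel": {"operative": {"read"}, "co": {"create", "read", "update", "delete"}, "hq": {"read"}},
    "admin/users": {"hq": {"read"}},
    "admin/audit-logs": {"hq": {"read"}},
}
COMPACT = {"separators": (",", ":")}   # canonical JSON, no whitespace

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(secret: bytes, username: str, role: str, now: float, ttl: int = 3600) -> str:
    """Mint an HS256 JWT carrying the user's role and an expiry claim (ttl is assumed)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **COMPACT).encode())
    payload = b64url_encode(json.dumps({"sub": username, "role": role, "exp": int(now) + ttl}, **COMPACT).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), "sha256").digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(secret: bytes, token: str, now: float):
    """Return the claims, or None when the token is malformed, forged or expired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # Pin the algorithm server-side; never let the token choose "none" or another alg
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), "sha256").digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims

def authorize(claims, resource: str, action: str) -> int:
    """HTTP status the middleware returns: 401 missing/invalid token, 403 wrong role, 200 allowed."""
    if claims is None:
        return 401
    return 200 if action in PERMISSIONS.get(resource, {}).get(claims.get("role"), set()) else 403
```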
## Quick Start

Prerequisites:
- Python 3.10+
- Node.js 18+
- Gmail account (for OTP emails)
Backend Setup:

```bash
# Navigate to backend
cd backend

# Install dependencies
pip install -r requirements.txt

# Create .env file for email
echo "EMAIL_USER=your-email@gmail.com" > .env
echo "EMAIL_PASS=your-app-password" >> .env

# Start server
python app.py
```

Server runs on http://127.0.0.1:5000
First Run: Automatically generates:
- RSA-2048 key pair (`keys/private_key.pem`, `keys/public_key.pem`)
- AES-256 key (`keys/aes_key.key`)
- SQLite database (`ironvault.db`)
- Demo user accounts
Frontend Setup:

```bash
# Navigate to frontend
cd frontend

# Install dependencies
npm install

# Start development server
npm run dev
```

App runs on http://localhost:3000
Gmail App Password Setup:
- Enable 2-Factor Authentication on your Gmail account
- Go to Google App Passwords
- Generate a new app password for "Mail"
- Use this password in the `.env` file
## API Reference

Authentication:

| Method | Endpoint | Description |
|---|---|---|
| POST | `/auth/register` | Create new user |
| POST | `/auth/login` | Initiate login (triggers OTP) |
| POST | `/auth/verify-otp` | Verify OTP and get JWT |
| GET | `/auth/me` | Get current user info |
| POST | `/auth/change-password` | Change password |
| POST | `/auth/request-password-reset` | Request reset OTP |
| POST | `/auth/reset-password` | Reset with OTP |
WebAuthn:

| Method | Endpoint | Description |
|---|---|---|
| POST | `/auth/webauthn/register/options` | Get registration options |
| POST | `/auth/webauthn/register/verify` | Verify registration |
| POST | `/auth/webauthn/login/options` | Get authentication options |
| POST | `/auth/webauthn/login/verify` | Verify authentication |
Resources:

| Method | Endpoint | Description | Role |
|---|---|---|---|
| GET/POST | `/credentials` | Credential vault | Operative |
| GET/POST | `/missions` | Mission assignments | All |
| GET/POST | `/intel` | Intel reports | CO/HQ |
| POST | `/intel/operation` | Create operation | CO |
| GET | `/admin/users` | List all users | HQ |
| GET | `/admin/audit-logs` | Audit trail | HQ |
## Demo Accounts

| Username | Password | Role | Description |
|---|---|---|---|
| `hq_admin` | `admin123` | HQ | Central Command access |
| `alpha_co` | `manager123` | CO | Commanding Officer |
| `ghost_op` | `player123` | Operative | Field Operative |

Note: OTP verification is required for all logins.
## Testing

Authentication:

```text
# Login with correct credentials → Success
# Login with wrong password → "Invalid credentials"
```

Encryption at Rest:

```text
# Add credential to vault
# Check database → encrypted content (base64)
# View in app → decrypted plaintext
```

Digital Signatures:

```text
# Create operation as CO
# View operation details → signature present
# Verify signature → "Valid"
```

Multi-Factor Authentication:

```text
# Login → OTP sent to email
# Submit correct OTP → Access granted
# Submit wrong OTP → "Invalid OTP"
# Wait 5 minutes → "OTP expired"
```

Role-Based Access Control:

```text
# Operative accessing /admin → 403 Forbidden
# CO accessing /credentials → 403 Forbidden
# HQ accessing /admin → 200 OK
```

Tamper Detection:

```text
# Create mission with signature
# Modify mission data in DB directly
# Verify signature → "Invalid signature detected"
```

Passkeys:

```text
# Register passkey in profile
# Logout and login with passkey
# No password required → Access granted
```

Database Inspection:

```bash
# Open SQLite database
sqlite3 backend/ironvault.db
```

```sql
-- View users (passwords are hashed)
SELECT username, role, email FROM users;

-- View encrypted credentials
SELECT target_system, encrypted_password FROM credentials;

-- View audit logs
SELECT * FROM audit_logs ORDER BY created_at DESC LIMIT 10;
```

Key Files:

| File | Purpose |
|---|---|
| `backend/utils/crypto.py` | Encryption, signing, hashing |
| `backend/utils/access_control.py` | JWT & RBAC middleware |
| `backend/utils/otp.py` | OTP generation & verification |
| `backend/models.py` | Database schema & audit logging |
| `frontend/src/lib/api.ts` | API client with all endpoints |
- Keys: Auto-generated on first run, stored in `backend/keys/`
- Database: SQLite for demo; use PostgreSQL in production
- HTTPS: Use HTTPS in production for encrypted transit
- Rate Limiting: Implement for production deployment
- Key Rotation: Implement periodic key rotation for production
This project is licensed under the MIT License - see the LICENSE file for details.