Security Model

Local-Only Architecture

Every operation in PRISM runs entirely on your device. No certificates, private keys, CSRs, PFX files, or any other cryptographic material is ever transmitted to an external server. The only outbound network requests are a periodic version check and, optionally, direct API calls to a ClearPass server you configure.

Certificate Vault Modes

The Certificate Bundle feature lets you group lifecycle files (CSR, private key, signed certificate, chain, PFX) under one inventory entry. Three storage modes are available:

Metadata Only

No files are stored by the app. Certificate details (subject, issuer, expiry, SANs) are tracked in a local JSON database. Your files remain wherever you originally saved them.

Master Password Vault

Uses two-layer envelope encryption:

• App-level key derivation: PBKDF2-SHA256 with 600,000 iterations (OWASP recommended) and a 32-byte random app salt. Derives a MasterKey that is held in memory only — never written to disk.
• Per-entry VaultKey: A fully random 256-bit key is generated for each inventory entry and stored AES-256-GCM encrypted with the MasterKey as vault_key.enc. File encryption keys have maximum entropy independent of password strength.
• File encryption: AES-256-GCM with a random nonce per file, keyed with the per-entry VaultKey.
• Password verification: A known constant is AES-256-GCM encrypted with the MasterKey and stored as app.verifier.enc. Correct password is confirmed by successful decryption — the password itself is never stored.
• Password change: Re-deriving the MasterKey and re-encrypting only the vault_key.enc files is sufficient — the underlying file blobs are untouched.
• Recovery: None. If you forget the vault password, the encrypted files cannot be decrypted by anyone, including the developer. There is no reset mechanism.
• Storage location: ~/Library/Application Support/tech.cmdlab.prism/vault/ — file permissions set to 0600/0700.

Keychain Vault

• Key storage: A 256-bit AES key is generated once and stored in the macOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly.
• Sensitive files (private key, PFX): encrypted with AES-256-GCM using the Keychain key.
• Non-sensitive files (CSR, signed certificate, chain): stored as file path references — files remain in their original location on disk.
• Protection level: The vault key is accessible to any process running as your macOS user account when the screen is unlocked. Anyone with your macOS login credentials can access the vault.

Cryptographic Implementation

PRISM uses standard cryptographic libraries that are part of the macOS operating system. No custom cipher implementations, custom padding schemes, or non-standard key derivation functions are used. This means security properties depend on the correctness of these well-established, widely-audited system libraries — not on any code written specifically for PRISM.

What Is NOT Protected

• The inventory metadata database (inventory.json) is stored as plain JSON. It contains certificate details (subject, issuer, expiry, SANs) but not key material. File permissions are set to 0600.
• Path references in Keychain and Metadata Only modes point to files outside the app's vault. If those files are moved, deleted, or accessed by other processes, the app has no control over that.
• The app does not prevent screen capture, memory inspection, or access by processes running under the same user account.

Intended Use

PRISM is designed for individual practitioners and small teams managing certificates in development, staging, and professional environments. It is appropriate for storing private keys associated with certificates that can be revoked and reissued if compromised.

PRISM is not a replacement for a Hardware Security Module (HSM), enterprise Key Management System (KMS), or any system subject to compliance mandates (PCI-DSS, HIPAA, FedRAMP, etc.) that require dedicated key custody controls.

Compliance & Export Controls

PRISM uses only standard, publicly available cryptographic algorithms — RSA, ECDSA (P-256/P-384/P-521), AES-256-GCM, SHA-256, and PBKDF2-SHA256. These are provided exclusively by Apple's Security framework and CommonCrypto, both of which are part of macOS. No custom cipher implementations are included.

Under U.S. Export Administration Regulations (EAR), PRISM qualifies as mass-market encryption software under ECCN 5D992.c and is eligible for the License Exception ENC. This means:

• No BIS notification or filing is required before download or distribution.
• No annual encryption registration report (SNAP-R) is required.
• No export license is required for distribution to most destinations.

The following notices apply to all users:

• PRISM generates certificates for local, development, and internal use only. Certificates produced by PRISM are self-signed or signed by a local Certificate Authority and are not publicly trusted by browsers or operating systems.
• Private keys and CA roots never leave your machine. No cryptographic material is transmitted to any external server.
• You are responsible for protecting your keys and for complying with any regulations, policies, or compliance requirements applicable to your environment.
• This software uses standard cryptography and is not subject to U.S. encryption export notification requirements.

Developer Disclaimer