End to End Encryption
The e2e encryption is designed to have multiple versions. This allows us to obsolete a version for encryption while still allowing decryption of files encrypted using obsolete versions. It works by writing the version used to encrypt as the first 32 bits of the file. During decryption the version is read back and we route the file to the correct decryption library.
V1 uses an AES-256 cipher in CTR mode, authenticated with an HMAC using SHA-512.
The AES and HMAC keys are generated from a user supplied password and a random 256-bit per-file salt using scrypt with 2^18 iterations. This process takes ~1s. The number of iterations is encoded in the message header as plaintext and used during decryption. This allows us to increase this number in the future without breaking backward compatibility. The random salt is also encoded in the header as plaintext.
+--------+            Key Generation           +-------------+
| passwd +--------+                       +--> | AESKey(256) |
+--------+        |    +--------+         |    +-------------+
                  +--> | scrypt +---------+
+---------------+ |    +--------+         |    +--------------+
| randSalt(256) +-+                       +--> | HMACKey(256) |
+---------------+                              +--------------+
The 256-bit AES key and a random per-file IV are used in CTR mode to encrypt the file. The random IV is written as plaintext to the header.
The iterations, random salt, random IV, and encrypted message are hashed using an SHA-512 HMAC keyed with a 256-bit key. The result is appended to the end of the message.
Message Format
+--------------------------------------------------------------------+
| Version | scryptIterations | randSalt | randIV | cipherText | hmac |
+--------------------------------------------------------------------+
   (32)           (32)           (256)     (128)    (varies)    (512)
Decryption starts by parsing the scrypt iterations, salt, and IV from the file. The salt, iterations, and user's password are used to generate the AES and HMAC keys, exactly as during encryption. The entire file is then written to a temp file while the HMAC is recomputed. The result is compared with the last 512 bits to ensure the file hasn't been altered and that the password the user supplied is correct. If nothing is wrong, the AES key and IV are used to decrypt the temp file.
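To make the V1 layout and the verify-before-decrypt order concrete, here is an added example in Ruby using its OpenSSL bindings; it is not the project's own code. It assumes big-endian header integers, scrypt r=8 and p=1, and that the 64 bytes scrypt returns are split into the AES key followed by the HMAC key, none of which the page states; the demo value of 2^14 iterations keeps it fast and inside OpenSSL's default scrypt memory budget, whereas the page's production value is 2^18.

```ruby
require "openssl"
require "securerandom"
VERSION  = 1    # written as the first 32 bits of the file
SALT_LEN = 32   # randSalt(256)
IV_LEN   = 16   # randIV(128)
MAC_LEN  = 64   # SHA-512 HMAC (512)

# scrypt r=8, p=1 and splitting the 64-byte output into AESKey(256) || HMACKey(256)
# are assumptions for this example; the page does not state them.
def derive_keys(password, salt, iterations)
  km = OpenSSL::KDF.scrypt(password, salt: salt, N: iterations, r: 8, p: 1, length: 64)
  [km[0, 32], km[32, 32]]
end
def ct_equal(a, b)  # constant-time comparison of two HMAC tags
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def encrypt_v1(password, plaintext, iterations)
  salt = SecureRandom.random_bytes(SALT_LEN)
  iv   = SecureRandom.random_bytes(IV_LEN)
  aes_key, mac_key = derive_keys(password, salt, iterations)
  cipher = OpenSSL::Cipher.new("aes-256-ctr")
  cipher.encrypt
  cipher.key = aes_key
  cipher.iv  = iv
  # Header integers are big-endian (assumption). The HMAC covers iterations,
  # salt, IV and ciphertext, as described above; the version field precedes it.
  body = [iterations].pack("N") + salt + iv + cipher.update(plaintext) + cipher.final
  [VERSION].pack("N") + body + OpenSSL::HMAC.digest("SHA512", mac_key, body)
end

# Returns the plaintext, or nil when the HMAC fails (wrong password or altered file).
def decrypt_v1(password, blob)
  version = blob[0, 4].unpack1("N")
  raise "unsupported e2e version #{version}" unless version == VERSION
  body = blob[4, blob.bytesize - 4 - MAC_LEN]
  tag  = blob[-MAC_LEN, MAC_LEN]
  iterations = body[0, 4].unpack1("N")
  salt = body[4, SALT_LEN]
  iv   = body[4 + SALT_LEN, IV_LEN]
  aes_key, mac_key = derive_keys(password, salt, iterations)
  # Verify first; nothing is decrypted until the tag has been checked.
  return nil unless ct_equal(OpenSSL::HMAC.digest("SHA512", mac_key, body), tag)
  cipher = OpenSSL::Cipher.new("aes-256-ctr")
  cipher.decrypt
  cipher.key = aes_key
  cipher.iv  = iv
  cipher.update(body[(4 + SALT_LEN + IV_LEN)..-1]) + cipher.final
end
```

A real implementation streams the file through the HMAC and cipher rather than holding it in memory, as the temp-file step above describes.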