rncryptor / rncryptor-spec
Specifications and test vectors for RNCryptor file format
If the padding is application specific, the spec should at least warn implementers about it. Defining a padding as part of the format might be better.
Why is the EncryptionKey not part of the HMAC?
So if the HMAC is checked, a wrong EncryptionKey would prevent the encryption.
HMAC = HMAC(Header || Ciphertext, HMACKey, SHA-256)
HMAC = HMAC(Header || Ciphertext || EncryptionKey, HMACKey, SHA-256)
This draft is extremely close to what RNCryptor already does (since it's basically what every secure format based on CBC is going to look like…)
In considering a v4 format, make sure that RNCryptor is explicitly derived from one of these modes (probably AEAD_AES_256_CBC_HMAC_SHA384; maybe AEAD_AES_256_CBC_HMAC_SHA512).
Single PBKDF2 w/ single salt.
Add length to HMAC data.
Currently there are two iterations of PBKDF2, one for encryption, one for HMAC. This isn't necessary. We can create one larger MCK (master content key) and break that up into smaller keys as needed. Creating an MCK is a better way to think about the problem (and only requires one salt, saving us 8 bytes in the format).
Look at RFC-5869 (HKDF) in order to expand IV and both keys from a single salt+password.
Also http://crypto.stackexchange.com/questions/12943/computing-iv-for-cbc-from-pbkdf2-hkdf
Currently, in order to determine if the password is correct, you have to HMAC the entire message. This has several problems:
Use password to generate a KEK. Wrap the CEK (and possibly HMAC-Key? IV?) in an encrypted bundle. When decrypting, use password to validate bundle rather than entire ciphertext.
Having considered RFC 3394, it is not currently favored (and appears somewhat pointless).
I saw that the V3 format is using SHA1 with 10,000 iterations for key derivation, which is rather far away from the current recommendation of 1,300,000 iterations. I read in your FAQs that the decision to hardcode the iterations is intentional to make the format interoperable, but since RNCryptor's pbkdf2 functionality is still used by apps in the app store, I'm wondering what the best approach would be to prevent these apps from relying on such a low iteration count.
Requirement: Must allow PBKDF2 iterations to be defined between 1,000 and 1,000,000 (10^6). Common values in 2013 go up to 100,000 (10^5), so we would like at least one more order of magnitude to be available without adjusting the format.
Take bits 4-6 of options and make them log10(iterations) (bit 6 is MSB). So 4 would be 1,000, 6 would be 1,000,000. If it is 0, then default to 10,000 (the current setting). Bit 7 is left as reserved (if the range needs to be expanded in the future, it could be redefined as part of this field, but for now it is designated as reserved).
This provides a range of [10:10^7] in powers of 10.
Add new 3- or 4-byte field for iterations, specified using bit 1 in options.
This provides a range of [0:2^24) or [0:2^32).
Advantages:
Disadvantages:
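The two encodings proposed above, as an added example (not code from the rncryptor-spec repository or from the proposal's author), written in Python with only the standard library. It follows the log10 rule and the stated [10:10^7] range literally, so a field value of 4 decodes to 10,000 and 0 to the 10,000 default; the 0x02 value for "bit 1 in options", the big-endian 4-byte layout of the explicit field, and strict rejection of a set reserved bit are assumptions made here for illustration.

```python
"""Added example (not from the rncryptor-spec repository): encoding a PBKDF2
iteration count in the options byte, following the two alternatives in the
proposal above.  Bit positions follow the proposal text; EXPLICIT_FIELD_BIT,
the big-endian 4-byte layout and strict reserved-bit handling are assumptions."""
import struct

DEFAULT_ITERATIONS = 10_000          # what a zero field means (the current v3 setting)
ITER_SHIFT = 4                       # bits 4-6 hold log10(iterations); bit 6 is the MSB
ITER_MASK = 0x7 << ITER_SHIFT
RESERVED_BIT = 0x80                  # bit 7 is reserved; a strict parser requires it to be 0
EXPLICIT_FIELD_BIT = 0x02            # assumed: "bit 1 in options" flags a 4-byte iteration field


def encode_log10_iterations(options: int, iterations: int) -> int:
    """Return the options byte with bits 4-6 set to log10(iterations).

    Only exact powers of ten in [10, 10^7] are representable; anything else is
    rejected rather than silently rounded to a weaker count.
    """
    exp, n = 0, iterations
    while n > 1 and n % 10 == 0:
        n //= 10
        exp += 1
    if n != 1 or not 1 <= exp <= 7:
        raise ValueError("iterations must be a power of ten between 10 and 10^7")
    return (options & ~ITER_MASK & 0xFF) | (exp << ITER_SHIFT)


def decode_log10_iterations(options: int) -> int:
    """Inverse of encode_log10_iterations; a zero field selects the default."""
    exp = (options & ITER_MASK) >> ITER_SHIFT
    return DEFAULT_ITERATIONS if exp == 0 else 10 ** exp


def encode_explicit_iterations(options: int, iterations: int) -> bytes:
    """Alternative proposal: flag bit 1 and append the count as a 4-byte unsigned field."""
    if not 0 <= iterations < 2 ** 32:
        raise ValueError("iterations do not fit a 4-byte field")
    return bytes([(options | EXPLICIT_FIELD_BIT) & 0xFF]) + struct.pack(">I", iterations)


def parse_iterations(data: bytes) -> tuple:
    """Parse the options byte at data[0]; return (iterations, bytes consumed).

    A strict parser rejects a set reserved bit and a truncated explicit field
    instead of guessing, so that two implementations cannot read the same
    header differently.
    """
    if not data:
        raise ValueError("missing options byte")
    options = data[0]
    if options & RESERVED_BIT:
        raise ValueError("reserved bit 7 is set")
    if options & EXPLICIT_FIELD_BIT:
        if len(data) < 5:
            raise ValueError("truncated iteration field")
        return struct.unpack(">I", data[1:5])[0], 5
    return decode_log10_iterations(options), 1


if __name__ == "__main__":
    # 0x01 is the v3 "password mode" bit; both encoders leave it untouched.
    opts = encode_log10_iterations(0x01, 100_000)
    print(hex(opts), parse_iterations(bytes([opts])))
    print(parse_iterations(encode_explicit_iterations(0x01, 250_000)))
```

The log10 variant costs no header bytes but only represents powers of ten; the explicit field costs four bytes and represents any count below 2^32. Either way a decoder should treat an unrepresentable or malformed value as a hard error, never as "fall back to the default".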
Since you need to run password derivation two times (HMAC and encryption key), the number of acceptable iterations must be half the number which would be possible. It would be better to either derive both keys from a single PBKDF2 procedure (allows key expansion) or from hash-deriving two keys from a single PBKDF2 master secret. The latter has the additional advantage that the two different keys would contain a usage-specific identifier (and not only the semantic-free salt).
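The single-PBKDF2 approach from the "Single PBKDF2 w/ single salt" draft above, with the usage-specific subkeys this comment asks for and the draft's "add length to HMAC data" item, as an added example (not code from the rncryptor-spec repository or from any commenter). It uses only the Python standard library: one PBKDF2 run yields a master content key, and an RFC 5869 HKDF-Expand with a distinct info label per purpose splits it into an encryption key, an HMAC key and an IV. The label strings, key sizes, SHA-256 as the hash, and the 8-byte length suffix are assumptions for illustration, not values from the v3 format.

```python
"""Added example (not from the rncryptor-spec repository or any commenter):
one PBKDF2 run produces a master content key (MCK); HKDF-Expand (RFC 5869)
splits it into per-purpose subkeys bound to a usage label.  Labels, key sizes,
hash choice and the length suffix are assumptions made for illustration."""
import hashlib
import hmac

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); an absent salt is HashLen zeros."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: OKM = T(1) || T(2) || ... with T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds the HKDF limit of 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_material(password: bytes, salt: bytes, iterations: int) -> dict:
    """Single PBKDF2 run, single salt, then per-purpose subkeys via HKDF-Expand.

    PBKDF2 output is already uniformly random, so it serves directly as the
    HKDF PRK (RFC 5869 allows skipping Extract for such input).  The info
    labels make each derivation differ by purpose, not only by salt.
    """
    mck = hashlib.pbkdf2_hmac(HASH, password, salt, iterations, dklen=HASH_LEN)
    return {
        "enc_key": hkdf_expand(mck, b"rncryptor-example:enc", 32),   # assumed label
        "hmac_key": hkdf_expand(mck, b"rncryptor-example:hmac", 32),  # assumed label
        "iv": hkdf_expand(mck, b"rncryptor-example:iv", 16),          # assumed label
    }


def authenticate(hmac_key: bytes, header: bytes, ciphertext: bytes) -> bytes:
    """HMAC over header || ciphertext with the ciphertext length appended (assumed 8-byte
    big-endian suffix), so a truncated message never verifies as a shorter valid one."""
    msg = header + ciphertext + len(ciphertext).to_bytes(8, "big")
    return hmac.new(hmac_key, msg, HASH).digest()


def verify(hmac_key: bytes, header: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison; a plain == would leak timing."""
    return hmac.compare_digest(authenticate(hmac_key, header, ciphertext), tag)


if __name__ == "__main__":
    # Constructed sample inputs; a real salt comes from a CSPRNG.
    material = derive_material(b"correct horse", bytes(range(8)), 10_000)
    for name, value in material.items():
        print(name, value.hex())
```

With this layout the full iteration budget goes into one PBKDF2 call, and the HMAC key and encryption key are distinguishable by their info labels even if the same password and salt were reused; the HKDF functions can be checked against the RFC 5869 test vectors before being trusted.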