Encryption questions: Key storage, decryption process, and others

Hi @amirstep,
Please see my answers below:

  1. Data encryption/decryption:

Encrypting:

  • Generate a random 64-bit salt (S)
  • Generate a 128-bit key (K) using PBKDF2 with S and the user’s passphrase (P), 5000 iterations, and HMAC-SHA256 for PRF
  • Generate a random 128-bit initialization vector (IV)
  • Compute a hash (H) of the file data using SHA256
  • Plaintext (PT) is: (file data + H + PKCS #7 padding to the next multiple of 16 bytes)
  • Generate the ciphertext (CT) using AES-CBC to encrypt PT using the K and IV
  • Get the 8-bit internal odrive Encryption version designation (V)
  • Write to output file V+S+IV+CT

Decrypting:

  • Read V, S, and IV from the beginning of the encrypted file
  • Derive K using S and P
  • Decrypt the CT using K and IV to plaintext (PT)
  • Unpad the PT
  • Strip H from the end of PT
  • Calculate new hash (H2) of the resulting PT and compare to H
  2. AES is symmetric encryption
  3. The key is never stored. The key is derived from the salt and passphrase, as described above. The passphrase is stored on the local system, once you enter it for the first time. It is stored to prevent needing to continually enter the passphrase.

    The passphrase is kept in the keychain on Mac and in an encrypted registry entry on Windows using Microsoft’s CryptoAPI.

  4. File names and folder name encryption/decryption

Encrypting:

  • Generate a random 64-bit salt (S)
  • Generate a 128-bit key (K) using PBKDF2 with S and the user’s passphrase (P), 5000 iterations, and HMAC-SHA256 for PRF
  • Generate a random 128-bit initialization vector (IV)
  • Plaintext (PT) is: (4 zero bytes + the filename + PKCS #7 padding to the next multiple of 16 bytes)
  • Get the ciphertext (CT) using AES-CBC to encrypt the PT using the K and IV
  • Get the 8-bit internal odrive Encryption version designation (V)
  • URL-safe, base64 encode (V+S+IV+CT)

Decrypting:

  • Decode URL-safe, base64 filename
  • Read V, S, and IV from the beginning of the decoded filename
  • Derive K using S and P
  • Decrypt the CT using K and IV
  • Check that the new filename starts with 4 zero bytes
  • Strip zero bytes and padding
  5. File sizes increase due to the additional information prepended to the ciphertext and the hash appended to the plaintext before encrypting. The plaintext also needs to be padded to a multiple of the block size, and the amount of padding will vary, depending on the size of the original file.

Python-based decryption utility:

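The file and filename layouts described in the answer above, as an added Python example; it is not odrive's code or its decryption utility. It covers the steps that need only the standard library (splitting V+S+IV+CT, deriving K, validating the plaintext after AES-CBC decryption, and the resulting size overhead); the AES-CBC step itself is left to a crypto library, and the function names and UTF-8 passphrase encoding are assumptions.

```python
import hashlib
import hmac

BLOCK, SALT_LEN, IV_LEN, HASH_LEN = 16, 8, 16, 32
HEADER_LEN = 1 + SALT_LEN + IV_LEN  # V (8 bits) + S (64 bits) + IV (128 bits)

def parse_container(blob: bytes):
    """Split V+S+IV+CT; the CT must be a whole number of AES blocks."""
    ct = blob[HEADER_LEN:]
    if len(ct) < BLOCK or len(ct) % BLOCK:
        raise ValueError("truncated or misaligned container")
    return blob[0], blob[1:1 + SALT_LEN], blob[1 + SALT_LEN:HEADER_LEN], ct

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """128-bit K from PBKDF2-HMAC-SHA256, 5000 iterations (UTF-8 is assumed)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 5000, dklen=16)

def pkcs7_unpad(pt: bytes) -> bytes:
    """Strict unpad: every padding byte must equal the padding length."""
    n = pt[-1] if pt and len(pt) % BLOCK == 0 else 0
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS #7 padding")
    return pt[:-n]

def check_file_plaintext(pt: bytes) -> bytes:
    """Unpad, strip H from the end, recompute H2 and compare."""
    body = pkcs7_unpad(pt)
    if len(body) < HASH_LEN:
        raise ValueError("plaintext too short to hold H")
    data, h = body[:-HASH_LEN], body[-HASH_LEN:]
    if not hmac.compare_digest(hashlib.sha256(data).digest(), h):
        raise ValueError("hash mismatch: wrong passphrase or altered file")
    return data

def check_name_plaintext(pt: bytes) -> bytes:
    """Unpad and require the 4 leading zero bytes before the filename."""
    body = pkcs7_unpad(pt)
    if body[:4] != b"\x00" * 4:
        raise ValueError("missing zero prefix: wrong passphrase or altered name")
    return body[4:]

def encrypted_size(n: int) -> int:
    """Output size for an n-byte file: header + padded (data + H)."""
    return HEADER_LEN + ((n + HASH_LEN) // BLOCK + 1) * BLOCK
```

For example, a 5-byte file becomes 73 bytes on disk: 25 bytes of header plus 48 bytes of ciphertext.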