--- /dev/null
+Unless --with-password-encryption=old is active, account passwords are
+stored encrypted using AES-256-CBC, using following scheme:
+----------------------------------------------------------------------
+
+Encryption/decryption key is either PASSCRYPT_KEY, or user-selected master password.
+
+We take the digest of the key using SHA-512, which gives us a 64 bytes
+long hash.
+
+The first half of the hash is XORed with the second (1st byte with
+33rd, 2nd with 34th, etc.). This is gives us 32 bytes, which is
+ey length required for AES-256-CBC.
+
+IV for the cipher is filled with random bytes.
+
+
+Encryption
+----------
+
+We prepare a buffer 128+blocksize bytes long, with one block of random
+data at the beginning, followed by the password we want to encrypt,
+rest is padded with zero bytes.
+
+We encrypt the buffer.
+
+We base64-encode the ciphertext, and store it as:
+"{algorithm}encodedciphertext"
+
+
+Decryption
+----------
+We strip the "{algorithm}" (after verifying that it matches what we
+expect) and base64-decode the remaining ciphertext.
+
+We decrypt the ciphertext.
+
+We discard the first block, and the rest is a zero-terminated string
+with our password.
+
+
+Why the random block at the beginning?
+--------------------------------------
+
+We are taking advantage of property of CBC mode where decryption with
+a wrong IV results in only first block being garbled. Therefore we
+prepend a random block to our plaintext before encryption, and discard
+first block from plaintext after decryption.
projects / claws.git / blobdiff