2
Encryption format
rugk edited this page 2018-03-02 16:36:26 +01:00
Table of Contents
Data passed in
The following data is what we pass in
paste_password: UTF-8 string
paste_data: UTF-8 text
Process data
If paste_password is not set:
paste_passphrase = base64(random(32)) # 32 bytes
if a paste_password has been specified:
paste_passphrase = base64(random(32)) + hex(sha256(paste_password))
Processing of the paste_data:
paste_blob = base64(zlib.compress(paste_data))
The paste_blob is passed base64 encoded to the AES function.
Because of a bug in the deflate algorithm used in PrivateBin you cannot use a standard-conform deflate algorithm for that.
Key generation for encryption (PBKDF2)
kdf_salt = random(7) - 7 bytes **<<< does this need to be base64 encoded?**
kdf_iterations = 1000
kdf_keysize = 256 # bits of resulting kdf_key
kdf_key = PBKDF2HMAC(SHA256, kdf_keysize, kdf_salt, paste_password)
Does the kdf_key need to be base64 encoded to pass it into AES?
Encryption
cipher_iv = random(16) # 128 bit **<<<< does this need to be base64 encoded passing it into the AES function?**
cipher_strength = 128
cipher_associated_data = ""
cipher_text = Cipher(AES(kdf_key), GCM(iv, cipher_associated_data), paste_blob)
cipher_data = {"iv": cipher_iv,
"v": 1,
"iter": kdf_iterations,
"ks": kdf_keysize,
"ts": cipher_strength,
"mode": cipher_mode,
"adata": cipher_associated_data,
"cipher": cipher_algo,
"salt": kdf_salt,
"ct": cipher_text}