
Encryption

Juan Wajnerman edited this page Jan 28, 2018 · 1 revision

Values in the session can be encrypted. To support different types of encrypted values, the data to be encrypted is first encoded as JSON.

We use NaCl as the basis for encryption. It provides public key cryptography based on elliptic curves.

Then, an encryption "box" is constructed with the following structure:

[
  server_public_key,
  nonce_base,
  [
    [recipient_1_public_key, data_1],
    [recipient_2_public_key, data_2],
    ...
  ]
]

where:

  • server_public_key: The public part of the NaCl key pair used by the server to encrypt the values (32 bytes).
  • nonce_base: The first 20 bytes of the nonce used to encrypt the data for each recipient.
  • recipient_N_public_key: The public key of each recipient (32 bytes).
  • data_N: The data encrypted for each recipient.

For each recipient, the data is encrypted using the standard NaCl crypto_box routine. The nonce is constructed by appending to nonce_base the index of the recipient, converted to ASCII and padded with zeros. For example, the nonce for the first recipient will be nonce_base + "0000", the nonce for the second recipient will be nonce_base + "0001", etc.

The box is then encoded using the MessagePack format, encoded in Base64 and finally inserted in a JSON object with the following structure:

{
  "type": "encrypted",
  "version": "1",
  "data": "mKCCJYca/J7IE... ...Cxnylaip/4BGnc="
}
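
The following validator is an added example, not code from this project: it checks an encrypted value against the layout described above and derives each recipient's nonce before anything is handed to crypto_box. It assumes the byte fields are stored as MessagePack bin or str values; the names unpack, parse_envelope, pack_bin and SAMPLE are hypothetical, and the sample box is constructed filler, not real ciphertext.

```python
import base64, json
KEY_LEN, NONCE_BASE_LEN, NONCE_LEN = 32, 20, 24   # 24 = crypto_box nonce: 20-byte base + 4 index digits
LEN_BYTES = {0xc4: 1, 0xd9: 1, 0xc5: 2, 0xda: 2, 0xdc: 2}   # bin8, str8, bin16, str16, array16

def unpack(buf, pos=0):   # MessagePack subset (arrays, byte strings) -> (value, next_pos)
    tag = buf[pos]
    if tag in LEN_BYTES:
        n = int.from_bytes(buf[pos + 1:pos + 1 + LEN_BYTES[tag]], "big")
        pos += 1 + LEN_BYTES[tag]
    elif 0x90 <= tag <= 0xbf:                       # fixarray 0x90-0x9f, fixstr 0xa0-0xbf
        n, pos = tag & (0x0f if tag < 0xa0 else 0x1f), pos + 1
    else:
        raise ValueError(f"unexpected MessagePack tag 0x{tag:02x}")
    if tag == 0xdc or tag < 0xa0:                   # array: decode its n elements
        items = []
        for _ in range(n):
            item, pos = unpack(buf, pos)
            items.append(item)
        return items, pos
    if pos + n > len(buf):
        raise ValueError("truncated byte string")
    return buf[pos:pos + n], pos + n

def is_bytes(value, size): return isinstance(value, bytes) and len(value) == size

def parse_envelope(text):   # -> (server_pk, [(recipient_pk, nonce, ciphertext), ...]) or ValueError
    env = json.loads(text)
    try:
        if (env["type"], env["version"]) != ("encrypted", "1"):
            raise ValueError("not a version 1 encrypted value")
        raw = base64.b64decode(env["data"], validate=True)
        (server_pk, nonce_base, recipients), end = unpack(raw)
    except (IndexError, KeyError, TypeError, RecursionError) as exc:
        raise ValueError("malformed or truncated box") from exc
    ok = is_bytes(server_pk, KEY_LEN) and is_bytes(nonce_base, NONCE_BASE_LEN) and isinstance(recipients, list)
    if end != len(raw) or not ok:
        raise ValueError("trailing bytes, or bad server key / nonce_base / recipient list")
    out = []
    for i, entry in enumerate(recipients):
        nonce = nonce_base + b"%04d" % i            # nonce_base + "0000", "0001", ...
        if len(nonce) != NONCE_LEN or not (isinstance(entry, list) and len(entry) == 2
                and is_bytes(entry[0], KEY_LEN) and isinstance(entry[1], bytes)):
            raise ValueError(f"bad entry for recipient {i}")   # also hit when the index needs 5 digits
        out.append((entry[0], nonce, entry[1]))
    return server_pk, out

def pack_bin(b): return b"\xc4" + bytes([len(b)]) + b   # bin8 encoder, used only to build the sample
SAMPLE_BOX = b"\x93" + pack_bin(b"S" * 32) + pack_bin(b"N" * 20) + b"\x92" + b"".join(
    b"\x92" + pack_bin(k * 32) + pack_bin(b"ciphertext") for k in (b"A", b"B"))   # constructed filler
SAMPLE = json.dumps({"type": "encrypted", "version": "1", "data": base64.b64encode(SAMPLE_BOX).decode()})
```

Because the index occupies exactly four ASCII digits, a box with more than 10000 recipients cannot yield a valid 24-byte nonce, and the validator rejects it.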