Describes how to encrypt data using a password. Notably, we care about encrypting keys in the case they have to be stored on disk.
We need a specification for the encryption used in Yoroi so that
- We can reference it in other specifications that need to access an encryption functionality ("encrypt in the same way mentioned in the encryption spec")
- Other wallets can implement the same encryption scheme for better ecosystem compatibility (ex: export your master key from one wallet and import it in another)
- We can easily explain to engineers how the encryption works
HMAC [RFC 2104] takes a key (here the password) and a hash function (in this case SHA512 [RFC 6234]) and computes a keyed hash in a way that is secure against attacks that work against the naive hash-of-key-and-message construction, such as length extension attacks.
PBKDF2 [RFC 8018 - PKCS#5 section 5.2]
PBKDF2 is a way to repeatedly apply a pseudo-random function (here HMAC-SHA512) for a specified number of iterations to obtain a new key of a specified length.
ChaCha20Poly1305 [RFC 8439]
ChaCha20 is a cipher (an algorithm for encrypting/decrypting)
Poly1305 is a MAC (used to check the authenticity and integrity of a message)
ChaCha20Poly1305 combines these together to give an algorithm that both encrypts the data and allows checking the authenticity and integrity of the result (i.e. it satisfies AEAD: authenticated encryption with associated data)
Encryption
- Call PBKDF2 with
  - HMAC-SHA512 applied to a user-provided password as the Pseudo-Random Function
  - A randomly-initialized 32-byte array as the salt
  - 19162 iterations
  - Key size of 32 bytes
- Call ChaCha20Poly1305 encrypt with
  - Result of PBKDF2 as the key
  - A randomly-initialized 12-byte array as the nonce
  - Tag size of 16 bytes
  - An empty additional authenticated data (AAD) field
- Return a byte array representing the concatenation of
  - The salt
  - The nonce
  - The MAC from ChaCha20Poly1305
  - The encrypted byte array from ChaCha20Poly1305

Decryption
- Deconstruct the byte array returned from encryption
- Construct the key using PBKDF2 the same way as when doing encryption
- Call ChaCha20Poly1305 decrypt and check if the tag matches
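The encryption and decryption procedure above, as an added worked example that is not Yoroi's own code. It assumes the third-party `cryptography` package for ChaCha20-Poly1305 (PBKDF2-HMAC-SHA512 comes from Python's standard library); the function names, the optional `salt`/`nonce` parameters used for deterministic testing, and the sample password and plaintext are all constructed for this example.

```python
import hashlib
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

# Parameters fixed by the spec above
SALT_LEN = 32      # random salt fed to PBKDF2
NONCE_LEN = 12     # random nonce fed to ChaCha20Poly1305
TAG_LEN = 16       # Poly1305 authentication tag
KEY_LEN = 32       # PBKDF2 output, used as the ChaCha20 key
ITERATIONS = 19162
HEADER_LEN = SALT_LEN + NONCE_LEN + TAG_LEN


def derive_key(password: bytes, salt: bytes) -> bytes:
    """PBKDF2 with HMAC-SHA512 as the PRF, 19162 iterations, 32-byte key."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS, dklen=KEY_LEN)


def encrypt_with_password(password: bytes, data: bytes,
                          salt: Optional[bytes] = None,
                          nonce: Optional[bytes] = None) -> bytes:
    """Return the byte array salt || nonce || tag || ciphertext.

    `salt` and `nonce` are hypothetical parameters that exist only so a test
    can be deterministic; real callers leave them as None so that fresh random
    values are drawn for every encryption.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(salt) != SALT_LEN or len(nonce) != NONCE_LEN:
        raise ValueError("salt must be 32 bytes and nonce 12 bytes")
    key = derive_key(password, salt)
    # The library returns ciphertext || tag; the spec stores the tag before
    # the ciphertext, so split and reorder. AAD is empty per the spec.
    ct_and_tag = ChaCha20Poly1305(key).encrypt(nonce, data, b"")
    ciphertext, tag = ct_and_tag[:-TAG_LEN], ct_and_tag[-TAG_LEN:]
    return salt + nonce + tag + ciphertext


def decrypt_with_password(password: bytes, blob: bytes) -> bytes:
    """Deconstruct the blob, re-derive the key and decrypt.

    Raises ValueError when the Poly1305 tag does not verify, which is what a
    wrong password or any modification of the stored bytes looks like.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("encrypted blob too short to contain salt, nonce and tag")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:HEADER_LEN]
    ciphertext = blob[HEADER_LEN:]
    key = derive_key(password, salt)
    try:
        return ChaCha20Poly1305(key).decrypt(nonce, ciphertext + tag, b"")
    except InvalidTag:
        raise ValueError("wrong password or corrupted data") from None


def password_is_correct(password: bytes, blob: bytes) -> bool:
    """True if the blob decrypts (i.e. the tag verifies) under this password."""
    try:
        decrypt_with_password(password, blob)
        return True
    except ValueError:
        return False


def tampering_is_detected(password: bytes, blob: bytes) -> bool:
    """Flip one bit of the stored ciphertext and confirm decryption now fails.

    Shows why the MAC matters for keys at rest: a corrupted or modified file
    is rejected instead of yielding silently wrong key material.
    """
    if len(blob) <= HEADER_LEN:
        return False  # nothing after the header to corrupt
    corrupted = bytearray(blob)
    corrupted[HEADER_LEN] ^= 0x01
    return not password_is_correct(password, bytes(corrupted))


if __name__ == "__main__":
    # Constructed sample input, not real key material.
    password = b"correct horse battery staple"
    master_key = b"\x7f" * 64  # stand-in for a 64-byte master key
    blob = encrypt_with_password(password, master_key)
    assert decrypt_with_password(password, blob) == master_key
    assert not password_is_correct(b"wrong password", blob)
    assert tampering_is_detected(password, blob)
    print("round trip ok; blob length", len(blob))
```

The blob layout is exactly the concatenation the spec lists (32-byte salt, 12-byte nonce, 16-byte tag, then ciphertext), so another wallet that follows the spec can parse what this produces by slicing at fixed offsets; the only library-specific detail is that `cryptography` appends the tag to the ciphertext, which the code reorders on the way out and back in.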