
A call for AEAD #280

Closed
rugk opened this issue Mar 16, 2017 · 3 comments

Comments


rugk commented Mar 16, 2017

For client-side encryption you use CCM, which is used in SJCL.
This is authenticated encryption (AEAD). GCM may just be more performant and you may switch (it's just one parameter in SJCL), but AFAIK it is not insecure.

According to your description you are using CBC with HMAC in a way that seems to be okay, but you should use authenticated encryption. Again e.g. GCM. It makes it much easier…
And simplicity is always good when it comes to using crypto.

E.g. OwnCloud had problems when they did not use AEADs…

Okay, no AEADs in older PHP versions, but you could e.g. use Libsodium or so…
At least when it is available.

rugk changed the title from "CBC, AEAD, …" to "A call for AEAD" on Mar 16, 2017

@animalillo (Collaborator)

Yes, we use AES-256-CCM.
No, it's not as simple as changing a parameter, since it would require vault regeneration and changing the whole encryption code of the Android app, which, believe me, is pretty hard, and I don't think it's such a big performance implication.

Also, if it's about performance, you should be thankful we use a slow algorithm as it takes longer to brute-force!

So, as we don't currently have time to make such a huge change, I don't think we will think about changing the client-side encryption algorithm.

@brantje (Member)

brantje commented Mar 16, 2017

What @animalillo said. Also the browser extension has to be updated.
Also, changing the encryption makes the app more error-prone, since we have to check the encryption we used. If it's an old one, update it. Not even speaking of the sharing part.

You're welcome to fork passman and make a PR.

brantje closed this as completed Mar 16, 2017

@rugk (Author)

rugk commented Mar 16, 2017

I agree on all parts except this:

since we have to check the encryption we used. If it's an old one, update it.

I think at some time you'll have to do that anyway. You can't really claim you can/should use the current encryption algorithm in 10 or 20 years. It likely is not broken, but better ones are available…
So it's always a good idea to have some way to check the "version" of the encryption algorithm of a vault or so. 😃
