forked from TrueCloudLab/restic
Clarify use of poly1305
parent
53ad706c6d
commit
02282a4fff
1 changed files with 12 additions and 3 deletions
|
@ -72,6 +72,16 @@ A repository can be initialized with the `restic init` command, e.g.:
|
||||||
Keys, Encryption and MAC
|
Keys, Encryption and MAC
|
||||||
------------------------
|
------------------------
|
||||||
|
|
||||||
|
All data stored by restic in the repository is encrypted with AES-256 in
|
||||||
|
counter mode and signed with Poly1305-AES. For encrypting new data first 16
|
||||||
|
bytes are read from a cryptographically secure pseudorandom number generator as
|
||||||
|
a random nonce. This is used both as the IV for counter mode and the nonce for
|
||||||
|
Poly1305. This operation needs three keys: A 32 byte for AES-256 for
|
||||||
|
encryption, a 16 byte AES key and a 16 byte key for Poly1305. For details see
|
||||||
|
the original paper[The Poly1305-AES message-authentication
|
||||||
|
code](http://cr.yp.to/mac/poly1305-20050329.pdf) by Dan Bernstein. The
|
||||||
|
ciphertext is stored as IV || CIPHERTEXT || MAC.
|
||||||
|
|
||||||
The directory `keys` contains key files. These are simple JSON documents which
|
The directory `keys` contains key files. These are simple JSON documents which
|
||||||
contain all data that is needed to derive the repository's master signing and
|
contain all data that is needed to derive the repository's master signing and
|
||||||
encryption keys from a user's password. The JSON document from the repository
|
encryption keys from a user's password. The JSON document from the repository
|
||||||
|
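Review bot: the new paragraph gives the stored layout as `IV || CIPHERTEXT || MAC` but never says which bytes the MAC is computed over, or that it is computed after encryption. Since the same 16 random bytes serve as both the counter-mode IV and the Poly1305 nonce, state explicitly whether the MAC input is the ciphertext alone or also includes the IV, and give the MAC length so a reader can split a stored blob into its three parts. Smaller points in the same paragraph: "A 32 byte for AES-256" is missing the word "key", "the original paper[The" needs a space before the link, and "signed with Poly1305-AES" would read better as "authenticated with", because Poly1305-AES is a symmetric MAC and not a signature.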
@ -97,9 +107,8 @@ repository password. This is then used with `scrypt`, a key derivation function
|
||||||
bytes. The first 32 bytes are used as the encryption key (for AES-256) and the
|
bytes. The first 32 bytes are used as the encryption key (for AES-256) and the
|
||||||
last 32 bytes are used as the signing key (for Poly1305-AES). These last 32
|
last 32 bytes are used as the signing key (for Poly1305-AES). These last 32
|
||||||
bytes are divided into a 16 byte AES key `k` followed by 16 bytes of secret key
|
bytes are divided into a 16 byte AES key `k` followed by 16 bytes of secret key
|
||||||
`r`. They key `r` is then masked for use with Poly1305. For details see the
|
`r`. They key `r` is then masked for use with Poly1305 (see the paper for
|
||||||
original paper [The Poly1305-AES message-authentication
|
details).
|
||||||
code](http://cr.yp.to/mac/poly1305-20050329.pdf) by Dan Bernstein.
|
|
||||||
|
|
||||||
This signing key is used to compute a MAC over the bytes contained in the
|
This signing key is used to compute a MAC over the bytes contained in the
|
||||||
JSON field `data` (after removing the Base64 encoding and not including the
|
JSON field `data` (after removing the Base64 encoding and not including the
|
||||||
|
|
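Review bot: the rewritten line still begins "They key `r` is then masked", which should read "The key `r`". With the link dropped from this paragraph, "(see the paper for details)" only makes sense to a reader who has already seen the reference in the "Keys, Encryption and MAC" section, so name it here, for example "(see the Poly1305-AES paper referenced above)". It would also help to use the names `k` and `r` in that earlier paragraph where it lists "a 16 byte AES key and a 16 byte key for Poly1305", so the two descriptions of the signing key visibly refer to the same split.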