Cryptography in Kullo

Basic principles

Choice of algorithms

Whenever we write about symmetric or asymmetric encryption or signatures, we mean the following algorithms, modes and parameters:

Uses of cryptography

Initialization vectors (IVs)

When we use symmetric encryption, we generally use a random IV of 128 bits. We prepend this IV to the ciphertext, so the first 16 bytes of a symmetric ciphertext must be used as IV for decryption of the following data.

There are two exceptions to this rule: The content and attachments fields of messages use fixed IVs. See Message format for details. This is secure because with GCM, reuse is only a problem if both key and IV are reused.


Read about key hierarchy, generation and protection in Kullo: Cryptographic keys. Private keys and the privateDataKey must be encrypted with the MasterKey before being uploaded.

The process of changing keys, for example in the event of key compromise, is described in Changing keys. However, none of this is finalized or implemented yet.


Read about the encryption of messages in the Message format reference.