- Don't roll your own algorithm! We use only established and battle-tested algorithms and follow recommendations from well-respected entities (for example ENISA and ECRYPT, NIST, ANSSI, BSI, ...).
- Don't roll your own implementation! In our own client, we use Botan for everything but TLS. The latter is implemented in platform-specific ways: We use Secure Channel on Windows, Secure Transport on macOS and iOS, OpenSSL on Linux and javax.net.ssl on Android.
- Keep it simple! For example, we use authenticated encryption (GCM) instead of implementing encrypt-then-MAC or MAC-then-encrypt.
Choice of algorithms
Whenever we write about symmetric or asymmetric encryption or signatures, we mean the following algorithms, modes and parameters:
- symmetric encryption: AES-256 in GCM mode
- asymmetric encryption: RSA-4096 with OAEP(SHA-512) padding
- asymmetric signatures: RSA-4096 with PSS(SHA-512) padding
Uses of cryptography
Initialization vectors (IVs)
When we use symmetric encryption, we generally use a random IV of 128 bits. We prepend this IV to the ciphertext, so the first 16 bytes of a symmetric ciphertext must be used as IV for decryption of the following data.
There are two exceptions to this rule:
attachments fields of messages use fixed IVs.
See Message format for details.
This is secure because with GCM, reuse is only a problem if both key and IV are reused.
Read about key hierarchy, generation and protection in Kullo: Cryptographic keys. Private keys and the privateDataKey must be encrypted with the MasterKey before being uploaded.
The process of changing keys, for example in the event of key compromise, is described in Changing keys. However, none of this is finalized or implemented yet.
Read about the encryption of messages in the Message format reference.