Since the password you choose at registration time is used during the encryption process (although indirectly), it’s vital that it’s never sent or stored on the server in an easily crackable form. To help with this goal, Insomnia uses the Secure Remote Passwords (SRP) encrypted key exchange protocol.
You can read more about the exact SRP implementation that Insomnia paid plans use in RFC-2945.
For a detailed description of SRP, see Mozilla’s Node SRP.
These are the steps taken on the client during account creation.
PRV_Accountkeypair for RSA-OAEP SHA-256
SEC_PWD_Authusing the following steps
SLT_Auth1with email address using HKDF SHA-256 to form a new salt
SLT_Auth_2, email address,
M_Accountobject to server for creation
Once the account is created, the server will send a verification email to the user. Once the user receives this email, they can attempt to log in.
These are the steps taken on the client during login.
SEC_PWD_Authusing same steps as in Account Creation
SLT_Auth_2to perform SRP exchange
Klocally to use as session key
Now that we know how signup and authentication are performed, we can talk about data encryption.