Signup and Authentication

Since the password you choose at registration time is used (indirectly) during the encryption process, it is vital that it is never sent to, or stored on, the server in an easily crackable form. To meet this goal, Insomnia uses the Secure Remote Password (SRP) key exchange protocol, in which the server holds only a verifier and never sees the password itself.

You can read more about the exact SRP variant that Insomnia paid plans use in RFC 2945.

For a detailed description of SRP, see Mozilla’s Node SRP.

How Account Creation Works

These are the steps taken on the client during account creation.

  1. Randomly generate 256-bit keys and salts: SYM_Account, SLT_Auth_1, SLT_Auth_2, SLT_Encryption
  2. Generate the PUB_Account/PRV_Account keypair for RSA-OAEP SHA-256
  3. Generate SEC_PWD_Auth using the following steps
    1. Combine SLT_Auth_1 with the email address using HKDF SHA-256 to form a new salt, SLT_TMP_1
    2. Run 100,000 iterations of PBKDF2 SHA-256 over the password with SLT_TMP_1
  4. Generate SEC_PWD_Enc using the following steps
    1. Combine SLT_Encryption with the email address using HKDF SHA-256 to form a new salt, SLT_TMP_2
    2. Run 100,000 iterations of PBKDF2 SHA-256 over the password with SLT_TMP_2
  5. Generate SRP_Verifier from SLT_Auth_2, the email address, and SEC_PWD_Auth
  6. Encrypt SYM_Account using SEC_PWD
  7. Encrypt PRV_Account using SYM_Account
  8. Send the M_Account object to the server for creation

Once the account is created, the server sends a verification email to the user. After receiving this email, the user can attempt to log in.

How Account Login Works

These are the steps taken on the client during login.

  1. Derive SEC_PWD_Auth using the same steps as in account creation
  2. Use SLT_Auth_2 to perform the SRP exchange
  3. Store the SRP-generated key K locally and use it as the session key
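
Steps 3 and 4 of account creation, and login step 1, which must reproduce the same SEC_PWD_Auth from the stored salt, as an added example in Python that is not Insomnia's own code. The page does not say which of the random salt and the email is the HKDF salt versus input keying material, what HKDF info string is used, or the output lengths; those choices, the `b"auth"`/`b"enc"` labels, the email normalisation, and the function names are assumptions made here.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # iteration count stated on the page
KEY_LEN = 32                 # 256-bit keys, salts and derived secrets


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA-256, stdlib only."""
    prk = hmac.new(salt, ikm, "sha256").digest()  # HKDF-Extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # HKDF-Expand: T(n) = HMAC(PRK, T(n-1) || info || n)
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_secret(password: str, email: str, salt: bytes, purpose: bytes) -> bytes:
    """Steps 3/4: fold the email into the random salt with HKDF, then stretch the
    password with PBKDF2-SHA-256. ASSUMPTION: the random salt is the HKDF salt, the
    trimmed, lower-cased email is the IKM, and `purpose` is the HKDF info string."""
    slt_tmp = hkdf_sha256(salt, email.strip().lower().encode(), purpose)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), slt_tmp,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def create_account_secrets(password: str, email: str,
                           slt_auth_1: bytes = b"", slt_encryption: bytes = b"") -> dict:
    """Step 1 (the two password-related salts) plus steps 3 and 4. Fixed salts may be
    passed in for testing; otherwise fresh random ones are drawn. SEC_PWD_Auth only
    feeds the SRP verifier; SEC_PWD_Enc (assumed to be the SEC_PWD of step 6) stays
    on the client to wrap SYM_Account, so the raw password never leaves the client."""
    slt_auth_1 = slt_auth_1 or os.urandom(KEY_LEN)
    slt_encryption = slt_encryption or os.urandom(KEY_LEN)
    return {
        "SLT_Auth_1": slt_auth_1,
        "SLT_Encryption": slt_encryption,
        "SEC_PWD_Auth": derive_secret(password, email, slt_auth_1, b"auth"),
        "SEC_PWD_Enc": derive_secret(password, email, slt_encryption, b"enc"),
    }


def login_derive_auth_secret(password: str, email: str, slt_auth_1: bytes) -> bytes:
    """Login step 1: recompute SEC_PWD_Auth from the account's SLT_Auth_1; only then
    can the SRP exchange using SLT_Auth_2 (not shown here) take place."""
    return derive_secret(password, email, slt_auth_1, b"auth")
```

Because the email is folded into the salt, two users who pick the same password still derive different secrets, and a wrong password or wrong email at login yields a value the SRP verifier will not match.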

Now that we know how signup and authentication are performed, we can talk about data encryption.
