Signup and Authentication
Since the password you choose at registration time is used during the encryption process (although indirectly), it's vital that it's never sent to or stored on the server in an easily crackable form. To help with this goal, Insomnia uses the Secure Remote Password (SRP) encrypted key exchange protocol.
You can read more about the exact SRP implementation that Insomnia paid plans use in RFC-2945.
For a detailed description of SRP, see Mozilla’s Node SRP.
How Account Creation Works
These are the steps taken on the client during account creation.
- Randomly generate 256-bit keys and salts
- PRV_Account keypair for RSA-OAEP SHA-256
- Generate SEC_PWD_Auth using the following steps
  - Combine SLT_Auth1 with email address using HKDF SHA-256 to form a new salt
  - Run 100,000 iterations of PBKDF2 SHA-256 with SLT_TMP_1
- Generate SEC_PWD_Enc using the following steps
  - Combine SLT_Enc with email address using HKDF SHA-256 to form a new salt
  - Run 100,000 iterations of PBKDF2 SHA-256 with
- Generate SRP_Verifier using SLT_Auth_2, email address,
- Encrypt SYM_Account using
- Encrypt PRV_Account using
- M_Account object to server for creation
Once the account is created, the server will send a verification email to the user. Once the user receives this email, they can attempt to log in.
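The two password-derived secrets from the steps above (re-derived the same way at login), as an added sketch that is not Insomnia's own code. Assumptions not stated on the page: the random salt is the HKDF input key material, the email is the HKDF salt, outputs are 32 bytes, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # iteration count stated on the page
KEY_BYTES = 32               # 256 bits, matching the page's key and salt size


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes = b"", length: int = KEY_BYTES) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA-256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_secret(password: str, email: str, account_salt: bytes) -> bytes:
    """Salt + email -> HKDF -> temporary salt -> PBKDF2 over the password."""
    # Assumption: which value is HKDF key material and which is HKDF salt
    # is not specified on the page; this ordering is illustrative.
    tmp_salt = hkdf_sha256(ikm=account_salt, salt=email.encode())
    return hashlib.pbkdf2_hmac("sha256", password.encode(), tmp_salt,
                               PBKDF2_ITERATIONS, dklen=KEY_BYTES)


def create_account_secrets(password: str, email: str) -> dict:
    """Generate independent salts and derive the auth and encryption secrets."""
    slt_auth = secrets.token_bytes(KEY_BYTES)
    slt_enc = secrets.token_bytes(KEY_BYTES)
    return {
        "SLT_Auth1": slt_auth,
        "SLT_Enc": slt_enc,
        # Input to SRP; the server only ever sees a verifier built from it.
        "SEC_PWD_Auth": derive_secret(password, email, slt_auth),
        # Stays on the client; used for encrypting account keys.
        "SEC_PWD_Enc": derive_secret(password, email, slt_enc),
    }


if __name__ == "__main__":
    # Constructed sample credentials.
    acct = create_account_secrets("correct horse battery staple", "user@example.com")
    print({name: value.hex() for name, value in acct.items()})
```

Because the two secrets come from different salts, a value derived for authentication cannot be reused as the encryption secret, and binding the email into the salt makes the same password yield different secrets on different accounts.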
How Account Login Works
These are the steps taken on the client during login.
- SEC_PWD_Auth using same steps as in Account Creation
- SLT_Auth_2 to perform SRP exchange
- Store SRP-generated K locally to use as session key
Now that we know how signup and authentication are performed, we can talk about data encryption.