Update architecture.rst (#50)

ho-oto · infeo · web-flow · commit 5bdbb78dd831 · 2025-05-05T12:21:54.000+02:00
Co-authored-by: Armin Schrenk &lt;armin.schrenk@skymatic.de&gt;
diff --git a/source/security/architecture.rst b/source/security/architecture.rst
@@ -59,7 +59,7 @@ When opening a vault, the following steps have to be followed:
 
 #. Decode ``vault.cryptomator`` without verification.
 #. Read ``kid`` header and, depending on its value, retrieve the masterkey from the specified location.
-#. Verify the JWT signature using the masterkey.
+#. Verify the JWT signature using the concatenation of encryption masterkey and MAC masterkey.
 #. Make sure ``format`` and ``cipherCombo`` are supported.
 
 
@@ -125,7 +125,7 @@ The JWE's decrypted payload holds a single value, which can then be consumed by
 Masterkey File
 ^^^^^^^^^^^^^^
 
-Alternatively, for normal password-protected vaults, Cryptomator will derive a :abbr:`KEK (Key-encryption key)` via `scrypt <https://tools.ietf.org/html/rfc7914>`_, encrypt the masterkeys using `AES Key Wrap (RFC 3394) <https://tools.ietf.org/html/rfc3394>`_,
+Alternatively, for normal password-protected vaults, Cryptomator will derive a 32byte long :abbr:`KEK (Key-encryption key)` via `scrypt <https://tools.ietf.org/html/rfc7914>`_ (non-parallel), encrypt both masterkeys using `AES Key Wrap (RFC 3394) <https://tools.ietf.org/html/rfc3394>`_,
 and store the results together with the key derivation parameters in a JSON file:
 
 .. code-block:: console
@@ -160,4 +160,4 @@ When unlocking a vault the KEK is used to unwrap (i.e. decrypt) the stored maste
 .. image:: ../img/security/masterkey-decryption@2x.png
     :alt: Masterkey Decryption
     :width: 440px
-    :align: center
+    :align: center
diff --git a/source/security/vault.rst b/source/security/vault.rst
@@ -56,7 +56,7 @@ The payload of the last chunk may be smaller than 32 KiB.
     cleartextChunks[] := split(cleartext, 32KiB)
     for (int i = 0; i < length(cleartextChunks); i++) {
         chunkNonce := createRandomBytes(12)
-        aad := [bigEndian(i), headerNonce]
+        aad := bigEndian(i) . headerNonce
         ciphertextPayload, tag := aesGcm(cleartextChunks[i], contentKey, chunkNonce, aad)
         ciphertextChunks[i] := chunkNonce . ciphertextPayload . tag
     }

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ The payload of the last chunk may be smaller than 32 KiB.`
`56`	`56`	`cleartextChunks[] := split(cleartext, 32KiB)`
`57`	`57`	`for (int i = 0; i < length(cleartextChunks); i++) {`
`58`	`58`	`chunkNonce := createRandomBytes(12)`
`59`		`- aad := [bigEndian(i), headerNonce]`
	`59`	`+ aad := bigEndian(i) . headerNonce`
`60`	`60`	`ciphertextPayload, tag := aesGcm(cleartextChunks[i], contentKey, chunkNonce, aad)`
`61`	`61`	`ciphertextChunks[i] := chunkNonce . ciphertextPayload . tag`
`62`	`62`	`}`