DRACOON uses for its client-side encryption a combination of symmetric and asymmetric cryptography (a.k.a. "hybrid cryptography").
Each user owns an asymmetric key pair that has been created on client side. The private key is encrypted with a password and uploaded alongside the public key to DRACOON.
When uploading a file, the plain data is encrypted symmetrically with a newly generated random key ("FileKey"). The FileKey is then encrypted asymmetrically with the authorized users' public keys – these encrypted copies are referred to as "UserFileKey" since it represents a FileKey encrypted for one specific user.
Downloading a file reverses the described process: The user's private key is downloaded and decrypted with the user's password. The decrypted private key decrypts the UserFileKey so that the plain FileKey is available. During a last step, the FileKey is used to decrypt the file.
In order to facilitate the use of different crypto algorithms and key lengths, we introduced crypto versions. Versions are defined as a single uppercase char in lexicographic order. So the first crypto version available is 'A'.
Symmetric and asymmetric crypto operations are versioned separately.
The current versions are:
- symmetric: A
- asymmetric: A
Each user owns a key pair that needs to be created on client side.
Key Pair version A uses RSA-2048 Bit keys. Both keys – private key and public key – are stored separetly in PKCS#8 format. Please note that the private key needs to be encrypted with a pass phrase.
Symmetric encryption of files
Files are encrypted with a randomly generated key ("FileKey") on client side.
Symmetric version A uses AES-256-GCM to encrypt files. This crypto algorithm provides an additional authentication information ("authentication tag") that is used to detect manipulated files.
Asymmetric encryption of FileKeys
FileKeys need to be encrypted with users' public keys before uploading them to DRACOON.
The symmetric secret FileKey is encrypted with a user's public RSA-2048 Bit key. Version A uses the OAEP padding with two different hash functions: SHA-256 and SHA-1 (for MGF1).