BSafes Encryption Scheme
BSafes is a web app that lets teams and individuals protect confidential data and sensitive information, take notes, and more.
Team members share data and notes in a Team workspace; each individual also has a Personal workspace.
1 Member authentication and key creation
1.1 One account can have as many members as needed.
1.2 Each member has a member name and password to authenticate with.
1.3 Every member can enable 2FA (two-factor authentication).
1.4 Every member must create his or her own key, the member key. The member key is never sent to the server.
1.5 From the member key, the BSafes client software derives a 256-bit encryption key using PBKDF2 with 10,000 iterations and a 1024-bit salt. The encryption key is never sent to the server.
1.6 The BSafes client software calculates a SHA-256 hash of the encryption key; the hash value is sent to the server so that the server can verify the member entered the correct key when asked.
1.7 The BSafes client software generates an RSA 2048-bit public/private key pair for the member. The private key is encrypted with the member’s encryption key and a unique IV using 256-bit AES. Both the public key and the encrypted private key are sent to and stored on the server. Since the server does not know the member’s encryption key, it cannot recover the member’s private key.
1.8 All keys are held only temporarily in the member device’s memory or in the web app’s local storage. Once the member logs out, all keys are deleted from memory and from app local storage.
2 Note encryption
2.1 Every note page is encrypted with a unique 256-bit note key. The note key is generated by the BSafes client software when a member creates a note page, using PBKDF2 with 10,000 iterations and a 1024-bit salt.
2.2 Every note key is encrypted with a workspace key and a unique IV using 256-bit AES-CBC. The encrypted note key and the IV are sent to and stored on the server alongside the note data.
2.3 For a Personal workspace, the workspace key is the same as the member’s encryption key.
2.4 For a Team workspace, the workspace key is distributed to team members by encrypting it under each team member’s public key.
3 Team workspace key
3.1 When a member creates a team, a workspace is created for the team. The BSafes client software generates a 256-bit key for the team workspace using PBKDF2 with 10,000 iterations and a 1024-bit salt.
3.2 The team workspace key is encrypted using the member’s public key, and the encrypted team workspace key is sent to and stored on the server.
3.3 When the member accesses the team workspace, the encrypted team workspace key is decrypted with the member’s private key.
3.4 With the team workspace key, the member can access all notes in the workspace.
4 Distributing team workspace key to team members
4.1 When a member creates a team, the member’s device memory holds the team workspace key.
4.2 When the member invites another member to the team, the BSafes client software requests the invited member’s public key from the server, then encrypts the team workspace key with that public key. The encrypted team workspace key is sent to and stored on the server for the invited team member.
4.3 When the invited team member accesses the team workspace, the encrypted team workspace key is decrypted with that member’s private key in device memory.
4.4 With the team workspace key, the member can access all notes in the workspace.
4.5 Also, with the team workspace key in device memory, the team member could invite other members to the team.
5 Key hierarchy
-G-> means key generation
-E-> means key encryption
5.1 member key -G-> member encryption key -E-> Personal note keys
5.2 member key -G-> member encryption key -E-> RSA private key -E-> Team workspace key -E-> Team note keys (the team workspace key is encrypted with the member’s RSA public key and decrypted with the RSA private key)
6 Storage of member encryption key in member device
6.1 After a member signs in successfully with credentials and 2FA (when enabled), the member enters his or her member key.
6.2 The BSafes client software derives the encryption key, calculates the hash value of the key and sends the hash value to the server for verification.
6.3 If verification succeeds, the server returns a session key and session IV; the BSafes client software then encrypts the encryption key using 256-bit AES-CBC with the session key and IV and stores the encrypted encryption key in the app’s local storage.
6.4 When the member logs out, the BSafes client software clears the encrypted encryption key from app local storage.