From: Bruce Schneier <schneier@co...> - 2005-11-30 19:54:05
At 04:21 PM 11/29/2005, you wrote:
>A V3 format PasswordSafe will be structured as follows:
>SALT is a 256-bit random value, generated at file creation time.
>P' is the "stretched key" of the user's passphrase and the SALT, as defined
>by the hash-function-based key stretching algorithm in
>http://www.schneier.com/paper-low-entropy.pdf (Section 4.1), with SHA-256
>as the hash function, and 2048 iterations (i.e., t = 11).
>H(P') is SHA-256(P'), and is used to verify that the user has the correct
>B1 and B2 are two 128-bit blocks encrypted with Twofish using P' as the
>key, in ECB mode. These blocks contain the 256-bit random key K that is used
>to encrypt the actual records. (This has the property that there is no known
>information on the plaintext encrypted with the passphrase-derived key that
>allows an attacker to mount an attack that bypasses the key stretching
>IV is the 128-bit random Initial Value for CBC mode.
>All the following records are encrypted using Twofish in CBC mode, with K
>as the encryption key.
>HDR: The database header, containing the version number, non-default user
>preferences, and perhaps other housekeeping information.
>R1..Rn: The actual password entries, in the format described in the V2
>document, with possible additional fields.
>END OF DRAFT
I like it.
Are there any changes that should be made to the database format, as
long as compatibility is being broken?
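
The stretching and passphrase check described in the quoted draft, as an added example that is not part of the original message or of the PasswordSafe code. It assumes H(K_short, S) is computed over the passphrase bytes followed by the salt; the function names are hypothetical, and the Twofish unwrapping of B1 and B2 is left out.

```python
import hashlib
import hmac

ITERATIONS = 2048  # 2**11 hash iterations, i.e. t = 11 in the draft


def stretch_key(passphrase: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Return P': X_0 = SHA-256(passphrase || salt), X_i = SHA-256(X_{i-1})."""
    if len(salt) != 32:
        raise ValueError("SALT must be 256 bits (32 bytes)")
    # Assumption: H(K_short, S) hashes the passphrase bytes followed by the salt.
    x = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def make_verifier(passphrase: bytes, salt: bytes) -> bytes:
    """Return H(P') = SHA-256(P'), the value stored in the file."""
    return hashlib.sha256(stretch_key(passphrase, salt)).digest()


def check_passphrase(candidate: bytes, salt: bytes, stored: bytes):
    """Return P' if the candidate matches the stored H(P'), else None."""
    p_prime = stretch_key(candidate, salt)
    digest = hashlib.sha256(p_prime).digest()
    # Compare in constant time so the check does not leak a partial match.
    if hmac.compare_digest(digest, stored):
        return p_prime  # this is the Twofish key that would decrypt B1 and B2
    return None


if __name__ == "__main__":
    salt = bytes(range(32))  # constructed sample; a real SALT is random
    stored = make_verifier(b"correct horse", salt)
    print("right passphrase:", check_passphrase(b"correct horse", salt, stored) is not None)
    print("wrong passphrase:", check_passphrase(b"Correct horse", salt, stored) is not None)
```

Because H(P') is one further SHA-256 step past P', the stored verifier lets the program reject a wrong passphrase without the file holding P' itself.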