Since Cyph v2 is now in beta, you may be curious about how it works. A series of blog posts are planned for the near future, and will be linked here when they’re complete.
In the meantime, here are some quick notes:
- To log in, you will need your username (e.g.
ryan) and your master key (e.g.
synthesis sleek brandon doubling bagpipe immortal backroom anointer mccarthy).
- A form of augmented PAKE is used to authenticate the user with the Cyph cloud infrastructure without revealing anything about the master key to our server.
- As mentioned, a symmetric encryption key is derived from the master key (via Argon2id hashing), which is then used to decrypt an encrypted payload from the server that contains a second symmetric key.
- After that point, it’s pretty much exactly the same in principle as full disk encryption, with that second key being used to encrypt and decrypt all user data; the only difference is that instead of a local disk the storage medium is a remote service.
- As in Cyph v1 (ephemeral chat), messages are all secured via the quantum-computing-resistant Castle encryption protocol — with the primary difference being that session state is persisted to your Cyph v2 account’s encrypted cloud storage.
1: To be a little more precise: the password itself has 128 bits of entropy. The actual output of the key derivation process is 32 bytes (256 bits) long, and password hashing adds additional hardness to a hypothetical brute force attack.