File encryption
| Property | Value |
|---|---|
| Algorithm | AES-256-GCM |
| Key size | 256 bits |
| IV size | 96 bits (randomly generated per file) |
| Tag size | 128 bits |
| Key derivation | HKDF-SHA256 from room KEK + file ID |
Key wrapping
| Property | Value |
|---|---|
| Algorithm | AES-256-KW (RFC 3394) |
| Key size | 256 bits |
| Applied to | DEK → KEK wrap, KEK → master key wrap |
| Property | Value |
|---|---|
| Algorithm | RSA-OAEP-256 |
| Key size | 4096 bits |
| Hash | SHA-256 |
Audit log signatures
| Property | Value |
|---|---|
| Algorithm | Ed25519 |
| Key storage | Quelden signing HSM |
| Signature scope | Event payload + chain hash |
| Chain hash | SHA-256 of previous entry |
TLS
| Property | Value |
|---|---|
| Minimum version | TLS 1.2 |
| Preferred version | TLS 1.3 |
| Cipher suites (TLS 1.3) | TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 |
| Cipher suites (TLS 1.2) | ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384 |
| Certificate | RSA-4096 or ECDSA P-384 |
Password hashing
| Property | Value |
|---|---|
| Algorithm | Argon2id |
| Memory | 64 MB |
| Iterations | 3 |
| Parallelism | 4 |
| Output | 32 bytes |
| Salt | 16 bytes, random per password |
Random number generation
All random values (IVs, DEKs, salts, tokens) are generated using the operating system’s CSPRNG (getrandom on Linux, BCryptGenRandom on Windows).
What we do not use
- MD5 or SHA-1 for any security purpose
- ECB mode for any block cipher
- RSA-PKCS1v1.5 for encryption (only RSA-OAEP)
- Static IVs or nonces
- Client-side session secrets stored in localStorage