Krptn News
Krptn Presentation
Krptn had the opportunity to present itself at Milestone Institute, Budapest, Hungary. We are now publishing the presentation that we delivered.
We thank Milestone again for this opportunity!
You can access the presentation at this link.
WebAuthn Tutorial: both server and client
For a live demo, there is a working version on GitHub.
Please note that this is a tutorial, not full documentation. Before using this in a production environment, please also read our FIDO docs!
What is WebAuthn? According to the FIDO Alliance, passwords are the root cause of 80% of data breaches! Password compromise is so common, yet so many still fall for it… It’s simply time to fix this mess. So, the world is deploying a solution: WebAuthn.
Krptn's security model
Algorithms used in Krptn
To derive the encryption key from the credentials (or from anything else, in fact), Argon2id from the LibSodium library is used with a 0.2 GiB memory limit and an operations count of 3 (4 for password reset codes). These values were based on RFC 9106 and LibSodium’s documentation.
For symmetric encryption, we use XChaCha20-Poly1305 from the LibSodium library.
For asymmetric encryption, we use LibSodium’s crypto_box_easy API. To see which algorithms that API uses, please refer to the list in LibSodium’s documentation.
Alok Menghrajani's Review
We would like to thank Alok Menghrajani for the pro-bono review he did of Krptn! His review gave us many ideas to further improve, secure, and develop the project!
Thank you Alok!
Krptn's Limitations
Krptn follows a strict security model.
However, it is important to note that this strict model makes Krptn very inflexible. This is especially visible with password resets. If a user forgets their password, they need to use a recovery code to unlock their account. However, if they also lose the recovery code, they will be permanently locked out.
Trust Center
Transparency
We believe that being transparent about our code and other implementation details is crucial to gaining trust. Therefore, our security model is easily accessible and our project is free and open source (FLOSS). If you have any doubts about our code, check it on GitHub for the source of truth!
Note: Krptn will never reach out to you for personal information without a prior interaction initiated by you. Knowing this can help you identify scams.