-
Hi @ruralTom, I could be totally wrong as I am not an expert, but at a quick glance the way an encryption key is generated in Photok is a bit weird. If you look at line 164 in EncryptionManager.kt (https://github.com/leonlatsch/Photok/blob/develop/app/src/main/java/dev/leonlatsch/photok/security/EncryptionManager.kt), the key generation is basically a hash of a password instead of actually using a key generation algorithm, and that too SHA-256, which isn't bad, it's just that there are better options like SHA-512 available (not that big of a deal though). I may have missed something, but a password should be used to encrypt a key that encrypts the actual data; this way, when the user wants to change the password, they don't have to re-encrypt everything. Also, key derivation algorithms should be used instead of hashing the password. I am always concerned when someone is adding cryptography in the app (which is good and encouraged), as there are plenty of ways to get it wrong if not thoroughly tested. Besides that, if Photok is storing everything in app storage like SafeSpace does, then encryption is redundant and consumes battery if it has a large number of files. But either way it's good to have some competition and options :)
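The design the comment above describes, as an added example that is not part of the comment and is not code from Photok or SafeSpace: a random data key encrypts the files, and a key derived from the password with PBKDF2 wraps that data key, so a password change only re-wraps the data key. All names, the iteration count and the sample bytes are assumptions made for illustration.

```kotlin
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

// Added example with hypothetical names; not Photok's or SafeSpace's code.
private val rng = SecureRandom()
private const val ITERATIONS = 600_000 // assumed PBKDF2 work factor, tune per device

class WrappedKey(val salt: ByteArray, val iv: ByteArray, val blob: ByteArray)

// Key-encryption key from a salted, iterated KDF rather than one SHA-256 pass.
fun deriveKek(password: CharArray, salt: ByteArray): SecretKeySpec {
    val spec = PBEKeySpec(password, salt, ITERATIONS, 256)
    val raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
    spec.clearPassword()
    return SecretKeySpec(raw, "AES")
}

// AES-256-GCM in either direction; decryption throws if the tag does not verify.
fun gcm(mode: Int, key: SecretKeySpec, iv: ByteArray, input: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(mode, key, GCMParameterSpec(128, iv))
    return cipher.doFinal(input)
}

// Wrap the data key under a fresh salt and IV every time.
fun wrap(dek: ByteArray, password: CharArray): WrappedKey {
    val salt = ByteArray(16).also { rng.nextBytes(it) }
    val iv = ByteArray(12).also { rng.nextBytes(it) }
    return WrappedKey(salt, iv, gcm(Cipher.ENCRYPT_MODE, deriveKek(password, salt), iv, dek))
}

fun unwrap(w: WrappedKey, password: CharArray): ByteArray =
    gcm(Cipher.DECRYPT_MODE, deriveKek(password, w.salt), w.iv, w.blob)

fun main() {
    val dek = ByteArray(32).also { rng.nextBytes(it) } // random data-encryption key
    val fileIv = ByteArray(12).also { rng.nextBytes(it) }
    val photo = gcm(Cipher.ENCRYPT_MODE, SecretKeySpec(dek, "AES"), fileIv, "constructed sample bytes".toByteArray())
    var stored = wrap(dek, "old password".toCharArray())
    // Password change: unwrap with the old password, re-wrap with the new one; `photo` is untouched.
    stored = wrap(unwrap(stored, "old password".toCharArray()), "new password".toCharArray())
    val recovered = SecretKeySpec(unwrap(stored, "new password".toCharArray()), "AES")
    println(gcm(Cipher.DECRYPT_MODE, recovered, fileIv, photo).decodeToString())
    println(runCatching { unwrap(stored, "old password".toCharArray()) }.isFailure) // the old password no longer unwraps the key
}
```

Only `WrappedKey` (salt, IV and wrapped blob) needs to be stored next to the encrypted files; the password and the derived key are never written to disk.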
-
I love options. I think Photok decrypts everything when you use your password to open the app. It has no internal organization system, so every file is right there mixed with the others.
It does what it's supposed to but I'm always looking for options. Each new dev brings a new vibe.
Mar 25, 2024 11:33:51 PM aashishksahu ***@***.***>:
…
-
How do they compare? I use Photok but am always on the lookout for a better tool.
Hard to make the change?