There are many note-taking applications, but this service is useful if you want to encrypt some of your text.
For example, it can be used for password management.
For an example of password management with Notion, please see the following blog.
How to manage passwords using Notion. Passwords are stored in encrypted form.
Encryption and decryption are performed by the user's browser, and no data is sent to the server.
Encrypted data is included in the parameters of the decryption URL.
This service uses PBKDF2 to derive an AES key from the passphrase entered by the user.
The passphrase and a random salt are passed through HMAC-SHA-256 100,000 times. (The number of iterations can be
specified.)
The text is then encrypted with AES using the derived key and an initialization vector.
| | TXT-Crypter | Evernote |
|---|---|---|
| Key generation | PBKDF2 | PBKDF2 |
| Number of iterations | 100,000 times or more | 50,000 times |
| Encryption | AES 256-bit | AES 128-bit |
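
The flow described above (PBKDF2 key derivation, AES encryption in the browser, encrypted data carried in the decryption URL), as an added Web Crypto example that is not TXT-Crypter's own code. The AES mode (GCM), the salt and IV sizes, the query parameter names `s`, `v`, `d` and the `example.invalid` URL in the usage are assumptions; the page specifies only PBKDF2 with HMAC-SHA-256, the iteration count and AES-256.

```javascript
// Added example. Assumptions: AES-GCM mode, 16-byte salt, 12-byte IV, and the
// query parameter names s/v/d. The page fixes only PBKDF2, HMAC-SHA-256, AES-256.
const ITERATIONS = 100000; // default iteration count stated on the page

// Browsers and recent Node expose globalThis.crypto; older Node needs the import.
const webCrypto = async () =>
  globalThis.crypto ?? (await import('node:crypto')).webcrypto;

const toB64u = (bytes) =>
  btoa(Array.from(bytes, (b) => String.fromCharCode(b)).join(''))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (ch) => ch.charCodeAt(0));

// PBKDF2 stretches the passphrase with the salt into a 256-bit AES key.
async function deriveKey(c, passphrase, salt, iterations) {
  const material = await c.subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt locally and return a URL that carries salt, IV and ciphertext.
async function encryptToUrl(base, text, passphrase, iterations = ITERATIONS) {
  const c = await webCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(c, passphrase, salt, iterations);
  const ct = new Uint8Array(await c.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(text)));
  const q = new URLSearchParams({ s: toB64u(salt), v: toB64u(iv), d: toB64u(ct) });
  return `${base}?${q}`;
}

// Returns the plaintext, or null when the passphrase, the iteration count or
// the data is wrong (the AES-GCM authentication tag then fails to verify).
async function decryptFromUrl(url, passphrase, iterations = ITERATIONS) {
  const c = await webCrypto();
  const q = new URL(url).searchParams;
  try {
    const key = await deriveKey(c, passphrase, fromB64u(q.get('s')), iterations);
    const pt = await c.subtle.decrypt(
      { name: 'AES-GCM', iv: fromB64u(q.get('v')) }, key, fromB64u(q.get('d')));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

For example, `await decryptFromUrl(await encryptToUrl('https://example.invalid/decrypt.html', 'text', 'passphrase'), 'passphrase')` returns `'text'`. A different iteration count returns `null` just as a wrong passphrase does, which is why the manual decryption page asks for the count.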
Basically, keep the decryption URL in a place that only you can access.
If the URL is not known to others, it cannot be decrypted illegally.
Even if the decryption URL is known to others, it cannot be decrypted without knowing the passphrase.
This service publishes a manual decryption method. (Of course, a passphrase is required.)
This ensures that your text can still be decrypted if this service becomes unavailable.
On the other hand, you may be concerned about unauthorized decryption.
Even if the passphrase is not easy to guess, consider whether it can be breached by brute force.
If you use an 8-character passphrase consisting of letters (upper and lower case) + numbers + 32 symbols, there are
6,095,689,385,410,816 patterns (94 characters to the 8th power).
On my PC (Core i5 11th generation), with a default iteration count of 100,000, each encryption took roughly
800ms.
Assuming 2 attempts/sec for simplicity, only 172,800 attempts can be made per day.
Even if one were to attempt an exhaustive search at this rate, it would take about 100 million years.
Since this is the case even with 8 characters, a longer passphrase results in an enormously larger number of
patterns.
Furthermore, increasing the number of iterations makes each decryption attempt slower, which lengthens the total search time.
In addition to the brute force of the passphrase, the attacker must also brute force the number of
iterations.
At this point, I think we can be quite assured.
As explained so far, the possibility of unauthorized decryption is as close to zero as possible, but what if
the text is deciphered anyway?
The text to be encrypted should not be a set of site name, ID, and password.
For example, a single encryption should contain only the password.
Even if the password is illegally decrypted and "only" the password is known, the attacker will not know which
site it is for or what the ID is.
In the unlikely event that this service becomes unavailable, you can still manually decrypt your text from the
decryption URL.
Source code for decryption is available on GitHub.
Download decrypt.html and open it in your browser.
Enter the decryption URL, the passphrase, and the number of iterations, then click the "decryption" button.
Once the correct information is entered, the decrypted text will be displayed.