From 3dccca1f27db2dc38ff3dc1a3812eec1063f4280 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Tue, 29 Aug 2017 00:22:11 +0200 Subject: [PATCH] doc/design: fix keys.data MAC format description "not including the last 32 byte" was wrong, should have been 16 bytes. But the whole description is redundant anyway. --- doc/design.rst | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/doc/design.rst b/doc/design.rst index 16fa8e7ae..6438e8fcb 100644 --- a/doc/design.rst +++ b/doc/design.rst @@ -315,13 +315,12 @@ divided into a 16 byte AES key ``k`` followed by 16 bytes of secret key ``r``. The key ``r`` is then masked for use with Poly1305 (see the paper for details). -Those message authentication keys (``k`` and ``r``) are used to compute -a MAC over the bytes contained in the JSON field ``data`` (after -removing the Base64 encoding and not including the last 32 byte). If the +Those keys are used to authenticate and decrypt the bytes contained in +the JSON field ``data`` with AES-256 and Poly1305-AES as if they were +any other blob (after removing the Base64 encoding). If the password is incorrect or the key file has been tampered with, the computed MAC will not match the last 16 bytes of the data, and restic -exits with an error. Otherwise, the data is decrypted with the -encryption key derived from ``scrypt``. This yields a JSON document +exits with an error. Otherwise, the data yields a JSON document which contains the master encryption and message authentication keys for this repository (encoded in Base64). The command ``restic cat masterkey`` can be used as follows to decrypt and