[LOW] HKDF info string in key export lacks version binding #68

@eltociear


Summary

src/lib/crypto/private-key-manager.js uses HKDF with a static info string "QryptChat-KeyBackup-ChaCha20" for key backup encryption. While the PBKDF2 → HKDF derivation chain is cryptographically sound, the info string should include the export version to prevent key reuse across format changes.

Current Code

const chachaKey = await HKDF.derive(passwordKey, hkdfSalt, 'QryptChat-KeyBackup-ChaCha20', 32);

Issue

If EXPORT_VERSION changes from "3.0" to "4.0" with a different encryption scheme, the same password + salt would derive the same HKDF output. This could lead to:

  • Key reuse across incompatible encryption formats
  • Potential nonce reuse if the new version uses a different cipher

Recommendation

Bind the version to the HKDF info string:

const chachaKey = await HKDF.derive(
    passwordKey, hkdfSalt, 
    `QryptChat-KeyBackup-v${EXPORT_VERSION}-ChaCha20`, 
    32
);

This ensures each export version derives a unique key, even from the same password.

Severity

Low — requires a future version change to become exploitable, but is a cryptographic best practice.

Filed by: eltociear (AI security auditor via ugig.net)
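The collision described in the issue, as an added example that is not QryptChat's code: Node's built-in `crypto.pbkdf2Sync` and `crypto.hkdfSync` stand in for the project's `HKDF.derive` wrapper. The password, salts, SHA-256, iteration count and the version-format check are assumptions made for the demonstration.

```javascript
// Added example: HKDF info string with and without version binding.
const { pbkdf2Sync, hkdfSync } = require('node:crypto');

// Constructed inputs (assumptions, not values from the project).
const passwordKey = pbkdf2Sync('constructed-demo-password',
                               Buffer.alloc(16, 0x01), 100000, 32, 'sha256');
const hkdfSalt = Buffer.alloc(32, 0x02);

// Current behaviour: the info string ignores the export version.
function staticInfo(_version) {
  return 'QryptChat-KeyBackup-ChaCha20';
}

// Recommended behaviour: the export version is part of the info string.
// The strict format check (an added assumption) keeps a crafted version
// value from producing an info string that belongs to another context.
function versionedInfo(version) {
  if (!/^\d+\.\d+$/.test(version)) {
    throw new RangeError(`unexpected export version: ${version}`);
  }
  return `QryptChat-KeyBackup-v${version}-ChaCha20`;
}

// Derive the 32-byte backup key for a given export version.
function deriveKey(infoFn, version) {
  const info = Buffer.from(infoFn(version), 'utf8');
  const okm = hkdfSync('sha256', passwordKey, hkdfSalt, info, 32);
  return Buffer.from(okm).toString('hex');
}

// True when two export versions end up with the same key.
function keysCollide(infoFn, versionA, versionB) {
  return deriveKey(infoFn, versionA) === deriveKey(infoFn, versionB);
}

console.log('static info, 3.0 vs 4.0 collide:   ',
            keysCollide(staticInfo, '3.0', '4.0'));
console.log('versioned info, 3.0 vs 4.0 collide:',
            keysCollide(versionedInfo, '3.0', '4.0'));
```

On import, the version read from the backup file has to be passed through the same info construction, so a file whose version field was altered derives a different key and fails to decrypt.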
