
Security Model

Key derivation hierarchy: Passphrase → Argon2id → Group Secret → HKDF → Sync Key, Auth Key, Content Key

Content Key Derivation (for large file transfer via iroh-blobs):

Large content (photos, documents, audio) uses a separate key derived per-blob to allow independent lifecycle management:

content_key = HKDF-SHA256(
    ikm  = GroupSecret,
    salt = "0k-sync-content-v1",
    info = blob_id || "content-encryption"
) → 32 bytes for XChaCha20-Poly1305

This allows:

  • Same key for all devices in the group (they share GroupSecret)
  • Independent rotation from sync blob encryption key
  • Per-blob key isolation (compromise of one content key doesn’t affect others)
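The per-blob derivation above, as an added example (not 0k-sync's own code): HKDF-SHA256 is implemented from RFC 5869 with the Python standard library rather than the project's Rust stack. UTF-8 encoding of the salt and info strings, blob_id as raw bytes, and all sample values are assumptions made for the illustration.

```python
import hashlib
import hmac

SALT = b"0k-sync-content-v1"         # salt from the derivation above (UTF-8 assumed)
INFO_SUFFIX = b"content-encryption"  # appended to blob_id to form `info`
KEY_LEN = 32                         # XChaCha20-Poly1305 key size in bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand it."""
    if not 0 < length <= 255 * 32:
        raise ValueError("HKDF-SHA256 can output 1..8160 bytes")
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract step
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand step: T(n) = HMAC(PRK, T(n-1) || info || n)
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_content_key(group_secret: bytes, blob_id: bytes) -> bytes:
    """Per-blob key: info = blob_id || "content-encryption"."""
    if not group_secret or not blob_id:
        raise ValueError("group_secret and blob_id must be non-empty")
    return hkdf_sha256(group_secret, SALT, blob_id + INFO_SUFFIX, KEY_LEN)


if __name__ == "__main__":
    # Constructed sample values, not real secrets or real blob ids.
    group_secret = bytes(range(32))
    blob_a = bytes([0xA1]) * 32
    blob_b = bytes([0xB2]) * 32

    key_a_device1 = derive_content_key(group_secret, blob_a)
    key_a_device2 = derive_content_key(group_secret, blob_a)  # another device, same GroupSecret
    key_b = derive_content_key(group_secret, blob_b)

    print("blob A:", key_a_device1.hex())
    print("blob B:", key_b.hex())
    print("devices agree on blob A:", hmac.compare_digest(key_a_device1, key_a_device2))
    print("blob A and B keys differ:", key_a_device1 != key_b)
```

The isolation shown here is between content keys: every one of them is still derived from GroupSecret, so a leaked GroupSecret yields all of them.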

Device-Adaptive Argon2id Parameters:

OWASP minimum (19 MiB, 2 iterations) performs well on modern devices but hits 800ms+ on low-end mobile. Use device-adaptive parameters:

| Device Class | Detection Signal | Memory | Iterations | Target Time |
|---|---|---|---|---|
| Low-end / mid-range mobile | RAM < 4GB | 19 MiB | 2 | 200-400ms |
| High-end mobile | RAM 4-8GB | 46 MiB | 1 | 200-400ms |
| Desktop | RAM >= 8GB | 64 MiB | 3 | 200-500ms |

CL-001 (2026-02-05): Lowest tier raised from 12 MiB / 3 iter to OWASP minimum (19 MiB / 2 iter). No device class falls below OWASP floor.

iOS Constraint: AutoFill extension processes have ~55 MiB usable memory. Configurations above 46 MiB fail intermittently.

Status: The Noise Protocol layer is implemented using the clatter crate. Transport security uses hybrid Noise XX (ML-KEM-768 + X25519) over iroh QUIC. Audit finding F-002 has been resolved.

Handshake Pattern: XX (mutual authentication)

XX:
→ e
← e, ee, s, es
→ s, se

Why XX:

  • Both parties prove identity
  • Neither needs pre-shared keys
  • Forward secrecy from message 2

Cryptographic Primitives (Hybrid Post-Quantum):

| Function | Algorithm | Crate |
|---|---|---|
| Key Exchange | X25519 + ML-KEM-768 | clatter v2.1+ |
| Cipher | ChaChaPoly | clatter v2.1+ |
| Hash | BLAKE2s | clatter v2.1+ |

Hybrid Handshake: Uses noise_hybrid_XX pattern with ML-KEM-768 (NIST Level 3) for quantum resistance. The clatter crate provides the verified hybrid Noise protocol implementation.

  • Each device generates Curve25519 keypair on first launch
  • Public key = Device ID (32 bytes, base64 for display)
  • Private key stored in OS keychain (via platform-specific secure storage)

| Threat | Mitigation |
|---|---|
| Relay reads data | E2E encryption; relay sees only ciphertext |
| MITM attack | iroh TLS + Noise XX mutual auth |
| Replay attack | Nonces + monotonic cursors |
| Device compromise | Per-device keys; rotate Group Key to revoke |
| Relay compromise | No plaintext stored; temporary buffer only |
| Traffic analysis | Optional PADME padding (future) |

  1. User’s devices are not compromised
  2. iroh QUIC TLS is sound, augmented by hybrid Noise Protocol
  3. Argon2id parameters are sufficient
  4. Relay is honest-but-curious