Account Registration

Last modified Jun 19, 2022

Registering a Locker account involves two main steps:

  1. Sign up for a Locker account
  2. Create the Master Password

Sign up for a Locker account

In this step, you will be asked to enter your email address, set an Account Password, and provide some other information. Alternatively, you can create a Locker account by signing in with an OAuth provider: Google, Facebook, GitHub, or Apple ID.


Create the Master Password

The Master Password is the secret from which the keys that encrypt and decrypt all of a user's data in Locker are derived.

The Master Password is different from the Account Password created in the first step. The Account Password is used only for authentication, takes no part in data encryption, and can be reset if forgotten. The Master Password, in contrast, participates in every encryption and decryption operation and cannot be reset or recovered: if a user loses it, Locker has no way to decrypt that user's data.

Generate and Store Encryption Keys

Locker stretches the Master Password with the PBKDF2 key derivation function (default iteration count 100,000), using the user's email address as the salt. The result is a 256-bit Master Key. Since the salt is not secret, the iteration count is the only thing that slows down an attacker guessing the Master Password offline; the same email and password always yield the same Master Key, so any normalization of the email address must be identical on every client.

The Master Key is then expanded to a 512-bit Stretched Master Key with the HMAC-based Extract-and-Expand Key Derivation Function (HKDF).

💡
It should be noted that the Master Key and the Stretched Master Key never leave the client: they are neither transmitted to nor stored on the Locker servers.

In addition, a 512-bit Symmetric Key and an Initialization Vector (IV) are generated with a cryptographically secure pseudorandom number generator (CSPRNG). The Symmetric Key is encrypted with AES-256-CBC, keyed from the Stretched Master Key and using that IV (AES-256 takes a 256-bit key, so only half of the 512-bit Stretched Master Key can serve as the cipher key). The result is the Encrypted Symmetric Key; it is unique to each user and is the value that is saved on the Locker servers.

A hash of the Master Password is also produced with PBKDF2-SHA256, using the Master Key as the password input and the Master Password as the salt. This value is sent to the Locker servers at account creation and at every login to authenticate the user's Locker account. Because it is derived from the Master Key rather than being the Master Key itself, the server can verify a login without ever learning the key material that protects the vault. On receipt, the server hashes it again with PBKDF2-SHA256, using a random salt and 216,000 iterations, before saving it to the database.

Also at registration, an asymmetric key pair (RSA) is generated. This key pair is used for data sharing within the Organizations or User Groups described later.

Encryption Key generation upon account registration