The main reason I'm giving this guy some credence is that his analysis of KDF cost is the source used for the OWASP Cheatsheet on password hashing. In addition, several trusted infosec regulars are among his 613 followers on Mastodon.
In contrast, the local data.json files contain a cryptoSymmetricKey field, which is the protected symmetric key. Therefore, it is possible to decrypt the data.json files using third-party utilities such as BitwardenDecrypt developed by /u/GurpreetKang, simply by supplying the master password (there is no need to fetch the protected symmetric key from the cloud servers, because it is already packaged with the data file). When it comes to the new password-protected JSON exports, this file format contains a field named encKeyValidation_DO_NOT_EDIT, which appears to serve a purpose similar to the cryptoSymmetricKey. However, I admit that I haven't delved into the code details sufficiently to say definitively whether the account encryption key is used to encrypt the password-protected export or not. On closer look, the structure of the password-protected JSON is significantly different from the data.json, so it is possible I was wrong when I assumed that the encryption process in the password-protected JSON export followed the same scheme as the one used to encrypt the data.json files.