
Account Registration

At Locker, the account creation process consists of 2 main stages:
  1. Basic Account Creation
  2. Create the Master Password

Basic Account Creation

In this step, users are asked to enter basic information: an email address, an account password, and some other personal details. Users can also create an account through the OAuth methods we provide, including Google, Facebook, GitHub, or AppleID.

[Figure: Locker account registration interface]

Create the Master Password

The Master Password is the key to encrypting and decrypting all user data in Locker. It is important to distinguish the Master Password from the Account Password created in the previous step. The Account Password is used only for outer authentication, plays no part in data encryption, and can be reset. The Master Password is used in every encryption and decryption operation and, importantly, cannot be recovered if the user forgets it.

Creating and Storing Encryption Keys

Locker uses the PBKDF2 key derivation algorithm with a default iteration count of 100,000 to expand the Master Password, using the user's email address as the salt. The resulting value is a 256-bit Master Key. The Master Key is then further expanded to 512 bits into a Stretched Master Key using the HMAC-based Extract-and-Expand Key Derivation Function (HKDF).

The Master Key and Stretched Master Key are never transmitted to or stored on Locker servers.

Additionally, a 512-bit Symmetric Key and an Initialization Vector (IV) are generated using a cryptographically secure pseudorandom number generator (CSPRNG). The Symmetric Key is encrypted with AES-256-CBC, using the Stretched Master Key as the key and the Initialization Vector as the IV. The result is the Encrypted Symmetric Key, a per-user value that is stored on Locker servers.

A hash of the Master Password is also created using PBKDF2-SHA256 with the Master Key as the payload and the Master Password as the salt. This value is sent to the Locker server during account creation and login to authenticate the user account. After being transmitted to the server, it is hashed again using PBKDF2-SHA256 with a random salt and 216,000 iterations before being saved to the database.

An asymmetric key pair (RSA key pair) is also created when the user registers their account. This RSA key pair is used for data sharing within Organizations, which is described in a later section.

[Figure: Account creation flow]
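The derivation chain above, written out as an added example that is not Locker's own code: the client derives the Master Key and Stretched Master Key locally, sends only the Master Password hash, and the server re-hashes that value with a random salt before storing it. The HKDF info label and the iteration count of the client-side hash are not stated on this page and are assumptions here; AES wrapping of the Symmetric Key is left out.

```python
import hashlib
import hmac
import secrets

# Parameters stated on the page.
CLIENT_ITERATIONS = 100_000   # PBKDF2 iterations when deriving the Master Key
SERVER_ITERATIONS = 216_000   # PBKDF2 iterations applied again on the server
# Assumptions: the page gives neither the HKDF info label nor the client-side hash iteration count.
HKDF_INFO = b"locker-stretched-key-placeholder"  # constructed label, not Locker's real value
HASH_ITERATIONS = 1


def derive_master_key(master_password: str, email: str) -> bytes:
    """Master Key = PBKDF2-SHA256(Master Password, salt=email, 100,000 iterations), 256 bits."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.encode(),
                               CLIENT_ITERATIONS, dklen=32)


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256; stretches the 256-bit Master Key to 512 bits."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def stretch_master_key(master_key: bytes) -> bytes:
    return hkdf_expand(master_key, HKDF_INFO, 64)


def master_password_hash(master_key: bytes, master_password: str) -> bytes:
    """Authentication value: PBKDF2-SHA256 with the Master Key as payload and the password as salt.
    This is the only derived value the client sends; the Master Key itself never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(),
                               HASH_ITERATIONS, dklen=32)


def server_store(mp_hash: bytes) -> tuple:
    """Server side at registration: re-hash the received value with a random 16-byte salt."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", mp_hash, salt, SERVER_ITERATIONS, dklen=32)


def server_verify(mp_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side at login: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", mp_hash, salt, SERVER_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, stored)
```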