Cross-platform AES data format and implementations

Draft v3.1 and v4.0 Specs for Comment

I’ve published draft specs for the next two versions of the RNCryptor format. I split it into two versions because the v3.1 changes are backward compatible while the v4.0 changes are not. Updating the ObjC implementation to v4.0 may take a little while, because I plan to also update the API at the same time. I can probably get a new version that handles v3.1 pretty quickly.

Comments on these drafts are highly encouraged.

v3.1 allows you to configure PBKDF2 rounds in orders of magnitude from 101 (10) through 107 (1,000,000). This should address the many ad hoc implementations that people have used to support JavaScript. It will also allow me to finish rncryptor-js, which could not be implemented in a compatible way without support in the format for lower iteration counts. v3.1 is completely backward compatible with v3.0.

v4.0 is a more radical change to the format. Rather than randomly generating the IV, encryption key, and HMAC key, it derives these from a single master key and a random salt using a KDF. For key-based encryption, this is HKDF. For password-based encryption, this is PBKDF2 and HKDF. It also adds a validator that can be used to quickly verify that the key/password is correct before processing the entire file (this also differentiates between incorrect password and most corruption errors; previously the caller could not differentiate these error conditions).