I’ve published draft specs for the next two versions of the RNCryptor format. I split it into two versions because the v3.1 changes are backward compatible while the v4.0 changes are not. Updating the ObjC implementation to v4.0 may take a little while, because I plan to also update the API at the same time. I can probably get a new version that handles v3.1 pretty quickly.

Comments on these drafts are highly encouraged.

v3.1 allows you to configure PBKDF2 rounds in orders of magnitude from 10¹ (10) through 10⁷ (1,000,000). This should address the many ad hoc implementations that people have used to support JavaScript. It will also allow me to finish rncryptor-js, which could not be implemented in a compatible way without support in the format for lower iteration counts. v3.1 is completely backward compatible with v3.0.

v4.0 is a more radical change to the format. Rather than randomly generating the IV, encryption key, and HMAC key, it derives these from a single master key and a random salt using a KDF. For key-based encryption, this is HKDF. For password-based encryption, this is PBKDF2 and HKDF. It also adds a validator that can be used to quickly verify that the key/password is correct before processing the entire file (this also differentiates between incorrect password and most corruption errors; previously the caller could not differentiate these error conditions).