Standard Notes Completes Penetration Test and Cryptography Audit

January 5, 2021

We are pleased to announce the latest release of our encryption suite. This release uses the latest state-of-the-art, cryptographer-recommended algorithms for modern day encryption and key generation, designed to withstand the latest advances in cryptographic attacks and brute-forcing.

For data encryption, our latest cryptography suite uses XChaCha20-Poly1305, an authenticated encryption (AEAD) algorithm. It is presently the preferred choice in many modern encryption contexts, and for software like ours it has practical advantages over the AES family: it runs in constant time without depending on AES hardware acceleration, its 192-bit nonce is large enough that a fresh random nonce can be drawn for every message without any realistic risk of reuse (a weak point of AES-GCM with its 96-bit nonce), and unlike AES-CBC it authenticates the data, so a tampered ciphertext is rejected rather than decrypted.

For password-based key derivation, our new release uses Argon2, a memory-hard algorithm. This replaces PBKDF2, the previously and commonly used algorithm. PBKDF2 needs almost no memory per guess, so an attacker can run enormous numbers of password guesses in parallel on GPUs and purpose-built hardware of the kind cryptocurrency mining has made commonplace. Because Argon2 is memory-hard, each single guess, with the parameters we use, requires around 70 MB of memory. This makes it very, very expensive to mount a large-scale attack and try trillions of guesses. Guessing trillions of hashes with PBKDF2, however, is not nearly as expensive.
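The two algorithm choices above, as an added example that is not Standard Notes' own code: a standard-library Python implementation of XChaCha20-Poly1305 (HChaCha20 subkey derivation plus RFC 8439 ChaCha20-Poly1305) with a memory-hard password KDF in front. Argon2 is not in Python's standard library, so hashlib.scrypt, another memory-hard KDF, stands in for it; the sample password and all function names are this example's own. It is here to show the construction, in particular why a 192-bit nonce can simply be drawn at random per message and why the tag is checked before any plaintext is released; a shipping application should call libsodium's crypto_pwhash and crypto_aead_xchacha20poly1305_ietf_* rather than hand-rolled primitives.

```python
# Added example (not Standard Notes' own code): XChaCha20-Poly1305 assembled from
# HChaCha20 + ChaCha20-Poly1305 (RFC 8439, draft-irtf-cfrg-xchacha) behind a
# memory-hard password KDF. Standard library only; real applications should call
# libsodium (crypto_pwhash, crypto_aead_xchacha20poly1305_ietf_*) instead.
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # ChaCha constant words

def derive_key(password: bytes, salt: bytes) -> bytes:
    # Argon2 is not in Python's stdlib, so scrypt (also memory-hard) stands in.
    # Memory per guess is 128 * n * r bytes: n=2**16, r=8 -> 64 MiB, the same
    # order as the ~70 MB Argon2 cost in the post. maxmem must be raised above
    # OpenSSL's 32 MiB default or the call is refused.
    return hashlib.scrypt(password, salt=salt, n=2**16, r=8, p=1,
                          maxmem=2**27, dklen=32)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def _qr(s, a, b, c, d):
    # ChaCha quarter round, in place on the 16-word state
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds(s):
    # 20 rounds = 10 double rounds (column round, then diagonal round)
    for _ in range(10):
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)

def chacha20_block(key, counter, nonce12):
    state = list(SIGMA) + list(struct.unpack("<8I", key)) + [counter] + list(struct.unpack("<3I", nonce12))
    w = state[:]
    _rounds(w)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])

def hchacha20(key, nonce16):
    # Same rounds as ChaCha20 but no feed-forward; words 0-3 and 12-15 become the subkey
    s = list(SIGMA) + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16))
    _rounds(s)
    return struct.pack("<8I", *(s[:4] + s[12:]))

def chacha20_xor(key, counter, nonce12, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce12)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

def poly1305_mac(otk, msg):
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clamp r
    s = int.from_bytes(otk[16:], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")  # block with a 0x01 byte appended
        acc = ((acc + n) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _pad16(b):
    return b + b"\x00" * (-len(b) % 16)

def _tag(key, nonce12, aad, ct):
    otk = chacha20_block(key, 0, nonce12)[:32]  # one-time Poly1305 key from block 0
    return poly1305_mac(otk, _pad16(aad) + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct)))

def chacha20_poly1305_encrypt(key, nonce12, aad, plaintext):
    ct = chacha20_xor(key, 1, nonce12, plaintext)  # keystream for data starts at block 1
    return ct + _tag(key, nonce12, aad, ct)

def chacha20_poly1305_decrypt(key, nonce12, aad, boxed):
    ct, tag = boxed[:-16], boxed[-16:]
    if not hmac.compare_digest(_tag(key, nonce12, aad, ct), tag):
        raise ValueError("authentication failed")  # verify first; never release unauthenticated plaintext
    return chacha20_xor(key, 1, nonce12, ct)

def xchacha20_poly1305_encrypt(key, nonce24, aad, plaintext):
    # 192-bit nonce: first 16 bytes derive a subkey, last 8 bytes form the inner 96-bit nonce
    return chacha20_poly1305_encrypt(hchacha20(key, nonce24[:16]), b"\x00" * 4 + nonce24[16:], aad, plaintext)

def xchacha20_poly1305_decrypt(key, nonce24, aad, boxed):
    return chacha20_poly1305_decrypt(hchacha20(key, nonce24[:16]), b"\x00" * 4 + nonce24[16:], aad, boxed)

if __name__ == "__main__":
    key = derive_key(b"correct horse battery staple", os.urandom(16))  # constructed sample password
    nonce = os.urandom(24)  # random per message is safe at 192 bits; no counter bookkeeping needed
    boxed = xchacha20_poly1305_encrypt(key, nonce, b"note:42", b"first line of an encrypted note")
    print(xchacha20_poly1305_decrypt(key, nonce, b"note:42", boxed))
    try:
        xchacha20_poly1305_decrypt(key, nonce, b"note:42", bytes([boxed[0] ^ 1]) + boxed[1:])
    except ValueError as e:
        print("tampered ciphertext rejected:", e)
```

The associated data (here the constructed label `note:42`) is authenticated but not encrypted, which is how an item identifier or version tag can be bound to a ciphertext so it cannot be swapped onto another item. The HChaCha20, ChaCha20 block and Poly1305 pieces can each be checked against the published RFC 8439 and XChaCha draft test vectors.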

The implementation of these advances in encryption technology makes Standard Notes more robust, powerful, and secure than ever. The new releases are backed by two new security audits conducted by two of the world's leading cryptography research and testing firms: Cure53 and Trail of Bits. We engaged Cure53 to conduct a penetration test of our entire ecosystem, including our cross-platform applications and server. Cure53 conducted a rigorous and thorough test, lasting multiple weeks, that surfaced any vulnerabilities in our environment and helped build confidence in the ecosystem. We also engaged Trail of Bits to audit our new encryption release. This entailed auditing our specification, our choice of algorithms, and the code implementation of the shared library our applications use to sync data and perform encryption and key generation.

We are very pleased with the results of both audits, and their impact on making Standard Notes the most secure note-taking application available. You can visit our Audits page to learn more about these, and other, audits.

Thanks for reading