[doc] Update Application Security spec with details of renovated session and proof of work hashing
evilaliv3 committed Jan 19, 2025
1 parent 2c13c3b commit ca515b8
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion documentation/security/ApplicationSecurity.rst
Expand Up @@ -108,7 +108,7 @@ Session encryption
------------------
To minimize the exposure of users' encryption keys, the keys are stored in an encrypted format and decrypted only upon each client request.

The implementation uses Libsodium's SecretBox, where the client's session key is used as the secret. Only the client maintains a copy of the session key, while the server retains only a SHA-256 hash.
The implementation uses Libsodium's SecretBox, where the client's session key is used as the secret. Only the client maintains a copy of the session key, while the server retains only a SHA-512 hash.

Cookies and xsrf prevention
---------------------------
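
Review bot: the changed sentence ("the server retains only a SHA-512 hash") still does not say what the server does with that hash or what the session key looks like. An unsalted, fast hash is only a safe value to store when its input is a long random secret, and SecretBox takes a 32-byte key, so the spec should state the session key's length and how it is generated, and say what the stored hash is used for. Since the previous text said SHA-256, it would also help to note whether sessions created before the change remain valid.
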
Expand Down Expand Up @@ -358,6 +358,8 @@ Proof of work on users' sessions
--------------------------------
The system implements an automatic `Proof of Work <https://en.wikipedia.org/wiki/Proof_of_work>`__ based on the hashcash algorithm for every user session, requiring clients to request a token and continuously solve a computational problem to acquire and renew the session.

Specifically the algorithm used to perform the hash is Argon2id with requirement of 1 iteration and 1MB of RAM.

Rate limit on users' sessions
------------------------------
The system implements rate limiting on user sessions, preventing more than 5 requests per second and applying increasing delays on requests that exceed this threshold.
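
Review bot: the added sentence under "Proof of work on users' sessions" gives the Argon2id cost as "1 iteration and 1MB of RAM" but omits what a reader needs to reproduce or audit the puzzle: the parallelism value, what is fed in as input and salt, and the difficulty target that decides when a hash counts as a solution. "1MB" is also ambiguous, because Argon2's memory cost is specified in KiB; write "1 MiB (1024 KiB)" if that is what is meant. Wording: add the comma after "Specifically" and consider "the hash is computed with Argon2id, using 1 iteration and 1 MiB of memory".
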