Closed joepie91 closed 10 years ago
Hi, we understand PBKDF is for key derivation, not encryption. Subrosa uses PBKDF (HMAC-SHA1) to derive a key for AES-CBC-256, which is the encryption being referred to.
Thanks for pointing this out, and the security contact email. We've overhauled the security page: http://subrosa.io/security
The Security page refers to PBKDF as 'encryption', while it absolutely isn't that, since the process is not reversible. PBKDF is a key derivation function - not only is it essential to correctly understand and publish this (there's really no margin for misunderstandings in security and cryptography), the used (hash) function should also be explicitly specified (e.g. HMAC-SHA1 or whatever it is that Subrosa uses).