*** Michael Forney [2018-03-08 22:10]:
>I'm no expert either (so follow this at your own risk), but I also did
>some investigation, and I think either of the following schemes would
>work:
>(1)
This scheme seems ok and some kind of classical one. Simple and working.
>It's not clear to me if it's okay to use the plain crypto_argon2i with
>just a fixed secret salt. A related scheme might be to use
>crypto_argon2i_general with a salt generated for each encryption and a
>single saved key. Then, the salts could be stored as plain text in the
>output file (and probably authenticated with crypto_lock_aead).
>Perhaps one benefit is if someone somehow figured out the encryption
>key for one password, they still wouldn't be able to decrypt the
>others.
According to the manual, _general supports keyed hashing of additional
data. In your context there is no need to authenticate something
additional. So _general is useless here. You can generate a salt for each
encryption -- nothing wrong with that, but you are assuming that an
adversary could compromise your password. I assume that a single
passphrase is used to encrypt all the passwords, so different salts
won't help you here. In my opinion, different separate salts bring
nothing to security.
>(2)
Personally I do not like this setup. Anyway, all security depends on the
passphrase a human needs to input. Never use asymmetric cryptography when
you have to. Your password-encryption task obviously does not need any
kind of asymmetry.
>For (2) I'm not sure if the nonce is necessary or not, since passwords
>are encrypted with randomly generated single-use keys (so maybe a
>fixed value is sufficient; it is still only used once per key).
When keys are guaranteed to be unique and used only once (for one
encryption/decryption) -- it is safe to use zero nonce.
--
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263 6422 AE1A 8109 E498 57EF
Received on Sat Mar 10 2018 - 15:47:25 CET
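The two layouts discussed in this thread, written out as an added example (not code from the thread or from Monocypher). It assumes Ruby's OpenSSL bindings and uses scrypt and AES-256-GCM as stand-ins for crypto_argon2i and crypto_lock_aead; the point is the structure: one vault salt, a fresh nonce per encryption under the reused master key, and an all-zero nonce only under a key that is generated once and used once.

```ruby
require 'openssl'
require 'securerandom'

# Stand-ins for the Monocypher calls in the thread: scrypt for crypto_argon2i,
# AES-256-GCM for crypto_lock_aead. Only the shape of the scheme matters here.
NONCE_LEN = 12
ZERO_NONCE = ("\0" * NONCE_LEN).b

def derive_master_key(passphrase, salt)
  OpenSSL::KDF.scrypt(passphrase, salt: salt, N: 2**14, r: 8, p: 1, length: 32)
end

# Authenticated encryption: `ad` stays readable but is covered by the tag.
def aead_lock(key, nonce, ad, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key; c.iv = nonce; c.auth_data = ad
  ct = c.update(plaintext) + c.final
  [c.auth_tag, ct]
end

def aead_unlock(key, nonce, ad, tag, ct)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key; c.iv = nonce; c.auth_tag = tag; c.auth_data = ad
  c.update(ct) + c.final # CipherError when key, nonce, tag or ad do not match
end

class Vault
  # One KDF salt for the whole vault, stored in the clear in the header: every
  # entry hangs off the same passphrase, so per-entry salts add nothing.
  def initialize(passphrase, salt = SecureRandom.random_bytes(16))
    @key = derive_master_key(passphrase, salt)
    @entries = {}
  end
  # Scheme (1): the master key is reused, so every encryption gets a fresh random
  # nonce; the label is associated data, so an entry moved to another label fails.
  def store(label, password)
    nonce = SecureRandom.random_bytes(NONCE_LEN)
    @entries[label] = [nonce, *aead_lock(@key, nonce, label, password)]
  end
  # Scheme (2): a random single-use key per entry, so that key may use an all-zero
  # nonce; the master key still wraps the entry key under a random nonce.
  def store_keyed(label, password)
    entry_key = SecureRandom.random_bytes(32)
    etag, ect = aead_lock(entry_key, ZERO_NONCE, label, password)
    wnonce = SecureRandom.random_bytes(NONCE_LEN)
    @entries[label] = [wnonce, *aead_lock(@key, wnonce, label, entry_key), etag, ect]
  end
  def fetch(label)
    nonce, tag, ct, etag, ect = @entries.fetch(label)
    inner = aead_unlock(@key, nonce, label, tag, ct)
    etag ? aead_unlock(inner, ZERO_NONCE, label, etag, ect) : inner
  end
end
```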