*** Markus Teich [2018-03-10 17:09]:
>I don't know crypto_argon2i. I'd use the standardized HKDF2 scheme to derive
>the key.
HKDF algorithm is not aimed to be used with passwords. It is ok to be
used with Diffie-Hellman outputs for example. Password-derived keys are
required (ideally) to use CPU and memory hard one. Argon2, beeing the
PHC winner is a good choice (however I prefer Balloon for its simplicity
and (seems to be) higher security margin (
https://crypto.stanford.edu/balloon/),
but it is not standardized).
>I'm not sure why you would need a mac if you don't use a malleable encryption
>scheme.
Encryption with authentication is *always* right. Modern encryption
techniques always use authenticated encryption schemes (deprecating
unauthenticated modes at all). MAC is not only about malleability and
integrity, but about authenticity. No data should be decrypted (or any
kind processed) before it is authenticated. It is always right.
>Should be fine, but the salt should not be secret (you need to sync it
>between devices where you want to use this system after all).
Agreed, there is no need salt to be any kind of secret. It is safe to
store it clear.
--
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263 6422 AE1A 8109 E498 57EF
Received on Sat Mar 10 2018 - 15:48:39 CET