Re: [dev] securiy guidance

From: Markus Teich <>
Date: Sun, 11 Mar 2018 05:29:10 +1100

Am 2018-03-11 01:48, schrieb Sergey Matveev:
> *** Markus Teich [2018-03-10 17:09]:
>> I don't know crypto_argon2i. I'd use the standardized HKDF2 scheme to
>> derive
>> the key.
> HKDF algorithm is not aimed to be used with passwords. It is ok to be
> used with Diffie-Hellman outputs for example. Password-derived keys are
> required (ideally) to use CPU and memory hard one. Argon2, beeing the
> PHC winner is a good choice (however I prefer Balloon for its
> simplicity
> and (seems to be) higher security margin
> (,
> but it is not standardized).

Ah, thanks for the reminder! I always forget about this caveat of HKDF2
passwords… -.-

>> I'm not sure why you would need a mac if you don't use a malleable
>> encryption
>> scheme.
> Encryption with authentication is *always* right. Modern encryption
> techniques always use authenticated encryption schemes (deprecating
> unauthenticated modes at all). MAC is not only about malleability and
> integrity, but about authenticity. No data should be decrypted (or any
> kind processed) before it is authenticated. It is always right.

You are correct that it doesn't hurt to add a MAC. I was thinking it
make sense to authenticate to myself. Could you point me to an attack
where not having a MAC in this scheme is bad?

Received on Sat Mar 10 2018 - 19:29:10 CET

This archive was generated by hypermail 2.3.0 : Sat Mar 10 2018 - 19:36:22 CET