On 2018-03-11 01:48, Sergey Matveev wrote:
> *** Markus Teich [2018-03-10 17:09]:
>> I don't know crypto_argon2i. I'd use the standardized HKDF2 scheme to
>> derive the key.
>
> HKDF algorithm is not aimed to be used with passwords. It is ok to be
> used with Diffie-Hellman outputs for example. Password-derived keys are
> required (ideally) to use CPU and memory hard one. Argon2, being the
> PHC winner is a good choice (however I prefer Balloon for its simplicity
> and (seems to be) higher security margin
> (https://crypto.stanford.edu/balloon/), but it is not standardized).
Ah, thanks for the reminder! I always forget about this caveat of HKDF2
with passwords… -.-
>> I'm not sure why you would need a mac if you don't use a malleable
>> encryption scheme.
>
> Encryption with authentication is *always* right. Modern encryption
> techniques always use authenticated encryption schemes (deprecating
> unauthenticated modes at all). MAC is not only about malleability and
> integrity, but about authenticity. No data should be decrypted (or any
> kind processed) before it is authenticated. It is always right.
You are correct that it doesn't hurt to add a MAC. I was thinking it
wouldn't make sense to authenticate to myself. Could you point me to an
attack scenario where not having a MAC in this scheme is bad?
--Markus
Received on Sat Mar 10 2018 - 19:29:10 CET
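As an added example (not code from the thread or from either poster), here is a password-based sealing routine that follows both points Sergey raises: the password goes through a memory-hard KDF (scrypt from Python's standard library stands in for Argon2 or Balloon, which the stdlib lacks), HKDF only expands the resulting high-entropy key into separate encryption and MAC subkeys, and the tag is checked before a single byte is decrypted. The function names and the HMAC-SHA256 keystream cipher are my own assumptions; the keystream is a stand-in for a real cipher such as AES-CTR, which the stdlib also lacks.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): fine for a uniformly random key, not for a raw password."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(password: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Memory-hard stretch of the password first (scrypt stands in for Argon2/Balloon),
    then HKDF splits the 32-byte master key into an encryption key and a MAC key."""
    master = hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return hkdf_expand(master, b"enc", 32), hkdf_expand(master, b"mac", 32)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; a stand-in for AES-CTR.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def seal(password: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_sealed(password: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None on a bad tag; nothing is decrypted until the MAC verifies."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

Flipping any byte of the stored blob, or supplying a different password, makes `open_sealed` return None before decryption is attempted.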