*** Markus Teich [2018-03-10 17:09]:
> I don't know crypto_argon2i. I'd use the standardized HKDF2 scheme to derive
> the key.

The HKDF algorithm is not intended to be used with passwords. It is fine to use with Diffie-Hellman outputs, for example. Password-derived keys (ideally) require a CPU- and memory-hard one. Argon2, being the PHC winner, is a good choice (however, I prefer Balloon for its simplicity and (what seems to be) higher security margin (https://crypto.stanford.edu/balloon/), but it is not standardized).

> I'm not sure why you would need a mac if you don't use a malleable encryption
> scheme.

Encryption with authentication is *always* right. Modern encryption techniques always use authenticated encryption schemes (deprecating unauthenticated modes altogether). MAC is not only about malleability and integrity, but about authenticity. No data should be decrypted (or processed in any way) before it is authenticated. It is always right.

> Should be fine, but the salt should not be secret (you need to sync it
> between devices where you want to use this system after all).

Agreed, there is no need for the salt to be any kind of secret. It is safe to store it in the clear.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263 6422 AE1A 8109 E498 57EF
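An added illustration of the three points in the reply (memory-hard password KDF, salt stored in the clear, authenticate before decrypting anything); it is example code, not code from this thread. It uses only the Python standard library, so scrypt stands in for Argon2/Balloon and an HMAC-SHA256 counter-mode keystream stands in for a real cipher (the stdlib has no AES); the cost parameters and sizes are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Constructed parameters for the example (scrypt N/r/p = 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(password: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Memory-hard KDF (scrypt stands in for Argon2/Balloon); the 64-byte
    output is split into separate encryption and MAC keys."""
    km = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a counter-mode keystream from HMAC-SHA256 (a PRF).
    Stand-in for a real cipher so the example runs with the stdlib only."""
    out = bytearray()
    for i in range(0, (len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def encrypt(password: bytes, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ct = keystream_xor(enc_key, nonce, plaintext)
    # Encrypt-then-MAC: the tag covers every byte the receiver will parse.
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag  # salt and nonce travel in the clear


def decrypt(password: bytes, blob: bytes) -> Optional[bytes]:
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    # Authenticate first, in constant time; nothing is decrypted on failure.
    if not hmac.compare_digest(expected, tag):
        return None
    return keystream_xor(enc_key, nonce, ct)
```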