Am 2018-03-11 01:48, schrieb Sergey Matveev:
*** Markus Teich [2018-03-10 17:09]:
I don't know crypto_argon2i. I'd use the standardized HKDF2 scheme to derive
the key.

HKDF algorithm is not aimed to be used with passwords. It is ok to be
used with Diffie-Hellman outputs for example. Password-derived keys are
required (ideally) to use CPU and memory hard one. Argon2, beeing the
PHC winner is a good choice (however I prefer Balloon for its simplicity and (seems to be) higher security margin (,
but it is not standardized).

Ah, thanks for the reminder! I always forget about this caveat of HKDF2 with
passwords… -.-

I'm not sure why you would need a mac if you don't use a malleable encryption

Encryption with authentication is *always* right. Modern encryption
techniques always use authenticated encryption schemes (deprecating
unauthenticated modes at all). MAC is not only about malleability and
integrity, but about authenticity. No data should be decrypted (or any
kind processed) before it is authenticated. It is always right.

You are correct that it doesn't hurt to add a MAC. I was thinking it wouldn't make sense to authenticate to myself. Could you point me to an attack scenario
where not having a MAC in this scheme is bad?


Reply via email to