On 2018-03-11 01:48, Sergey Matveev wrote:
> *** Markus Teich [2018-03-10 17:09]:
>> I don't know crypto_argon2i. I'd use the standardized HKDF2 scheme to
> The HKDF algorithm is not aimed to be used with passwords. It is ok to be
> used with Diffie-Hellman outputs, for example. Password-derived keys are
> required (ideally) to use a CPU- and memory-hard one. Argon2, being the
> PHC winner, is a good choice (however I prefer Balloon for its
> and (seems to be) higher security margin
> but it is not standardized).

Ah, thanks for the reminder! I always forget about this caveat of HKDF2

>> I'm not sure why you would need a mac if you don't use a malleable
> Encryption with authentication is *always* right. Modern encryption
> techniques always use authenticated encryption schemes (deprecating
> unauthenticated modes altogether). MAC is not only about malleability and
> integrity, but about authenticity. No data should be decrypted (or
> processed in any way) before it is authenticated. It is always right.

You are correct that it doesn't hurt to add a MAC. I was thinking it
make sense to authenticate to myself. Could you point me to an attack
where not having a MAC in this scheme is bad?
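The two points Sergey makes in this thread, as an added example that is not part of the thread or either author's code: a memory-hard KDF for the password step with HKDF used only to split the resulting strong key into subkeys, and decryption gated on MAC verification so that a modified ciphertext is rejected instead of silently decrypting to something else. scrypt from the Python standard library stands in for Argon2, and the counter-mode keystream, salt, nonce and message are constructed for the illustration.

```python
import hashlib
import hmac
TAG_LEN = 32

def password_key(password: bytes, salt: bytes) -> bytes:
    # Memory-hard step for the password (scrypt stands in for Argon2; params illustrative)
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    # RFC 5869 extract-then-expand; fine here because ikm is already a strong key
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream SHA-256(key || nonce || counter), for illustration only
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(password: bytes, salt: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    master = password_key(password, salt)
    enc_key, mac_key = hkdf_sha256(master, nonce, b"enc"), hkdf_sha256(master, nonce, b"mac")
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_unauthenticated(password: bytes, salt: bytes, nonce: bytes, blob: bytes) -> bytes:
    # Ignores the tag: this is how a scheme without a MAC behaves
    ct = blob[:-TAG_LEN]
    enc_key = hkdf_sha256(password_key(password, salt), nonce, b"enc")
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def open_authenticated(password: bytes, salt: bytes, nonce: bytes, blob: bytes):
    master = password_key(password, salt)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(hkdf_sha256(master, nonce, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before producing any plaintext
    return xor(ct, keystream(hkdf_sha256(master, nonce, b"enc"), nonce, len(ct)))

def demo():
    pw, salt, nonce = b"correct horse", b"constructed-salt", b"nonce-01"
    blob = bytearray(seal(pw, salt, nonce, b"pay 10 EUR"))
    blob[4] ^= ord("1") ^ ord("9")  # one flipped ciphertext byte changes "10" to "90"
    return open_unauthenticated(pw, salt, nonce, bytes(blob)), open_authenticated(pw, salt, nonce, bytes(blob))
```

`demo()` returns `(b"pay 90 EUR", None)`: the tag-less path accepts the altered message without any error, while the authenticated path refuses to decrypt at all.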