Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-06-09 Thread cryptoz
On Thursday, June 9, 2016 at 7:05:58 PM UTC-4, Ben Fritz wrote: > On Thu, Jun 9, 2016 at 2:56 PM, Charles E Campbell > wrote: > >  if libraries are used, the system may update the library (while one > > is on holiday), potentially rendering encrypted text unreadable. 

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-06-09 Thread Benjamin Fritz
On Thu, Jun 9, 2016 at 2:56 PM, Charles E Campbell < drc...@campbellfamily.biz> wrote: > if libraries are used, the system may update the library (while one > is on holiday), potentially rendering encrypted text unreadable. I know > that these things should be done in a backwards compatible

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-06-09 Thread Charles Campbell
Bram Moolenaar wrote: > My favorite example is when I have some text that I don't want my > neighbor to read. Any encryption that Vim provides works for that. > Also keep in mind that, no matter how strong your encryption is, there > is always a weak point. Remember key loggers? There never ever

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-06-09 Thread Charles E Campbell
Benjamin Fritz wrote: > > On Wed, Mar 23, 2016 at 4:58 PM, Bram Moolenaar > wrote: > > > > > Speaking of defaults: I think Vim should default to the strongest > > > method available. I additionally think Vim should warn on saving with > > > a known

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-24 Thread Bram Moolenaar
Manuel Ortega wrote: > On Wed, Mar 23, 2016 at 10:28 PM, Ben Fritz wrote: > > > On Wednesday, March 23, 2016 at 6:21:21 PM UTC-5, Manuel Ortega wrote: > > > > That reminds me of something else. Why isn't 'modified' set when you > > change cryptmethod or the encryption

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-24 Thread Benjamin Fritz
On Thu, Mar 24, 2016 at 10:47 AM, Manuel Ortega wrote: > > The purpose of *Vim*'s cryptography, as Bram is trying to stress and nobody seems to ever internalize, is to keep data secret from neighbors and family members, i.e., people not sophisticated enough or motivated

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-24 Thread Benjamin Fritz
On Thu, Mar 24, 2016 at 9:54 AM, Benjamin Fritz wrote: > > The help entry blowfish and blowfish2 both say "medium strong encryption". An "implementation flaw" is mentioned for blowfish, but IIUC the flaw is severe enough to make it much, much weaker than blowfish2. Why

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-24 Thread Manuel Ortega
On Thu, Mar 24, 2016 at 10:54 AM, Benjamin Fritz wrote: > > > On Thu, Mar 24, 2016 at 6:08 AM, Bram Moolenaar > wrote: > > > > > > Ben Fritz wrote: > > > > > On Wed, Mar 23, 2016 at 4:58 PM, Bram Moolenaar > wrote: > > > > The

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-24 Thread Benjamin Fritz
On Thu, Mar 24, 2016 at 6:08 AM, Bram Moolenaar wrote: > > > Ben Fritz wrote: > > > On Wed, Mar 23, 2016 at 4:58 PM, Bram Moolenaar wrote: > > > The original blowfish encryption is not broken, it's just weaker than it > > > should be. It's still a lot

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-24 Thread Bram Moolenaar
Ben Fritz wrote: > On Wed, Mar 23, 2016 at 4:58 PM, Bram Moolenaar wrote: > > > > > Speaking of defaults: I think Vim should default to the strongest > > > method available. I additionally think Vim should warn on saving with > > > a known broken format such as the original

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-23 Thread Manuel Ortega
On Wed, Mar 23, 2016 at 10:28 PM, Ben Fritz wrote: > On Wednesday, March 23, 2016 at 6:21:21 PM UTC-5, Manuel Ortega wrote: > > > That reminds me of something else. Why isn't 'modified' set when you > change cryptmethod or the encryption password? > > > > > > Isn't it

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-23 Thread Ben Fritz
On Wednesday, March 23, 2016 at 6:21:21 PM UTC-5, Manuel Ortega wrote: > > That reminds me of something else. Why isn't 'modified' set when you change > >cryptmethod or the encryption password? > > > > > > Isn't it because the *buffer* hasn't changed?  IIUC, in the latter case the > *file*

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-23 Thread Manuel Ortega
> That reminds me of something else. Why isn't 'modified' set when you change cryptmethod or the encryption password? > Isn't it because the *buffer* hasn't changed? IIUC, in the latter case the *file* changes, not the buffer. In the former case neither has changed, so for sure 'modified'

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-23 Thread Benjamin Fritz
On Wed, Mar 23, 2016 at 5:51 PM, Benjamin Fritz wrote: > > I thought "blowfish" was just around to let people read their old data (and hopefully convert to blowfish2). That reminds me of something else. Why isn't 'modified' set when you change cryptmethod or the

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-23 Thread Benjamin Fritz
On Wed, Mar 23, 2016 at 4:58 PM, Bram Moolenaar wrote: > > > Speaking of defaults: I think Vim should default to the strongest > > method available. I additionally think Vim should warn on saving with > > a known broken format such as the original blowfish implementation, or >

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-23 Thread Bram Moolenaar
Ben Fritz wrote: > On Saturday, March 19, 2016 at 1:43:30 PM UTC-5, Demetri Obenour wrote: > > Argon2 is implemented in libsodium and is the winner of the Password > > Hashing Competition. It is designed as a KDF. > > > > > > However, note that the rest of Vim's cryptmethod is also poorly >

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-21 Thread Ben Fritz
On Monday, March 21, 2016 at 11:04:15 AM UTC-5, Scott wrote: > (Slight nit: it's PBKDF2. The acronym stands for "Password-Based Key > Derivation Function #2".) > > Thanks, I knew that, I just was typing faster than I was thinking apparently. That's one of those acronyms I really need to

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-21 Thread Ben Fritz
On Monday, March 21, 2016 at 11:00:31 AM UTC-5, Ben Fritz wrote: > On Saturday, March 19, 2016 at 1:43:30 PM UTC-5, Demetri Obenour wrote: > > Argon2 is implemented in libsodium and is the winner of the Password > > Hashing Competition. It is designed as a KDF. > > > > > > However, note that

Re: [vim] Vim cryptmethod uses SHA-256 for password-based key derivation (#639)

2016-03-21 Thread Ben Fritz
On Saturday, March 19, 2016 at 1:43:30 PM UTC-5, Demetri Obenour wrote: > Argon2 is implemented in libsodium and is the winner of the Password Hashing > Competition. It is designed as a KDF. > > > However, note that the rest of Vim's cryptmethod is also poorly implemented. > My suggestion is