diff options
author | Joey Hess <joeyh@joeyh.name> | 2017-01-25 15:32:31 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2017-01-25 15:32:31 -0400 |
commit | d471029790667c3630078f7054fa86dc41ffadc4 (patch) | |
tree | 447fcd2d0a94df47f4303cf2ec637fda4d4c75f1 /TODO | |
parent | 6da465ce37d737951fe61e32327002e0bf1a1aa1 (diff) | |
download | keysafe-d471029790667c3630078f7054fa86dc41ffadc4.tar.gz |
add better object-id derivation idea
Diffstat (limited to 'TODO')
-rw-r--r-- | TODO | 22 |
1 files changed, 17 insertions, 5 deletions
@@ -39,11 +39,6 @@ Later: * Add some random padding to http requests and responses, to make it harder for traffic analysis to tell that given TOR traffic is keysafe traffic. -* Argon2d is more resistent to GPU/ASIC attack optimisation. - Switching from Argon2i would require new tunables, and delay restores - (of keys backed up using the old tunables, and when the user provides the - wrong name) by ~10 minutes, so deferred for now - until there's some other reason to change the tunables. Wishlist: @@ -86,3 +81,20 @@ Wishlist: restore from working. (It also makes a malicious data attack (as described in https://keysafe.branchable.com/details/) possible by attackers who do not control the servers. + +Encryption tunables changes: + +* Argon2d is more resistent to GPU/ASIC attack optimisation. + Switching from Argon2i would require new tunables, and delay restores + (of keys backed up using the old tunables, and when the user provides the + wrong name) by ~10 minutes, so deferred for now + until there's some other reason to change the tunables. +* The ShareIdents derivation currently appends a number and sha256 hashes + to generate a stream of values. Ben M points out that HMAC is a more + typical way to do such a thing. Even better, a HKDF-Expand + (RFC5869) can generate a stream which can then be chunked up into values. + Either of these would avoid a full pre-image attack on SHA-2 breaking + keysafe. Of course, such an SHA-2 attack would be a general security + disaster. HKDF may prove more robust in the face of partial SHA-2 breaks. + Deferred for now until tthere's some other reason to change keysafe's + tunables. |