| author | Sean Whitton <spwhitton@spwhitton.name> | 2017-08-16 11:41:25 -0700 |
|---|---|---|
| committer | Sean Whitton <spwhitton@spwhitton.name> | 2017-08-16 11:41:25 -0700 |
| commit | 379f036b39e0f7dac360ba04b281f6ea4ce8f20e (patch) | |
| tree | 01a86517d6234562088561c3c4b51365ed722807 /doc/todo/future_encryption_tunables_changes.mdwn | |
| parent | 680449e656820db2b899a8631060cf62359b9b74 (diff) | |
| parent | 0229f026b1ae0344c4c052593564800035268d81 (diff) | |
| download | keysafe-379f036b39e0f7dac360ba04b281f6ea4ce8f20e.tar.gz | |
Merge tag '0.20170811'
tagging package keysafe version 0.20170811
# gpg: Signature made Fri 11 Aug 2017 03:58:54 PM MST
# gpg: using RSA key 28A500C35207EAB72F6C0F25DB12DB0FF05F8F38
# gpg: Good signature from "Joey Hess <joeyh@joeyh.name>" [full]
# Primary key fingerprint: E85A 5F63 B31D 24C1 EBF0 D81C C910 D922 2512 E3C7
# Subkey fingerprint: 28A5 00C3 5207 EAB7 2F6C 0F25 DB12 DB0F F05F 8F38
Diffstat (limited to 'doc/todo/future_encryption_tunables_changes.mdwn')

| -rw-r--r-- | doc/todo/future_encryption_tunables_changes.mdwn | 18 |
|---|---|---|

1 files changed, 18 insertions, 0 deletions
diff --git a/doc/todo/future_encryption_tunables_changes.mdwn b/doc/todo/future_encryption_tunables_changes.mdwn new file mode 100644 index 0000000..8a9b29d --- /dev/null +++ b/doc/todo/future_encryption_tunables_changes.mdwn @@ -0,0 +1,18 @@ +If switching any of the encryption tunables for some reason, +consider making these changes all at once: + +* Argon2d is more resistent to GPU/ASIC attack optimisation. + Switching from Argon2i would require new tunables, and delay restores + (of keys backed up using the old tunables, and when the user provides the + wrong name) by ~10 minutes, so deferred for now + until there's some other reason to change the tunables. +* The ShareIdents derivation currently appends a number and sha256 hashes + to generate a stream of values. Ben M points out that HMAC is a more + typical way to do such a thing. Even better, a HKDF-Expand + (RFC5869) can generate a stream which can then be chunked up into values. + Either of these would avoid a full pre-image attack on SHA-2 breaking + keysafe. Of course, such an SHA-2 attack would be a general security + disaster. HKDF may prove more robust in the face of partial SHA-2 breaks. + Deferred for now until tthere's some other reason to change keysafe's + tunables. +* Perhaps use CHACHA2 instead of AES? |
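Review bot: the last bullet names "CHACHA2", which is not a standard cipher name; ChaCha20 (as the ChaCha20-Poly1305 AEAD of RFC 8439) is presumably intended, and unlike the other two bullets this one gives no rationale, so it should state what problem with AES (if any) motivates the switch before it becomes a tunable change. In the first bullet, the Argon2d-versus-Argon2i comparison omits the trade-off that Argon2d gives up Argon2i's resistance to memory-access side channels; Argon2id combines both properties and is the usual recommendation, so the note should say which variant is actually the target. Minor: "resistent" should be "resistant", "tthere's" should be "there's", and "a HKDF-Expand" reads better as "an HKDF-Expand".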