You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
So it sounds like you're doing similar to what I'm doing with the YubiKey except relying on a fast hash of the password/parameters rather than a PBKDF output and then doing Argon2 after the YubiKey challenge-response. It feels a little dodgy hashing the password in any way without a PBKDF.
Indeed, the "oracle" (my YubiKey replacement) could note down the queries it receives, and thus it could try to do some brute-forcing based on that.
However, in my particular case, that "partial key" (that contains a hash of the password and other parameters) also depends on the "salt" / "nonce" of the file to be encrypted / decrypted, thus a malicious oracle also has to brute-force the salt / nonce.
On the other hand, now that you mention it, I think I can move the oracle calling after applying the Argon2. However, in that case the Argon2 input isn't influenced by the oracle output... (I'll open an issue on my project on the issue and think about it... Perhaps one solution would be to apply something like bcrypt instead of the fast-hash for the password, thus also having something cache-hard, or perhaps having two rounds of Argon2...)
We should investigate if perhaps the Argon2 derivations shouldn't be done before the oracles call.
The current flow is:
hash password (and parameters) with file encryption salt / nonce;
call oracle with something based on that hash;
call Argon2 with the password and salt derived from the oracle output;
At the moment, if the encryption salt / nonce is random, the oracle can't do anything better than just bruteforcing the final encryption key.
However, for password derivation, there is no randomized nonce.
If we call Argon2 before the oracle, then the output of the oracle isn't an input of Argon2. (Low risk?)
If we call the oracle before Argon2, the oracle gets a fast-hash of the password. (High risk?)
The text was updated successfully, but these errors were encountered:
As noted by @samuel-lucas6 in:
=> samuel-lucas6/Cahir#1 (comment)
To which I've replied in:
=> samuel-lucas6/Cahir#1 (comment)
We should investigate if perhaps the Argon2 derivations shouldn't be done before the oracles call.
The current flow is:
At the moment, if the encryption salt / nonce is random, the oracle can't do anything better than just bruteforcing the final encryption key.
However, for password derivation, there is no randomized nonce.
If we call Argon2 before the oracle, then the output of the oracle isn't an input of Argon2. (Low risk?)
If we call the oracle before Argon2, the oracle gets a fast-hash of the password. (High risk?)
The text was updated successfully, but these errors were encountered: