consider moving Md5, Sha1 to new
unsafe/legacynamespace, document that all algorithms in it are not cryptographically secure. It may be a place for DES #4157. Same for some block cipher modes #5763.make changes to
kdfdiscussed in #6336.
1)password kdfs should be in their own namespacedone
2) implement another kdf and come up with a unified api.
suggestionPbkdf2(HmacSha1).init(iterations, salt?).deriveKey(outSlice)
3) maybe add an alias/wrapper for Blake3 kdf mode
4) suggestion: restrict size of derived key that Pbkdf2 accepts (spec allowsmaxInt(u32) * hash.digest_size)
- when making changes use arrays instead of slices if a fixed buffer is required #5851
Rocknest
All 6 comments
- consider moving Md5, Sha1 to new
unsafe/legacynamespace, document that all algorithms in it are not cryptographically secure. It may be a place for DES #4157. Same for some block cipher modes #5763.
I don't think this is a good idea. Also see https://github.com/ziglang/zig/pull/6095#discussion_r473170318
- make changes to
kdfdiscussed in #6336.- password kdfs should be in their own namespace
Agreed
- implement another kdf and come up with a unified api.
suggestionPbkdf2(HmacSha1).init(iterations, salt?).deriveKey(outSlice)
Consider implementing bcrypt or scrypt.
Also consider looking at the openssl api. I've worked on that a bit e.g. https://github.com/openssl/openssl/issues/9139
daurnimator
on 18 Sep 2020
consider moving Md5, Sha1 to new unsafe/legacy namespace
This is something that has been discussed before, but the consensus was to improve the documentation for these functions rather than move them to a legacy namespace.
MD5 and SHA1 are required by many applications and by Zig itself. But it more difficult to justify DES and unauthenticated modes in a recent project, even less so in the standard library of a new programming language.
Performance of our implementations is currently very poor due to the absence of optimized implementations. Maybe this is something to focus on first (and it has implications on the API, too , such as the way the AES core functions is exposed) before adding more constructions, especially legacy ones.
Pbkdf2(HmacSha1).init(iterations, salt?).deriveKey(outSlice)
Shouldn't the salt be mandatory?
jedisct1
on 18 Sep 2020
I just want to put one piece of guidance here which I think I am qualified to make:
- Focus more on making each API independently secure, optimized, correct, type-safe, etc. Worry less about trying to make all the APIs conform to similar interfaces, or making them iterable with reflection or whatever.
andrewrk
on 18 Sep 2020
Consider implementing bcrypt or scrypt.
Argon2 may be better a candidate. The reason being that unlike bcrypt/scrypt, it can share code with the existing BLAKE2 implementation, so that the same optimizations can be shared. But doing so will require some refactoring. It is a better case to study than another primitive that is very similar to PBKDF2.
jedisct1
on 18 Sep 2020
It is a better case to study than another primitive that is very similar to PBKDF2.
I thought it would be best to study something quite far removed from PBKDF2 so that assumptions are more general.
daurnimator
on 18 Sep 2020
It is a better case to study than another primitive that is very similar to PBKDF2.
I thought it would be best to study something quite far removed from PBKDF2 so that assumptions are more general.
Yes, this is exactly why I would suggest Argon2 instead of bcrypt, which is very close to PBKDF2.
jedisct1
on 18 Sep 2020
Related issues
andrewrk
路
3Comments
andrewrk
路
3Comments
andersfr
路
3Comments
andrewrk
路
3Comments
daurnimator
路
3Comments
Most helpful comment
Yes, this is exactly why I would suggest Argon2 instead of bcrypt, which is very close to PBKDF2.