On 2018-03-11 01:48, Sergey Matveev wrote:
> *** Markus Teich [2018-03-10 17:09]:
> > I don't know crypto_argon2i. I'd use the standardized HKDF2 scheme to
> > derive the key.
> HKDF algorithm is not aimed to be used with passwords. It is ok to be
> used with Diffie-Hellman outputs for example. Password-derived keys are
> required (ideally) to use a CPU- and memory-hard one. Argon2, being the
> PHC winner, is a good choice (however I prefer Balloon for its simplicity
> and (seems to be) higher security margin
> (https://crypto.stanford.edu/balloon/), but it is not standardized).
Ah, thanks for the reminder! I always forget about this caveat of HKDF2
with passwords… -.-
> > I'm not sure why you would need a MAC if you don't use a malleable
> > encryption scheme.
> Encryption with authentication is *always* right. Modern encryption
> techniques always use authenticated encryption schemes (deprecating
> unauthenticated modes altogether). MAC is not only about malleability and
> integrity, but about authenticity. No data should be decrypted (or
> processed in any way) before it is authenticated. It is always right.
You are correct that it doesn't hurt to add a MAC. I was thinking it
wouldn't make sense to authenticate to myself. Could you point me to an
attack scenario where not having a MAC in this scheme is bad?
--Markus
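The two points raised in the thread (a password needs a memory-hard KDF, and ciphertext must be authenticated before anything is decrypted) can be shown in one runnable example. The code below is added here and is neither poster's code; it makes no claim about the scheme Markus is actually using. Assumptions: Python's stdlib `hashlib.scrypt` stands in for Argon2 (the stdlib has no Argon2), HKDF-Expand is only applied after the stretch, when the input is already a uniform key, and a toy HMAC-SHA256 counter-mode stream cipher stands in for any malleable unauthenticated cipher. The sample message, salt and nonce are constructed for the demo. The attack scenario is the classic one: someone who can modify the stored ciphertext, but holds no key, rewrites a known field by flipping bits; encrypt-then-MAC with a constant-time tag check fails closed before any decryption happens.

```python
import hashlib
import hmac

# Constructed demo inputs. In real use: os.urandom() salt per password,
# a fresh nonce per message, never a fixed one.
SALT = b"example-salt-16b"
NONCE = b"\x00" * 16
MESSAGE = b"transfer amount=0100 to=alice"


def derive_keys(password, salt):
    """Password -> (enc_key, mac_key).

    Step 1 is the memory-hard stretch: scrypt (stdlib) stands in for Argon2
    here (n=2**14, r=8 means roughly 16 MiB of memory per password guess).
    Step 2 is a single HKDF-Expand block (HMAC(prk, info || 0x01)); that is
    the case HKDF is designed for, because its input is already a uniform
    32-byte key rather than the low-entropy password.
    """
    master = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    enc_key = hmac.new(master, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key, nonce, length):
    """Toy stream cipher: HMAC-SHA256 used as a PRF in counter mode.
    Like every stream/CTR mode it is malleable: flipping a ciphertext bit
    flips exactly the same plaintext bit."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(key, nonce, plaintext):
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt_unauthenticated = encrypt_unauthenticated  # XOR is its own inverse


def tamper(ciphertext, offset, known, wanted):
    """Attacker with no key: knowing that `known` sits at `offset`, XOR
    (known ^ wanted) into the ciphertext so it decrypts to `wanted`."""
    patched = bytearray(ciphertext)
    for i, d in enumerate(xor(known, wanted)):
        patched[offset + i] ^= d
    return bytes(patched)


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: tag covers nonce and ciphertext."""
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag in constant time first; decrypt only if it matches."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed; refusing to decrypt")
    return decrypt_unauthenticated(enc_key, nonce, ct)


def demo():
    """Returns (what the forged unauthenticated ciphertext decrypts to,
    whether the same forgery was caught by the authenticated version)."""
    enc_key, mac_key = derive_keys(b"correct horse battery staple", SALT)
    off = MESSAGE.index(b"0100")

    # Unauthenticated: the forgery silently becomes a different message.
    ct = encrypt_unauthenticated(enc_key, NONCE, MESSAGE)
    forged_pt = decrypt_unauthenticated(enc_key, NONCE,
                                        tamper(ct, off, b"0100", b"9999"))

    # Authenticated: identical bit flips, rejected before decryption.
    blob = seal(enc_key, mac_key, NONCE, MESSAGE)
    forged_blob = (blob[:16]
                   + tamper(blob[16:-32], off, b"0100", b"9999")
                   + blob[-32:])
    try:
        open_sealed(enc_key, mac_key, forged_blob)
        detected = False
    except ValueError:
        detected = True
    return forged_pt, detected


if __name__ == "__main__":
    print(demo())
```

The point of `derive_keys` is the ordering: the slow, memory-hard step sees the password, and the fast HMAC-based expansion only ever sees the stretched 32-byte key, which is the Diffie-Hellman-output-like input Sergey describes as HKDF's proper use. `open_sealed` is the "authenticate before you process anything" rule in code: the tag check uses `hmac.compare_digest` and the ciphertext is never touched by the keystream when the tag is wrong, so an attacker who can edit the stored file (a backup, a shared disk, a cloud bucket) cannot turn "authenticating to myself" into a way to feed you chosen plaintext.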