Merge mintkey in #36
Comments
This is noted in a comment. I wasn't sure how to set up bcrypt securely, so I left it as a TODO until someone did it right. (Better missing than buggy). Could you make a PR to show me how? The code to modify is here: I guess it should do something like: But not sure how to deal with salts and headers. Also, we need to clean up the local file format as per #13 so maybe we should do that to add support for salts. I don't know the proper design here. Very happy to have someone with more experience in cryptography work on this.
Is bcrypt even the right choice? Scrypt seems much better against GPU cracking, and is in the go/x/crypto libs: Or even other algorithms like argon2, the winner of the password hashing competition: Notes on go implementations, which seem not really production-ready:
This is implemented in #38
I think we should stick with the proven crypto, which in this case is bcrypt. It has aged nicely for 14 years without any theoretical vulnerabilities. Scrypt with 3-4 is much less proven. It is more memory heavy and hence better against FPGA cracking. Some sources:
It would be great to make this configurable somehow. At least bcrypt and scrypt. But I think that is related to #13
I'll look into that once I have some time
Configurable KDF is done in #58 via the armor headers. We can add support for scrypt if we like down the road.
We need to use bcrypt for cryptostore.
Let's merge in https://github.com/tendermint/mintkey/blob/master/cmd/mintkey/common.go