The hardest part of this to read for me isn't the vulnerability, but rather:

     2011 Passwords: PBKDF2-HMAC-SHA1 with 1000 iterations
     2011 Passwords: PBKDF2-HMAC-SHA1 with 600 iterations
     2011 768 bit RSA
     2011 512 bit RSA
     2011 600 bit RSA
     2011 1280 bit RSA
     2011 1024 bit RSA
     2011 1048 bit RSA
     2011 1536/1152 bit RSA (Chrome/other)
     2011 1536/1024 bit RSA (Chrome/other)
     2011 "3072 bit" D-H	
     2011 "3072 bit" D-H	
     2011 "4096 bit" D-H	
     2012 ECC Curve25519	
(edited for clarity)

Major red flag. The difference between symmetric-keyed password-based encryption, RSA, Diffie-Hellman and ECC (presuming ECDH?) isn't minor; it isn't a feature-level distinction. These are radically different designs. I'm not sure I've ever seen a system as popular as this so quickly take a tour of so much of cryptography. How could anyone have any kind of grip on the safety of a system that fundamentally changes its crypto constructions so often?

A lesson here: if you have to implement cryptography --- and you and your users would be much better off if you didn't, and rather relied on a standard implementation like PGP --- do one thing and stick with it. Think of it like being a little kid lost in a shopping mall. Don't make it harder to get found.

What about NaCl? It seems more flexible than PGP but still provides a fairly high level of abstraction. Not sure what is a good library for doing PBKDF2 or similar though.

Probably the best KDF you'll get right now is scrypt[1]. NaCl did not see common adoption because until a relatively recent distribution called Sodium[2], it was not portable. And I mean really, not portable. Like, just to give an example, suppose you want to use NaCl in Node.js, which is pretty good about accepting C/C++ modules. You have two options today: one doesn't work on a 64-bit system[3] and one isn't C, it's JS which was transpiled with Emscripten[4]. I mean, don't get me wrong: the fact that we can now do this in pure JS via Emscripten is amazing, but yeah, NaCl was not universally buildable and therefore was not reliably deployable, and nobody really wanted to fix it until Sodium came along.

[1] https://www.tarsnap.com/scrypt.html

[2] https://github.com/jedisct1/libsodium

[3] https://github.com/thejh/node-nacl

[4] https://github.com/tonyg/js-nacl
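An added example, not part of any comment in this thread and not code from any project mentioned here: the PBKDF2-HMAC-SHA1 setting with 1000 iterations quoted at the top, beside scrypt, using Python's standard `hashlib`. The scrypt cost parameters, the record layout and the helper names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed parameter sets (assumptions, not any project's real configuration).
LEGACY_PBKDF2 = {"kdf": "pbkdf2-sha1", "iterations": 1000}  # the 2011 setting quoted above
SCRYPT = {"kdf": "scrypt", "n": 2**14, "r": 8, "p": 1}      # 128*n*r bytes = 16 MiB per guess


def derive(password: str, salt: bytes, params: dict, dklen: int = 32) -> bytes:
    """Derive dklen bytes from a password with the KDF named in params."""
    pw = password.encode("utf-8")
    if params["kdf"] == "pbkdf2-sha1":
        # Cost is CPU time only, so it parallelises cheaply on GPUs.
        return hashlib.pbkdf2_hmac("sha1", pw, salt, params["iterations"], dklen)
    if params["kdf"] == "scrypt":
        # Cost is CPU time and memory; maxmem is raised so OpenSSL accepts n and r.
        return hashlib.scrypt(pw, salt=salt, n=params["n"], r=params["r"],
                              p=params["p"], maxmem=64 * 1024 * 1024, dklen=dklen)
    raise ValueError("unknown KDF: %r" % params["kdf"])


def make_record(password: str, params: dict = SCRYPT) -> dict:
    """Store the parameters and a fresh random salt next to the derived key."""
    salt = os.urandom(16)
    return {"params": dict(params), "salt": salt,
            "key": derive(password, salt, params)}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    candidate = derive(password, record["salt"], record["params"])
    return hmac.compare_digest(candidate, record["key"])


def needs_upgrade(record: dict) -> bool:
    """True when a record was made with anything other than the current setting."""
    return record["params"] != SCRYPT


if __name__ == "__main__":
    old = make_record("correct horse", LEGACY_PBKDF2)  # constructed sample password
    new = make_record("correct horse")
    print(verify("correct horse", old), needs_upgrade(old))
    print(verify("correct horse", new), needs_upgrade(new))
```

Because each record carries its own parameters, a legacy PBKDF2 record still verifies and can be re-derived under scrypt the next time the user supplies the password.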