*** Michael Forney [2018-03-08 22:10]:
>I'm no expert either (so follow this at your own risk), but I also did
>some investigation, and I think either of the following schemes would
>work:
>(1)

This scheme seems OK and is some kind of classical one. Simple and working.

>It's not clear to me if it's okay to use the plain crypto_argon2i with
>just a fixed secret salt. A related scheme might be to use
>crypto_argon2i_general with a salt generated for each encryption and a
>single saved key. Then, the salts could be stored as plain text in the
>output file (and probably authenticated with crypto_lock_aead).
>Perhaps one benefit is if someone somehow figured out the encryption
>key for one password, they still wouldn't be able to decrypt the
>others.

According to the manual, _general supports keyed hashing of additional
data. In your context there is no need to authenticate something
additional. So _general is useless here. You can generate a salt for each
encryption -- nothing wrong with that, but you are assuming that
an adversary could compromise your password. I assume that a single
passphrase is used to encrypt all the passwords, so different salts
won't help you here. In my opinion, different separate salts bring
nothing to security.

>(2)

Personally I do not like this setup. Anyway, all security depends on the
passphrase a human needs to input. Never use asymmetric cryptography when
you have to. Your password-encryption task obviously does not need any
kind of asymmetry.

>For (2) I'm not sure if the nonce is necessary or not, since passwords
>are encrypted with randomly generated single-use keys (so maybe a
>fixed value is sufficient; it is still only used once per key).

When keys are guaranteed to be unique and used only once (for one
encryption/decryption) -- it is safe to use a zero nonce.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF
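
The zero-nonce condition from the last paragraph of the reply, as an added example that is not part of the original message or of Monocypher: a stand-in stream cipher built from SHAKE-256 (an assumption, used only so the sketch runs with the Python standard library; it is not the cipher behind crypto_lock) shows that a fixed nonce is harmless with a fresh random key per entry and leaks the XOR of the plaintexts as soon as one key is reused. The function names and sample entries are constructed for illustration.

```python
import hashlib
import os

ZERO_NONCE = bytes(24)  # fixed all-zero nonce, 24 bytes wide


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: keystream = SHAKE-256(key || nonce).
    Encryption and decryption are the same XOR operation."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return xor(data, keystream)


def encrypt_entries(entries, fresh_key_per_entry: bool):
    """Encrypt every entry under ZERO_NONCE.
    Returns a list of (key, ciphertext) pairs."""
    shared_key = os.urandom(32)
    sealed = []
    for entry in entries:
        # Single-use random key per entry, or one key reused for all entries.
        key = os.urandom(32) if fresh_key_per_entry else shared_key
        sealed.append((key, stream_crypt(key, ZERO_NONCE, entry)))
    return sealed


def leaks_plaintext_xor(entries, sealed) -> bool:
    """True when c0 XOR c1 == p0 XOR p1, i.e. the keystream cancelled
    because the same (key, nonce) pair encrypted both entries."""
    return xor(sealed[0][1], sealed[1][1]) == xor(entries[0], entries[1])


# Constructed sample data (equal length so the XOR comparison is exact).
ENTRIES = [b"hunter2-mail-pwd", b"correct-horse-bt"]

if __name__ == "__main__":
    unique = encrypt_entries(ENTRIES, fresh_key_per_entry=True)
    reused = encrypt_entries(ENTRIES, fresh_key_per_entry=False)
    print("unique keys, zero nonce leaks:", leaks_plaintext_xor(ENTRIES, unique))
    print("reused key, zero nonce leaks: ", leaks_plaintext_xor(ENTRIES, reused))
```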
