On Thu, Oct 10, 2013 at 10:29:01AM -0700, Tony Arcieri wrote:
> If you're not going to use scrypt (which I should really bug Frank about
> getting added to libsodium again) you should really use a proper KDF for
> this purpose like PBKDF2. It has a security proof among other things.
Well, Pieter told me it would be best to stick with libsodium and not
add another library dependency. This leads to 2 options: adding some 3rd
party code (like the scrypt stuff of star) directly into my codebase,
or writing my own. If I'd do the first, then I'd become the maintainer
of some crypto algorithm stuff, which is not a role I want to fill out.
And writing things like PBKDF2 is even worse.
So, I'd better like to stick with what libsodium provides, since they're the
cryptographers. Putting in a loop like I did, requires no special crypto
knowledge but solves the problem (which is, as already said not the best
of the possible solutions of course, but still better than using the
passphrase directly).
best regards,
Tom
--
PGP Key: https://www.daemon.de/txt/tom-pgp-pubkey.txt
S/Mime Cert: https://www.daemon.de/txt/tom-smime-cert.pem
Bitmessage: BM-2DAcYUx3xByfwbx2bYYxeXgq3zDscez8wC
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
_______________________________________________
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
