Comments (12)
I'm open to the idea, but I have a couple of serious concerns:
- Scrypt is a memory-hard alternative to PBKDF2 which could easily open up an out-of-memory attack vector if it's used on web servers, as credential is intended to be used.
- Scrypt also appears to be the subject of far less academic research, which in the security world means that there is a greater chance of unknown vulnerabilities and undiscovered exploits.
from credential.
I have to admit that I am not a security expert. I just wanted to raise the idea since I read a little about it in Twitter discussions and about Marco Arment choosing scrypt in favor of PBKDF2.
@dilvie your reasons seem very reasonable. That is why I really like your library!
from credential.
Yeah, I took a close look at both scrypt and bcrypt to see if I should include support by default, but I was unable to find implementations with broad use and rigorous tests, and neither algorithm is as well researched as PBKDF2. I want to make it dead simple for developers to make a relatively secure choice. Sometimes that means we should make the most trustworthy choice the only choice... at least until more support surfaces for alternatives.
from credential.
For ease of reference, here is the seminal OpenBSD paper on bcrypt:
http://www.openbsd.org/papers/bcrypt-paper.pdf
from credential.
According to OWASP, PBKDF2 is the only algorithm that qualifies for FIPS certification.
I think that rules the others out for now. I don't want to complicate matters by making people choose if the only available choices are less secure.
from credential.
While PBKDF2 may be the only algorithm qualifying for FIPS certification, I am personally wary of hanging any hat on FIPS as a measure of security, per se.
To quote Ted Unangst's post "The future (or lack thereof) of LibreSSL's FIPS Object Module":
[FIPS is] widely recognized as a worthless checkbox.
...
Note that FIPS mode isn’t just worthless, it’s actively harmful. It creates perverse incentives that lead to a toxic development process where necessary work doesn’t happen and unnecessary work does.
Which is not to say that FIPS compliance is not valuable - just that the value is orthogonal (and some argue detrimental) to security.
One take-away from this might be to make sure the API is extensible, to support bcrypt or scrypt or another algorithm as a plugin, without having to modify the credential code.
Just a thought. :)
Cheers
from credential.
Which is not to say that FIPS compliance is not valuable - just that the value is orthogonal (and some argue detrimental) to security.
Noted. I agree with that view, but in this case, the FIPS requirement does reflect the consensus of the security community as far as I'm aware. PBKDF2 is very battle-hardened and well researched, and OWASP specifically ranked those recommendations.
One take-away from this might be to make sure the API is extensible, to support bcrypt or scrypt or another algorithm as a plugin, without having to modify the credential code.
That would be ideal. Is this even possible? They don't all take the same set of parameters. Would we need to expose a lower level API for algorithms? You may notice if you read the source that I did have swapping algorithms in mind when I wrote it. =)
I just haven't taken the time to try to do it, yet. I'm definitely open to a pull request if it doesn't weaken the security. You really have to be careful about opening up new attack vectors when you increase the surface area of the API...
from credential.
Just another quick link to crypto.SO for ease-of-reference:
Bcrypt has the best kind of repute that can be achieved for a cryptographic algorithm: it has been around for quite some time, used quite widely, "attracted attention", and yet remains unbroken to date.
Bcrypt is regarded as being more costly to attack because it is less susceptible to GPU & FPGA optimizations (which speed up SHA-* computations by orders of magnitude, and these are the basis for PBKDF2). There are no equivalent hardware based optimizations for Blowfish, which serves as the basis for bcrypt. Blowfish however, unlike SHA-256, has never been evaluated by NIST.
from credential.
I am aware of GPU and FPGA attacks on PBKDF2, however, if memory serves, Blowfish can be accelerated by large memory arrays which can also be built for less than $2k with current hardware. Am I mistaken in that belief?
from credential.
A little more info on hardware acceleration for cryptography. Looks like, essentially, hardware reduction of the need for DMA transfers can dramatically improve Blowfish attack speeds.
from credential.
Great question. I recalled Blowfish being faster with larger memory space, but I do not know - but would love to see - some comparisons. I have a suspicion that Blowfish is still substantially slower/more expensive than SHA-*, but it would be great to see hard numbers.
from credential.
Agreed. =)
from credential.