Notes on weak crypto #20
Description
Some notes on chosen algorithms and parameters
- recommended to use 10k iterations for PBKDF2 in 2016, 128 is being used here.
- we might want to use Twofish instead of Blowfish.
- if we don't apply the KDF to the encryption key an attacker can brute force the encryption algorithm easily for weaker keys (< 9 characters).
I'm using SCrypt with 65k iterations and it takes 1-3 seconds to authenticate from fastest to slowest device. I recommend that you try and tune PBKDF2 on some devices.
If you store the salt of the master password, you don't need to store the hash of it. Then you can use the derived key as the encryption key. If you want to add fingerprint encryption later - you can store the masters hash encrypted with a key from the TEE that is protected by the users fingerprint. This is much faster than applying the KDF on the master but requires a fingerprint sensor.
Take a look at my project if you want, it's written in Kotlin.