xavierleroy/cryptokit

providing a password hashing scheme / KDF would be nice

Opened this issue · 8 comments

I could do this, but I'd suggest a generic KDF interface + an argon2 implementation, not scrypt.
@xavierleroy is it OK to dynamically link against argon2 reference implementation?

@janilcgarcia apparently Xavier likes https://en.wikipedia.org/wiki/PBKDF2.
I don't know if this is the one that won the password hashing competition though.

PBKDF2 is the only KDF algorithm I know, just because it is widely used, but I make no claim that it is the best. For me it's hard to know which KDF (or KDFs plural if absolutely necessary) Cryptokit should support.

Apparently, Argon2 won a password hashing open competition:
https://password-hashing.net/

@hannesm might have an opinion

So, I think we need a generic interface for those. PBKDF2 runs everywhere but everyone should be migrating towards Argon2 now.

I'm afraid I'm not enough of an OCaml wizard to say what a good interface that covers the parameters for the two would look like, considering Argon2's parameters are extremely different from PBKDF2's.
If you guys need the parameters for both of them, PBKDF2 needs a MAC function and the number of iterations. Argon2 needs the variant to use (i, d or id), the memory cost (in KiB), time cost (in number of iterations) and parallelism.

As for other possible implementations, there are bcrypt and scrypt, but I'm not sure how relevant these are nowadays.
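For reference, here is PBKDF2 (RFC 8018, section 5.2) written against exactly the two inputs the comment above names for it, a MAC and an iteration count. This is an added example for this thread, not Cryptokit code: the MACs come from Python's `hmac`/`hashlib` rather than Cryptokit's `MAC` module, and the `Mac`, `hmac_prf`, `pbkdf2` and `verify` names are mine. Argon2 is not implemented here; its variant/memory/time/parallelism parameters do not map onto this shape, which is the interface problem the thread is discussing.

```python
"""PBKDF2 over a generic MAC (RFC 8018, section 5.2).

Added example for the cryptokit issue thread; not part of Cryptokit.
The only algorithm-specific inputs are the MAC and the iteration count,
matching how the comment above describes PBKDF2's parameters.
"""
import hashlib
import hmac
import struct
from typing import Callable

# A MAC here is anything mapping (key, message) -> fixed-length tag.
Mac = Callable[[bytes, bytes], bytes]


def hmac_prf(digest: str) -> Mac:
    """Build an HMAC-based PRF over the named hash ('sha1', 'sha256', ...)."""
    return lambda key, msg: hmac.new(key, msg, digest).digest()


def pbkdf2(prf: Mac, password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Derive dklen bytes from password and salt with the given PRF."""
    if iterations < 1:
        raise ValueError("iteration count must be >= 1")
    hlen = len(prf(b"", b""))  # output length of the MAC
    if dklen > (2**32 - 1) * hlen:
        raise ValueError("derived key too long")  # RFC 8018 limit on block count
    out = bytearray()
    block = 1
    while len(out) < dklen:
        # U_1 = PRF(P, S || INT_32_BE(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
        u = prf(password, salt + struct.pack(">I", block))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = prf(password, u)
            for j in range(hlen):
                t[j] ^= u[j]
        out += t
        block += 1
    return bytes(out[:dklen])


def verify(prf: Mac, password: bytes, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Recompute and compare in constant time, so checking a stored derived key
    does not leak the position of the first mismatching byte."""
    derived = pbkdf2(prf, password, salt, iterations, len(expected))
    return hmac.compare_digest(derived, expected)


# Published test vector from RFC 6070: PBKDF2-HMAC-SHA1, P="password", S="salt", c=1, dkLen=20.
RFC6070_C1 = bytes.fromhex("0c60c80f961f0e71f3a9b524af6012062fe037a6")


def rfc6070_check() -> bool:
    """True if this implementation reproduces the RFC 6070 c=1 vector."""
    return pbkdf2(hmac_prf("sha1"), b"password", b"salt", 1, 20) == RFC6070_C1


def matches_hashlib(digest: str, password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check against the standard library, including multi-block outputs (dklen > hlen)."""
    ours = pbkdf2(hmac_prf(digest), password, salt, iterations, dklen)
    return ours == hashlib.pbkdf2_hmac(digest, password, salt, iterations, dklen)


if __name__ == "__main__":
    # Constructed sample inputs; the salt would normally be random per password.
    assert rfc6070_check()
    assert matches_hashlib("sha256", b"passwd", b"salt", 4096, 64)
    stored = pbkdf2(hmac_prf("sha256"), b"correct horse", b"\x00" * 16, 100_000, 32)
    print("verify ok:", verify(hmac_prf("sha256"), b"correct horse", b"\x00" * 16, 100_000, stored))
```

Swapping the PRF is the whole extent of PBKDF2's configurability, which is why it fits a "MAC plus iteration count" interface and Argon2 does not.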

I am also not a crypto expert.
I have read good things about scrypt in the past:
https://www.tarsnap.com/scrypt.html
"We estimate that on modern (2009) hardware, if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against PBKDF2."