Closed fschwebel closed 8 years ago
In certitude/helpers/crypto.py, it is said Create an AES key from text (password); Padding is used as a countermeasure to SHA2 rainbow tables Padding before applying a SHA2 is not a secure KDF, see https://crypto.stackexchange.com/questions/9345/whats-the-most-secure-way-to-derive-a-key-from-a-password-repeatably Furthermore, the use of an authenticated encryption mode seems to be preferable since the attacker would have a decryption oracle, see http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html.
certitude/helpers/crypto.py
Create an AES key from text (password); Padding is used as a countermeasure to SHA2 rainbow tables
In
certitude/helpers/crypto.py, it is saidCreate an AES key from text (password); Padding is used as a countermeasure to SHA2 rainbow tablesPadding before applying a SHA2 is not a secure KDF, see https://crypto.stackexchange.com/questions/9345/whats-the-most-secure-way-to-derive-a-key-from-a-password-repeatably Furthermore, the use of an authenticated encryption mode seems to be preferable since the attacker would have a decryption oracle, see http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html.