Open LeftyBC opened 9 years ago
It might be useful to have scrypt give you the 48 bytes you need for AES-256-CTR with HMAC-SHA-256, or just 32 bytes for AES-256-GCM.
Will CTR mode work for multiparty systems? Would all parties need to agree on the counter, or is it stored within the message somehow?
With CTR you generally generate a random counter that you can prepend to the message (inside the MAC). This does add 16 bytes of overhead, but it's the most robust way.
Currently we use PBKDF2 to derive the AES key for encryption/decryption.
A better alternative would be scrypt, or the HKDF from whatever HMAC function we end up choosing.
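The three derivation routes mentioned in this thread (PBKDF2 as used today, scrypt, and HKDF over HMAC-SHA-256) and the "random counter prepended, inside the MAC" framing side by side, as an added stdlib-only Python illustration that is not this project's code. Assumptions: the 48 bytes are split into a 32-byte AES-256 key and a 16-byte HMAC key; the scrypt and PBKDF2 cost parameters are constructed placeholders; and the AES-CTR step itself is left to the project's cipher library, so `seal`/`open_sealed` take an already-encrypted CTR body and only show what the tag must cover.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Cost parameters are constructed placeholders, not the project's settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
PBKDF2_ITERATIONS = 100_000

KEY_MATERIAL_LEN = 48   # 32-byte AES-256 key + 16-byte HMAC key (assumed split)
ENC_KEY_LEN = 32
NONCE_LEN = 16          # one AES block: the random initial counter block
TAG_LEN = 32            # full HMAC-SHA-256 output


def derive_pbkdf2(password: bytes, salt: bytes) -> bytes:
    """The thread's current approach: PBKDF2-HMAC-SHA-256 stretched to 48 bytes."""
    return hashlib.pbkdf2_hmac("sha256", password, salt,
                               PBKDF2_ITERATIONS, dklen=KEY_MATERIAL_LEN)


def derive_scrypt(password: bytes, salt: bytes) -> bytes:
    """Proposed alternative: memory-hard scrypt producing the same 48 bytes."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=64 * 1024 * 1024, dklen=KEY_MATERIAL_LEN)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA-256: extract a PRK from ikm, then expand.

    This is the right tool once you already hold high-entropy key material
    (e.g. a shared secret); for passwords, use scrypt/PBKDF2 first.
    """
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 can expand to at most 255 * 32 bytes")
    if not salt:
        salt = bytes(32)  # RFC 5869: zero-filled salt of HashLen when absent
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def split_keys(material: bytes) -> tuple[bytes, bytes]:
    """Split 48 bytes of key material into (aes_key, mac_key) under the assumed layout."""
    if len(material) != KEY_MATERIAL_LEN:
        raise ValueError("expected %d bytes of key material" % KEY_MATERIAL_LEN)
    return material[:ENC_KEY_LEN], material[ENC_KEY_LEN:]


def seal(mac_key: bytes, ciphertext: bytes, nonce: bytes | None = None) -> bytes:
    """Frame a CTR ciphertext as nonce || ciphertext || tag, the tag covering the nonce.

    A fresh random nonce per message means no party has to agree on a counter
    in advance; binding it under the MAC stops an attacker from swapping it.
    """
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be one AES block")
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def verify_tag(mac_key: bytes, blob: bytes) -> bool:
    """Constant-time check of the trailing tag over nonce || ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def open_sealed(mac_key: bytes, blob: bytes) -> tuple[bytes, bytes]:
    """Return (nonce, ciphertext) only after the tag verifies; never decrypt first."""
    if not verify_tag(mac_key, blob):
        raise ValueError("authentication failed")
    body = blob[:-TAG_LEN]
    return body[:NONCE_LEN], body[NONCE_LEN:]


if __name__ == "__main__":
    salt = os.urandom(16)
    aes_key, mac_key = split_keys(derive_scrypt(b"constructed passphrase", salt))
    # A real AES-256-CTR ciphertext would be produced from aes_key here; the
    # framing below is independent of how the ciphertext bytes were made.
    framed = seal(mac_key, b"\x00" * 32)
    print("nonce/ct/tag lengths:", NONCE_LEN, len(framed) - NONCE_LEN - TAG_LEN, TAG_LEN)
    print("verifies:", verify_tag(mac_key, framed))
```

Keep the MAC over `nonce || ciphertext` (encrypt-then-MAC) and verify before any decryption; the per-message nonce is what makes this work for multiple senders without a shared counter, at the 16-byte overhead the thread mentions.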