Open demhademha opened 2 years ago
Mbed TLS primarily targets environments with limited resources (microcontrollers) where memory-hard functions aren't really usable and even CPU-hard functions can only be used with a low cost factor. This type of device rarely uses passwords. As a consequence, key stretching functions are low-priority for us, and memory-hard functions even lower.
This doesn't mean we're against having those algorithms in Mbed TLS. But it means that the Mbed TLS team is very unlikely to work on the implementation. We would welcome an external contribution, but please make arrangements to ensure that we will have time to review it, as review time is currently our main bottleneck. (Higher-priority items such as SHA3 and EdDSA are still waiting on review time.)
Suggested enhancement
I think it would be useful to have the Argon2 KDF contained within mbedtls. It's the winner of the PHC and the recommendation of OWASP for new applications. There is reference code available.
Justification
Mbed TLS needs this because Argon2 is the winner of the PHC. I believe that this would be a useful key derivation function. Currently, one has to use Argon2 separately from mbedtls. Argon2 is also considered more secure than bcrypt. Currently, there are two OpenSSL pull requests which are in the process of adding Argon2, which may be useful for the implementation.