campeon23 / split-fetcher

The code is a concurrent file downloader in Go that splits a file into multiple parts, downloads them in parallel, and assembles the final file, with support for ETag validation to ensure file integrity.
MIT License

Transition to Argon2 for Key Derivation #149

Closed campeon23 closed 1 year ago

campeon23 commented 1 year ago

Description: Our system currently derives keys using PBKDF2 combined with SHA-256. While this method remains secure, Argon2 has emerged as a more resilient algorithm, especially against GPU-based attacks.

Recommendation: Shift to Argon2 for password hashing to enhance overall security.

Example Fix: Using Go's golang.org/x/crypto/argon2 package:

package main

import "golang.org/x/crypto/argon2"

func main() {
	password := []byte("userpassword")
	salt := []byte("somesalt") // placeholder only: use a fresh random 16-byte salt per password
	// Argon2id with time=1, memory=64 MiB, threads=4, 32-byte output key
	key := argon2.IDKey(password, salt, 1, 64*1024, 4, 32)
	_ = key
}

Acceptance Criteria:

  • Implement Argon2 as the key derivation function.
  • Adjust any dependent functions or methods.
  • Update tests to accommodate the changes.
  • Document the benefits and reasons for this migration.

Severity Level: Medium

campeon23 commented 1 year ago

Changes have been successfully implemented. Argon2 is now integrated as our primary key derivation function, replacing our former approach. All related functionalities have been duly adjusted for this transition. Updated tests confirm the seamless integration of Argon2. The accompanying documentation has been enriched, detailing the reasons for this strategic shift and emphasizing the enhanced security and performance gains with Argon2. Thank you for the collaborative efforts in making this integration successful.