dyne / tomb

the Crypto Undertaker
https://dyne.org/software/tomb
GNU General Public License v3.0

What is the purpose of `tomb-kdb-hexencode`? #471

Closed nerun closed 1 year ago

nerun commented 1 year ago

I noticed that none of the packages from the Debian (Buster oldstable, Buster backports and Bookworm testing) and Ubuntu (jammy at least) repositories come with the tomb-kdb-hexencode binary.

It's easy to compile, of course. And Debian Buster, Ubuntu and Mint have libgcrypt20-dev, easy to install with the virtual package: `apt install libgcrypt-dev`.

But what is the purpose of tomb-kdb-hexencode? And why does tomb, even when we use --kdf, work without it?

I am asking because I am revising extras/gtomb (again) and the forge step asks for tomb-kdb-* files (line 259). But tomb-kdb-hexencode is obviously missing. So no KDF can be used with the gtomb tool; one should use the terminal instead.

Narrat commented 1 year ago

I don't know about that, and therefore this is no clarification whatsoever. But maybe it provides some intel? I noticed this note in the README of the kdf dir:

Base64 vs hexencode
-------------------

While base64 is easier to use (shell command, more compact), pbkdf2 uses hex
in its specifications.
This could be solved with an option (-x for hex, defaults to base64).

And I interpret it that it was there to follow the spec more closely. Thinking about the age of gtomb and the argument that pbkdf is kinda dated, one may look into adopting argon2 if there is a revisit of gtomb?

Edit: To clarify further: Point being that argon2i is seen as superior and the chance is high it is available from the distribution repos or even already installed.
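As an added example (not tomb's own code) of the hex vs base64 point in the README note above: a small PBKDF2 helper that emits either encoding, checked against the RFC 6070 test vector, which the spec publishes in hex. The digest (SHA-1), salt and key length are assumptions chosen to match that vector, not tomb's actual parameters.

```python
"""Derive a PBKDF2 key and encode it as base64 (default) or hex (-x style)."""
import base64
import hashlib


def pbkdf2_encoded(passphrase: str, salt: bytes, iterations: int,
                   length: int = 20, hex_output: bool = False,
                   digest: str = "sha1") -> str:
    """Return the derived key as a string.

    hex_output=False mirrors the README's default (base64, more compact);
    hex_output=True mirrors the proposed -x option (hex, as in the spec).
    Digest/length defaults are assumptions matching RFC 6070, not tomb's.
    """
    dk = hashlib.pbkdf2_hmac(digest, passphrase.encode("utf-8"),
                             salt, iterations, dklen=length)
    return dk.hex() if hex_output else base64.b64encode(dk).decode("ascii")


def decode_key(encoded: str) -> bytes:
    """Recover the raw key bytes from either encoding.

    A key whose length is even and made only of hex digits is treated as
    hex; anything else is treated as base64. Both encodings must round-trip
    to the same bytes, which is what makes the choice purely a format one.
    """
    hexdigits = set("0123456789abcdefABCDEF")
    if len(encoded) % 2 == 0 and set(encoded) <= hexdigits:
        return bytes.fromhex(encoded)
    return base64.b64decode(encoded, validate=True)


# RFC 6070 vector #1: P="password", S="salt", c=1, dkLen=20 (given in hex).
RFC6070_VECTOR_1 = "0c60c80f961f0e71f3a9b524af6012062fe037a6"


def matches_rfc6070() -> bool:
    """True if the hex output equals the published vector and base64 round-trips."""
    hex_key = pbkdf2_encoded("password", b"salt", 1, 20, hex_output=True)
    b64_key = pbkdf2_encoded("password", b"salt", 1, 20, hex_output=False)
    return (hex_key == RFC6070_VECTOR_1
            and decode_key(b64_key) == decode_key(hex_key))


if __name__ == "__main__":
    print("hex   :", pbkdf2_encoded("password", b"salt", 1, hex_output=True))
    print("base64:", pbkdf2_encoded("password", b"salt", 1))
    print("RFC 6070 vector matches:", matches_rfc6070())
```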

nerun commented 1 year ago

Reopened it.

I agree with you. Argon2i is more up to date.

But is tomb-kdb-hexencode still used in the main code? Or does it just use Base64 by default? My PR #478 removed the tomb-kdb-hexencode check in order to use a KDF to create a key with gtomb.

Exploring extras/kdf-keys and tomb (current and old versions), it seems that tomb-kdb-hexencode was NEVER used. Apparently pbkdf2 has its own hex-encode source code inside tomb-kdf-pbkdf2*.

jaromil commented 1 year ago

Thanks for checking that. I didn't want to state something relying only on what I remember, but I can confirm that AFAIK it was never used.

nerun commented 1 year ago

Thank you @jaromil and @Narrat for all the help. I will update extras/gtomb to include argon2 as an alternative to pbkdf2.

jaromil commented 1 year ago

Beware: the addition of argon2 also affects the core tomb script, because it requires a new option in the header (first line of the key file) stating argon2 and its parameters.

Narrat commented 1 year ago

> Beware: the addition of argon2 also affects the core tomb script, because it requires a new option in the header (first line of the key file) stating argon2 and its parameters.

Shouldn't this be covered already, as tomb got argon2 support with #432?

jaromil commented 1 year ago

I forgot that I did that 😅 Perhaps because I am not yet using it in my workflow, just planning to 😅😅