Open bakkot opened 3 years ago
Hi :wave: Personally, I definitely agree. It's unfortunate that, if developers are going by what's available in Web Crypto, that they're led to choose PBKDF2. If there is implementer interest for this, it would be nice to add a more modern alternative to the spec indeed.
IMO, it'd make the most sense to add Argon2, as it's the most modern of the three, and https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/ seems quite far along.
Key derivation functions somewhat stand out in Web Crypto as one of the few algorithms that don't have any application in TLS (usually one of the main drivers behind implementing crypto in a browser). However, web apps of course have different needs than TLS does. So for those web apps that need a KDF, it would be great to add a more modern one indeed.
I definitely agree on the need for supporting something other than pbkdf2
.
I'm under the impression, but without having any data, that scrypt
is deployed at a much larger scale than argon2
and that it might be worth getting it included first. Scrypt already has an informational RFC, and from a security perspective has been proven to be maximally memory-hard.
So I think that Scrypt would be a better candidate shorter-term, and then add argon2
once the RFC has been finalised at the CFRG.
The Argon2 RFC has been finalized: https://datatracker.ietf.org/doc/html/rfc9106.
I've opened an issue in WICG/proposals, per https://github.com/w3c/webcrypto/issues/280#issuecomment-1151509624.
pbkdf2
is getting rather old. While it's still acceptable, society as a whole has put quite a lot of work into fast hardware for computing SHA-256 in the past decade. For this reason it is no longer the default recommendation. Specifically, as I understand it,bcrypt
andscrypt
are the standard boring choices these days (withargon2
sometimes showing up).Cite: the "password handling" section of this essay gives the right answers for password handling as
It would be nice if the web platform exposed something other than the "if nothing else is available" option.