Comment by d-z-m

2 years ago

> I used the parameters suggested in the documentation [1], which follow the RFC

Where in the RFC is your parameter set mentioned? I don't see it anywhere[0]. The only parameter set I see mentioned with memory requirement as low as 64 MiB have t=3, not t=1. I believe the Go documentation might be outdated.

[0]: https://datatracker.ietf.org/doc/rfc9106/

> I agree pepper confusing (because the pepper is supposedly secret), but this is not a salt either, as a salt is supposed to be public, but unique. Do you have better naming that you can suggest?

If it's tweakable at build, perhaps pepper makes more sense.

7 comments

d-z-m

Reply
ncruces  2 years ago

Yep, I just made it tweakable at build, which was always the intent, although I expect the default to be popular.

https://github.com/ncruces/go-sqlite3/blob/67d859a5/vfs/adia...

That's unfortunate about the default parameters, but note that you can also replace the KDF altogether (besides just not using it).

You just need to implement this interface, with any HBSH construction and KDF:

https://github.com/ncruces/go-sqlite3/blob/67d859a5/vfs/adia...

If you keep the HBSH and change the KDF, your file format will be “compatible.”

  • d-z-m  2 years ago

    > That's unfortunate about the default parameters, but note that you can also replace the KDF altogether (besides just not using it).

    Right...I would argue if you're going to expose it to users as an option, your parameter set should meet the minimum hardness parameter set in the RFC. Yours is falling off the bottom.

    • ncruces  2 years ago

      I don't disagree, and after some consideration and testing, will use the RFC recommendation of 3 iterations, 4 lanes, 64 MiB RAM.

      However, it's also important to take note of how the KDF is used, and what is used by comparable solutions in equivalent settings.

      For instance, the official extension, sold by the SQLite authors, uses RC4:

      “For the "-textkey" option, up to 256 bytes of the passphrase are hashed using RC4 and the hash value becomes the encryption key. Note that in this context the RC4 algorithm is being used as a hash function, not as a cryptographic function, so the fact that RC4 is a cryptographically weak algorithm is irrelevant.”

      The textkey= parameter is not really appropriate for interactive use, rather it is a convenient way for a user to specify a key in text form, as a URI parameter, without weakening it (by e.g. making NULs impossible, and reserved characters inconvenient to encode).

      If you're taking a password from a user interactively, you should really be using your own password hashing, then using hexkey=. I'll try to make this clearer in the documentation.

      4 replies →