Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expose Argon2 password derivation #50

Open
haggholm opened this issue Dec 23, 2018 · 3 comments
Open

Expose Argon2 password derivation #50

haggholm opened this issue Dec 23, 2018 · 3 comments

Comments

@haggholm
Copy link

The README (very correctly) notes that you should not derive a key without running it through a strengthening function like PBKDF2, but libsodium itself already ships with one—Argon2. From brief inspection, it seems that the nacl_raw property (the WASM code?) contains this functionality, e.g. nacl_raw._crypto_pwhash_argon2id_alg_argon2id13 et al.

I’d love to create a PR, but having no experience with WASM-compiled code, I worry that a half-baked PR is more likely to either be a nuisance or a security hole; looking at nacl_cooked.js, I am guessing it isn’t a very big task…for someone who knows what they’re doing, which (alas) I here do not.

Any chance of exposing the Argon2 API?

@tonyg
Copy link
Owner

tonyg commented Dec 23, 2018

Would you be able to draft some (failing) test cases and documentation, do you think? I think then it'd be straightforward to write the wrapper stubs and get the tests to pass.

@haggholm
Copy link
Author

Thank you for the quick reply! I should make it very clear that I’m quite new to the whole setup (emscripten, wasm, and not least NaCl/libsodium itself), so I may be botching conventions quite badly, or even misusing it. In trying to piece together a solution by combining your docs (+TS bindings) and the docs at https://libsodium.gitbook.io/doc/, it seems to me that what I’m missing is what fails here:

https://github.com/haggholm/nacl-test

Since I’m just starting to look at it, I may be providing bad inputs &c., but it seems to me that it should be possible to get it and https://github.com/ranisalt/node-argon2 to generate the same output. (And I’d much rather do it through js-nacl, since as I understand it, I should be able to run the same code in Node.js and the browser.)

@tonyg
Copy link
Owner

tonyg commented Jan 15, 2019

That sounds about right. Can you make a PR that integrates with the test cases and docs (such as they are) as they stand?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants