Message-Id: <D5D02C22-94E6-42CE-807B-14C718B21F1E@goldmark.org>
Date: Fri, 14 Aug 2015 14:11:01 -0500
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Argon2 improvement thread
On 2015-08-14, at 9:12 AM, Thomas Pornin <pornin@...et.org> wrote:

>> unless you want to include generating random salts too.
>
> Oh yes I do want that.

I emphatically concur.

One of the goals of this whole project is to be able to
provide a simple recommendation to developers that does
not depend on the developer understanding things like salt.
Remember that “developer” covers the range of people
developing cryptographic systems to people coding up website
login pages in PHP.

> It is part of the deal. A simple-to-use API that
> minimizes risks of misuse would offer two functions: one for generating
> the hash _and_ the salt.
> Such an API can be implemented more or less generically around a core
> single-call API that expects the salt as parameter and outputs raw
> binary. However, I think it is important that such an API is provided
> along with the "reference" implementation, because being tagged
> "reference" will lower the probability that other people reinvent it
> poorly.

The difficulty is that the reference implementation should be as
portable as possible, but calls to a CSPRNG are system dependent.

Cheers,
-j
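
The wrapper shape discussed in this thread, sketched as an added example (not code from this message or from the Argon2 reference implementation): PBKDF2-HMAC-SHA256 from Python's standard library stands in for the core single-call function. The function names, the `$`-separated encoding, the parameter values and the presence of a verify function are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets

SCHEME = "demo-pbkdf2"      # hypothetical label, not a registered format
SALT_LEN = 16               # bytes (assumed)
OUT_LEN = 32                # bytes (assumed)
ITERATIONS = 100_000        # assumed cost for the stand-in
MAX_ITERATIONS = 1_000_000  # refuse absurd costs in stored strings


def core_hash(password: bytes, salt: bytes, iterations: int, out_len: int) -> bytes:
    """Core single-call API: caller supplies the salt, output is raw binary."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=out_len)


def hash_password(password: str) -> str:
    """Generate the salt and the hash together; the caller never handles a salt."""
    # secrets draws from the OS CSPRNG, hiding the system-dependent call.
    salt = secrets.token_bytes(SALT_LEN)
    raw = core_hash(password.encode("utf-8"), salt, ITERATIONS, OUT_LEN)
    fields = [SCHEME, str(ITERATIONS), base64.b64encode(salt).decode(),
              base64.b64encode(raw).decode()]
    return "$" + "$".join(fields)


def verify_password(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        empty, scheme, cost, salt_b64, raw_b64 = encoded.split("$")
        iterations = int(cost)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(raw_b64, validate=True)
    except ValueError:  # wrong field count, bad integer or bad base64
        return False
    if empty or scheme != SCHEME or not expected:
        return False
    if not 1 <= iterations <= MAX_ITERATIONS:
        return False
    raw = core_hash(password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(raw, expected)
```

Because the salt and cost travel inside the encoded string, the calling code stores one opaque value and cannot reuse or omit a salt by accident.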