PBKDF2 iterations #448
Replies: 2 comments
I think we should increase it. I do not remember the reasoning for the current number, as it was around 6 months ago; I am not even sure there was a reason. Let us increase it to the same as Bitwarden. Appreciated!
Could you tell me what moved you to implement AES256? I was wondering what the benefit would be, considering:
I'm not saying your new implementation is bad, I simply don't know and I'm not in a position to judge that. What I'm saying is that I got the idea that using NaCl covers a lot of potential design mistakes that can cause problems and as such can be better than using your own AES256 based implementation. It is unlikely that this project will be audited properly, so I'm not sure if the latter is the wisest decision, especially if you're already coming from a NaCl implementation. Again, I'm no crypto expert, I'm just applying to this project what I've read from people who actually know what they're talking about.
With the new implementation for encryption, the number of PBKDF2 iterations is set to a very low number. To paint a picture, already in Feb 2023, Bitwarden increased the default to 600,000, as recommended by OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
Even the OWASP recommendations are likely to be very conservative.
I am not a cryptography expert in any way, but are you sure that - especially in this configuration - the change is an upgrade security-wise, or even on par with the previous implementation for that matter?
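An added example of the point the post makes, not code from the project (the thread does not show its implementation): PBKDF2's cost to an offline guesser is linear in the iteration count, so the count has to be stored with each record and raised over time rather than baked in. The script below uses Python's `hashlib.pbkdf2_hmac`; the `pbkdf2-sha256$<iterations>$<salt>$<key>` record format and the password are constructed for the example. It verifies a record, flags one whose count is under the OWASP minimum cited in the post, re-derives it at login (the only moment the plaintext password is available), and measures what one guess costs at a low count versus 600,000 iterations.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Current OWASP Password Storage Cheat Sheet minimum iteration counts for
# PBKDF2, keyed by the HMAC hash. The SHA-256 figure is the one cited in the post.
OWASP_MIN_ITERATIONS = {"sha1": 1_300_000, "sha256": 600_000, "sha512": 210_000}

HASH_NAME = "sha256"
SALT_LEN = 16   # bytes of random salt per record
KEY_LEN = 32    # bytes of derived key


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with an explicit iteration count (hashlib delegates to OpenSSL)."""
    if iterations < 1:
        raise ValueError("iterations must be a positive integer")
    if len(salt) < SALT_LEN:
        raise ValueError(f"salt must be at least {SALT_LEN} bytes")
    return hashlib.pbkdf2_hmac(HASH_NAME, password, salt, iterations, dklen=KEY_LEN)


def make_record(password: bytes, iterations: int, salt: Optional[bytes] = None) -> str:
    """Store the iteration count and salt next to the key so the policy can change later.

    Record format (an assumption of this example): pbkdf2-sha256$<iterations>$<salt hex>$<key hex>
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = derive_key(password, salt, iterations)
    return f"pbkdf2-{HASH_NAME}${iterations}${salt.hex()}${key.hex()}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a record into (iterations, salt, key); reject unknown schemes."""
    scheme, iterations, salt_hex, key_hex = record.split("$")
    if scheme != f"pbkdf2-{HASH_NAME}":
        raise ValueError(f"unsupported scheme {scheme!r}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify(password: bytes, record: str) -> bool:
    """Re-derive with the record's own parameters and compare in constant time."""
    iterations, salt, key = parse_record(record)
    return hmac.compare_digest(derive_key(password, salt, iterations), key)


def needs_upgrade(record: str, minimum: int = OWASP_MIN_ITERATIONS[HASH_NAME]) -> bool:
    """True when the stored record uses fewer iterations than the current policy."""
    iterations, _, _ = parse_record(record)
    return iterations < minimum


def verify_and_upgrade(password: bytes, record: str,
                       minimum: int = OWASP_MIN_ITERATIONS[HASH_NAME]) -> Tuple[bool, str]:
    """Verify the password; on success, return a record re-derived at the policy minimum
    when the stored one is below it. The plaintext is only in hand at login/unlock,
    so that is the only point at which an iteration-count increase can be applied."""
    if not verify(password, record):
        return False, record
    if needs_upgrade(record, minimum):
        return True, make_record(password, minimum)  # fresh salt, new count
    return True, record


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Single-core cost of one derivation. A guesser's effort scales linearly with the
    iteration count, which is why a 'very low' count weakens the whole scheme."""
    salt = b"\x00" * SALT_LEN  # constructed, fixed salt: only the timing matters here
    start = time.perf_counter()
    for i in range(samples):
        derive_key(b"guess-%d" % i, salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed example: a record written with a low count, then upgraded at login.
    old = make_record(b"correct horse battery staple", iterations=1_000)
    ok, new = verify_and_upgrade(b"correct horse battery staple", old)
    print("verified:", ok, "upgraded:", needs_upgrade(old) and not needs_upgrade(new))
    for n in (1_000, OWASP_MIN_ITERATIONS[HASH_NAME]):
        print(f"{n:>9} iterations: {seconds_per_guess(n):.4f} s per guess")
```

The ratio between the two timings printed at the end is the attacker's work-factor gain from raising the count; because the count travels inside each record, old records keep verifying and are upgraded transparently the next time their owner unlocks.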