Skip to content

Commit

Permalink
Parameterize and lower bcrypt cost
Browse files Browse the repository at this point in the history
  • Loading branch information
ethanfrey committed Oct 24, 2017
1 parent 0a5b1d9 commit dfc4cdd
Showing 1 changed file with 16 additions and 2 deletions.
18 changes: 16 additions & 2 deletions keys/cryptostore/encoder.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,20 @@ import (
"github.com/tendermint/go-crypto/bcrypt"
)

const (
// BcryptCost is as parameter to increase the resistance of the
// encoded keys to brute force password guessing
//
// Jae: 14 is good today (2016)
//
// Ethan: loading the key (at each signing) takes a second on my desktop,
// this is hard for laptops and deadly for mobile. You can raise it again,
// but for now, I will make this usable
//
// TODO: review value
BCryptCost = 12
)

var (
// SecretBox uses the algorithm from NaCL to store secrets securely
SecretBox Encoder = secretbox{}
Expand All @@ -30,7 +44,7 @@ func (e secretbox) Encrypt(privKey crypto.PrivKey, passphrase string) (saltBytes
}

saltBytes = crypto.CRandBytes(16)
key, err := bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), 14) // TODO parameterize. 14 is good today (2016)
key, err := bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), BCryptCost)
if err != nil {
return nil, nil, errors.Wrap(err, "Couldn't generate bcrypt key from passphrase.")
}
Expand All @@ -44,7 +58,7 @@ func (e secretbox) Decrypt(saltBytes []byte, encBytes []byte, passphrase string)
// NOTE: Some keys weren't encrypted with a passphrase and hence we have the conditional
if passphrase != "" {
var key []byte
key, err = bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), 14) // TODO parameterize. 14 is good today (2016)
key, err = bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), BCryptCost)
if err != nil {
return crypto.PrivKey{}, errors.Wrap(err, "Invalid Passphrase")
}
Expand Down

0 comments on commit dfc4cdd

Please sign in to comment.