From 3e0c4e5064e25c1d6760b9416ff079237bca6697 Mon Sep 17 00:00:00 2001
From: Kieran
Date: Thu, 21 Sep 2023 21:39:34 +0100
Subject: [PATCH] Use scrypt instead of pbkdf2
---
 packages/system/src/encrypted.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/packages/system/src/encrypted.ts b/packages/system/src/encrypted.ts
index 772f336e..cc269a26 100644
--- a/packages/system/src/encrypted.ts
+++ b/packages/system/src/encrypted.ts
@@ -1,6 +1,6 @@
-import { pbkdf2 } from "@noble/hashes/pbkdf2";
+import { scrypt } from "@noble/hashes/scrypt";
 import { sha256 } from '@noble/hashes/sha256';
-import {hmac} from "@noble/hashes/hmac";
+import { hmac } from "@noble/hashes/hmac";
 import { bytesToHex, hexToBytes, randomBytes } from "@noble/hashes/utils";
 import { base64 } from "@scure/base";
 import { streamXOR as xchacha20 } from "@stablelib/xchacha20";
@@ -15,7 +15,7 @@ export class InvalidPinError extends Error {
 * Pin protected data
 */
 export class PinEncrypted {
- static readonly #opts = {c: 32, dkLen: 32}
+ static readonly #opts = {N: 2**20, r: 8, p: 1, dkLen: 32}
 #decrypted?: Uint8Array
 #encrypted: PinEncryptedPayload
@@ -29,7 +29,7 @@ export class PinEncrypted {
 }
 decrypt(pin: string) {
- const key = pbkdf2(sha256, pin, base64.decode(this.#encrypted.salt), PinEncrypted.#opts);
+ const key = scrypt(pin, base64.decode(this.#encrypted.salt), PinEncrypted.#opts);
 const ciphertext = base64.decode(this.#encrypted.ciphertext);
 const nonce = base64.decode(this.#encrypted.iv);
 const plaintext = xchacha20(key, nonce, ciphertext, new Uint8Array(32));
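Review bot: The new `#opts` line picks `N: 2**20, r: 8` with no comment on what that costs: scrypt needs about 128·N·r bytes, roughly 1 GiB per derivation, which as far as I know sits right at the default `maxmem` limit of @noble/hashes, and the synchronous `scrypt` call holds the thread for the whole derivation. On a memory-constrained client that may throw or stall instead of unlocking. I would document it on the field, e.g. `// scrypt cost: N=2^20, r=8, p=1 → ~1 GiB RAM per derivation; changing any value makes stored payloads undecryptable`, and check whether `scryptAsync` from the same module fits the callers. The class body continues outside the hunk.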
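Review bot: decrypt() now derives the key with scrypt unconditionally, so any payload that was stored while the class still used pbkdf2 can no longer be opened, and it will presumably surface as a wrong PIN rather than as an old format. Nothing visible in the hunk records which KDF or parameters produced a payload (PinEncryptedPayload is declared outside it). I would add a KDF tag to the payload, have the encrypt path in the last hunk write it, and let decrypt fall back to the old derivation when the tag is absent, re-encrypting after a successful legacy unlock; this needs the pbkdf2 import kept. decrypt()'s body continues past the hunk.

```typescript
  decrypt(pin: string) {
    const salt = base64.decode(this.#encrypted.salt);
    // `kdf` is a proposed payload field; payloads written before this change do not have it
    const key = this.#encrypted.kdf === "scrypt"
      ? scrypt(pin, salt, PinEncrypted.#opts)
      : pbkdf2(sha256, pin, salt, { c: 32, dkLen: 32 }); // legacy parameters, read-only path
    // … unchanged: ciphertext and nonce decoding, xchacha20 …
```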
@@ -47,7 +47,7 @@ export class PinEncrypted {
 const salt = randomBytes(24);
 const nonce = randomBytes(24);
 const plaintext = hexToBytes(content);
- const key = pbkdf2(sha256, pin, salt, PinEncrypted.#opts);
+ const key = scrypt(pin, salt, PinEncrypted.#opts);
 const mac = base64.encode(hmac(sha256, key, plaintext));
 const ciphertext = xchacha20(key, nonce, plaintext, new Uint8Array(32));
 const ret = new PinEncrypted({
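Review bot: The scrypt output in this hunk is used as one 32-byte key for both `hmac(sha256, key, plaintext)` and `xchacha20(key, …)`, and the tag is computed over the plaintext rather than the ciphertext. Since this commit already changes how the key is derived, it is a cheap moment to separate the two keys: set `dkLen: 64` and use `key.subarray(0, 32)` for the cipher and `key.subarray(32)` for the HMAC, mirrored in decrypt(). The enclosing method starts and ends outside the hunk.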