After Scrypt, run PBKDF2-HMAC-SHA512-SHA3 for a few iterations
maxtaco opened this issue · comments
Maxwell Krohn commented
Right now, we're relying on PBKDF2-HMAC-SHA512-SHA3 as the final stage of key stretching, but that means we're vulnerable to a bug in SHA-512 leaving correlations among adjacent blocks (and thereby weakening the cipher cascade). I think the simple thing to do is a quick PBKDF2 with HMAC-SHA512 XOR HMAC-SHA3 as a finishing pass on the output of Scrypt.
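To make the proposed construction concrete, here is an added example (not code from the issue or from python-triplesec) of a generic PBKDF2 driven by the PRF HMAC-SHA512(k, m) XOR HMAC-SHA3-512(k, m), applied as a short finishing pass over Scrypt output. The Scrypt parameters, the iteration count and the salt reuse are assumptions for illustration; only the shape of the cascade (Scrypt, then a few PBKDF2 rounds with the XOR'd PRF) comes from the comment above.

```python
import hashlib
import hmac
import struct


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def prf_sha512_xor_sha3(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA512(key, msg) XOR HMAC-SHA3-512(key, msg).

    Both HMACs produce 64 bytes, so the XOR keeps the full output width.
    The intent from the issue: a weakness in one hash should not, by itself,
    correlate adjacent PBKDF2 blocks, since the other hash still masks them.
    """
    h1 = hmac.new(key, msg, hashlib.sha512).digest()
    h2 = hmac.new(key, msg, hashlib.sha3_512).digest()
    return xor_bytes(h1, h2)


def pbkdf2(prf, password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018 section 5.2) over an arbitrary PRF(key, msg) -> bytes."""
    hlen = len(prf(password, b""))
    blocks = []
    for i in range(1, -(-dklen // hlen) + 1):        # ceil(dklen / hlen) blocks
        u = prf(password, salt + struct.pack(">I", i))  # U_1 = PRF(P, S || INT(i))
        t = u
        for _ in range(iterations - 1):                  # U_j = PRF(P, U_{j-1})
            u = prf(password, u)
            t = xor_bytes(t, u)                          # T_i = U_1 ^ ... ^ U_c
        blocks.append(t)
    return b"".join(blocks)[:dklen]


def stretch_key(password: bytes, salt: bytes, finish_iters: int = 4, dklen: int = 64) -> bytes:
    """Scrypt as the memory-hard stage, then a few PBKDF2 rounds with the XOR PRF.

    Scrypt cost parameters (n=2**14, r=8, p=1) are assumed values for this
    example, not triplesec's. The same salt is reused for the finishing pass.
    """
    stage1 = hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=dklen)
    return pbkdf2(prf_sha512_xor_sha3, stage1, salt, finish_iters, dklen)


def self_check() -> bool:
    """Sanity check: with a plain HMAC-SHA256 PRF, the generic PBKDF2 above must
    match hashlib.pbkdf2_hmac bit for bit (constructed inputs)."""
    prf = lambda k, m: hmac.new(k, m, hashlib.sha256).digest()
    ours = pbkdf2(prf, b"password", b"salt", 3, 48)
    ref = hashlib.pbkdf2_hmac("sha256", b"password", b"salt", 3, 48)
    return ours == ref


if __name__ == "__main__":
    key = stretch_key(b"correct horse battery staple", b"\x00" * 16)
    print(self_check(), len(key), key.hex())
```

The `self_check` function validates the PBKDF2 core against the standard library before trusting it with a non-standard PRF; that is the check worth keeping when the PRF is swapped, since PBKDF2 itself is unchanged and only the PRF is new.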
Maxwell Krohn commented
Some progress, I implemented the KDF in keybase/python-triplesec@d8a1529