argon2-browser VS draft-irtf-cfrg-opaque

It works by the way on CLI and mobile, and mobile is especially slow on some low-end android devices. It *should* also be possible to make parallelism work for the WebAssembly version, but for some reason the issues with threading were never ironed out. I'm not sure whether it's worth investigating that, or to just add SIMD support where possible, and wait for webcrypto to add argon2.

> So a project like this? https://github.com/antelle/argon2-browser

Notice how they don't provide any benchmarks that aren't Native or WASM?

https://soatok.blog/2022/12/29/what-we-do-in-the-etc-shadow-...

This doesn't help iOS users in Lockdown mode. It may also break for users who run their OS in FIPS mode.

Ideally I'd like to use something like of argon2 to derive my key because that's the de facto best algorithm for the purpose. There are a few WASM ports of it but they don't seem maintained and they don't play nice with the bundler I'm using.

> is there really fast enough implementations available to the browser

Browsers have pretty good support for surfacing native code SHA family hash functions which you can use to speed up PBKDF2. It's called the Web Crypto API and it's available even in Internet Explorer 11. [1]

If you're willing to drop support for IE11 and older phones like the iPhone 4S, then you get access to WebAssembly. With WASM you can get a bunch of custom algorithms to be quite fast. The Argon2 browser WASM library claims to be only about 10x slower than optimized native code. [2]

It's not perfect, but it isn't as bad as it used to be with just pure JavaScript.

--

[1] https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_...

[2] https://github.com/antelle/argon2-browser

This can naturally be combined with login authentication using https://cfrg.github.io/draft-irtf-cfrg-opaque/draft-irtf-cfrg-opaque.html which also stores an encrypted blob on the server in a similar fashion, and that avoids ever sending user passwords to server.

When I was doing some research into building an app that encrypted data similar to these cloud password managers, I encountered OPAQUE[1] which seems to be the ideal way to perform authentication and securing a master encryption key. It is an asymmetric PAKE that also has a step for providing a salt. This removes the need to do what LastPass does with treating the first hash as a password. There is a great article from Cloudflare on how it works[2], and a working implementation of the spec in rust[3].

[1]: https://github.com/cfrg/draft-irtf-cfrg-opaque

[2]: https://blog.cloudflare.com/opaque-oblivious-passwords/

[3]: https://github.com/novifinancial/opaque-ke