scrypt
phc-winner-argon2
scrypt | phc-winner-argon2 | |
---|---|---|
15 | 14 | |
460 | 4,656 | |
0.7% | 0.7% | |
7.0 | 0.0 | |
26 days ago | about 2 months ago | |
C | C | |
GNU General Public License v3.0 or later | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
scrypt
-
Looking for file encryption method? (In order to upload cloud)
Check out the scrypt encryption tool.
-
A warning to always remember that Obsidian Sync is potentially dangerous
Given that the encryption algorithm is open source (https://github.com/Tarsnap/scrypt) can you try to explain what you mean here?
-
OpenSSL and a rookie (me)
I wouldn't use OpenSSL personally. If you just need simple but secure symmetric encryption, checkout the scrypt(1) encryption utility from Tarsnap. If you need support for public keys, check out age(1).
- Ask HN: What does everyone use for encrypting their personal stuff?
- Intel and AMD CPUs vulnerable to a new speculative execution attack (RETBLEED)
-
What is the best encryption for files?
scrypt if you strictly only need symmetric encryption.
-
Litecoin 😎
^ "scrypt page on the Tarsnap website". Retrieved 21 January 2014.
-
Ask HN: Where to ask for feedback about a cryptography related tool
First of all I know that "implementing your own cryptography is bad". However, at some point, one does stumble upon a use-case that is not (well) covered by existing tools.
Now, assuming one has already done his due-diligence and has read (and hopefully understood at least the main ideas of) cryptography related articles / posts / etc. (especially in the area pertaining to what one wants to build), and thus we can assume one is not a complete newbie in this mater, however, nor is he an expert. Basically we can assume he is an "amateur".
Where would one go with his design to ask for feedback about it, in the hope to at least eliminate some weaknesses that one (as a non expert) might have overlooked. (I'm not speaking here about "proofs" or "audits".)
----
More specifically ---- but please let's not get into this right now, this being just an example ---- I'm trying to implement something similar to `scrypt` (the encryption utility, that uses the `scrypt` PBKDF, ) or `age` (), as a replacement to my current solution that relies on GnuPG.
- Hat.sh V2 release - simple, fast, secure client-side file encryption.
-
Audacity Is Now A Possible Spyware, Remove It ASAP
It entirely does and that's exactly my point. Most "hashes" are designed to be fast, for data validation/checking whatever. For securing data (passwords, anonymisation, etc) you want a "hash" to be as slow as possible. Scrypt for example is designed to be extremely slow and use much memory (making GPU-based parallelisation useless and driving up the cost of CPU-based work). The default settings for five-second hashes changes their 18 hour estimate to a bit over two years... and that's assuming you don't turn it up further.
phc-winner-argon2
- Argon2 Password Hashing Utility
- User tool to use Argon2 ideally Argon2id
-
PSA: upgrade your LUKS key derivation function
Argon2, and it's derivations, are all memory hard. Beyond that, why change from 2i to 2id?
-
Why Argon2d and not Argon2id?
''Even though https://github.com/p-h-c/phc-winner-argon2 was standardized only somewhat recently, it is the result of the https://password-hashing.net/ and was a late re-design of Argon which also picked up ideas from a few other finalists. Since then there have been attacks on it, which caused the scheme to be tweaked to counter them better, this is why we have Argon2 v1.3 as the most current version, you may want to note that most of these attacks mostly weakened Argon2i and not Argon2d. Now during the competition results came up that your defense against time-memory trade-off attacks will suffer if you make sure that your scheme is immune to the various kinds of side-channel attacks that people have come up with (which also includes more "crazy" stuff like leaked intermediate state). Because of this, it was decided that there should be two versions: Argon2i and Argon2d. One offering the best possible protection while trying its best to be immune against side-channel attacks (by using data- and password-independent memory access patterns) and the other dropping these requirements and all-out optimizing against such attacks (by using data- and possibly password-dependent memory access patterns). Argon2d offers better protection than Argon2i at the expense of being more vulnerable to side-channel attacks. Now you have to ask yourself: Do these apply? No, not really. You said that you are on Android, which is not exactly known for high platform security, so if you have an attacker in such a privileged position to execute something like cache-timing attacks or similar attacks that try to exploit memory access patterns, your user has already much bigger problems anyways. It's a similar logic as with AES: https://en.wikipedia.org/wiki/Advanced\_Encryption\_Standard#Side-channel\_attacks, but these have never been observed in the wild, probably because other options are much easier, more reliable and equally as effective. So the conclusion is: You want to use Argon2d. So for whom is Argon2i? People who need to run applications on shared hardware or where timing attacks are a real thread. For example if you run a webserver in a public cloud on shared hardware. Then you have to be worried about who else is on the same CPU. And with webservers it's also easier to measure the timing of reactions and trying to deduce information from that."
-
The forgotten mistake that killed Japan’s software industry
And if you don't like my code you should take a look at the reference implementation.
-
Can't find documentation for C library, openssl for hashing.
AFAIK, Argon2 is the algorithm that's currently recommended for this. OpenSSL doesn't have support for it, so I'd recommend using the Argon2 reference implementation instead.
-
Which argon2 crate to use?
Which one should I use in terms of performance/standards? How about their performances comparing to the c implementation, https://github.com/P-H-C/phc-winner-argon2?
-
Is anyone aware of an argon2/argon2id javascript implementation that will work in both NodeJS and the beowser and produce the same hashes?
Did you try the Argon2 test vectors on each? They should all come out the same for both implementations, any implementation that doesn't match the test vectors is buggy.
-
Intel and AMD CPUs vulnerable to a new speculative execution attack (RETBLEED)
> Is there anything stronger than blowfish?
I think you mean bcrypt..
Both Argon2 and scrypt win over that:
https://github.com/P-H-C/phc-winner-argon2
-
The entirety of Twitch has reportedly been leaked (Source codes and user payouts among the data) | VGC
Here is the documentation for Argon2 to see why and how it's different, also why it won an award: https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
What are some alternatives?
age - A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
orion - Usable, easy and safe pure-Rust crypto
GpgFrontend - A free, open-source, robust yet user-friendly, compact and cross-platform tool for OpenPGP encryption. It stands out as an exceptional GUI frontend for the modern GnuPG (gpg).
orion - Usable, easy and safe pure-Rust crypto [Moved to: https://github.com/orion-rs/orion]
hat.sh - Encrypt and Decrypt files securely in your browser.
PyNacl - Python binding to the Networking and Cryptography (NaCl) library
serve - Static file serving and directory listing
react-idle-timer - User activity timer component
PrismJS - Lightweight, robust, elegant syntax highlighting.
browserify - browser-side require() the node.js way
securefs - Filesystem in userspace (FUSE) with transparent authenticated encryption
libsodium.js - libsodium compiled to Webassembly and pure JavaScript, with convenient wrappers.