You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While the core of Portable Secret uses the W3C Web Cryptography APIs (which is great!), the specific choices of cryptography parameters matter and can drastically affect the security of the implementation. These should be called out in the README.md so they can be more easily assessed by those with enough knowledge of cryptography primitives.
Specifically, this is what I found in the source:
The secret is encrypted using a derived key, not directly with the password.
This key is 32 bytes long and derived from the password using PBKDF2 with 1,000,000 (1 million) iterations.
A 16 byte salt is used.
The derived key is configured to be non-extractable.
The derived key is used for AES-GCM.
AES and the IV use a block size of 16 bytes.
The text was updated successfully, but these errors were encountered:
While the core of Portable Secret uses the W3C Web Cryptography APIs (which is great!), the specific choices of cryptography parameters matter and can drastically affect the security of the implementation. These should be called out in the README.md so they can be more easily assessed by those with enough knowledge of cryptography primitives.
Specifically, this is what I found in the source:
The text was updated successfully, but these errors were encountered: