[guardian-dev] CacheWord Key Derivation

Nathan of Guardian nathan at guardianproject.info
Sun Mar 16 16:36:50 EDT 2014


On 03/13/2014 10:46 PM, Stephen Lombardo wrote:
> CacheWord seems like a really useful service library, and I've noticed
> that the Guardian Project is strongly advocating its use, e.g. on the
> recent NoteCipher post, WeChat announcement, and the SQLCipher Mailing
> list.  

As always, it is tricky to manage the chicken-egg aspect of a tool like
this, as we need to get feedback on its use from real developers, while
still caveatting the <1.0 nature of the library and code.

> I do have one concern with the key derivation implementation. From the
> code in PassphraseSecrets.java and Constants.java, CacheWord seems to be
> using only 100 PBKDF2 iterations on the user provided key and a raw key
> with SQLCipher. This seems lower than it should be to support production
> applications using the library on real data, weakening the default
> protections that SQLCipher provides and users have come to expect.

I know the 100 iterations value was a decision made by Abel early on,
though we also wanted it to be configurable. I am hoping he will respond
to this thread shortly, though he is in transit at the moment.

> Since many developers don't really look at low-level security details,
> they might choose to implement CacheWord with SQLCipher without
> understanding that the current builds could reduce the key derivation
> complexity by a factor of up to 640. 

Yes agreed.

> Has there been any thought given to increasing the key derivation
> iterations? It would be great to see something equivalent to the
> SQLCipher default of 64K in the near future. That would make it easier
> to recommend CacheWord without caveats about weakening overall
> solution security.

It seems quite easy to make the option configurable, and then the
developer could tune the user experience, as they wish. Any thoughts on
the performance impact that might have?

Thanks for the detailed feedback.

+n
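
One way to measure the performance impact asked about above on a given device, as an added example that is not part of the original message and is not CacheWord code. It times one derivation at the two iteration counts named in the thread and fits a count to a latency budget. The class and method names, the PBKDF2-HMAC-SHA1 choice, the 256-bit key length, the 500 ms budget and the sample passphrase are assumptions.

```java
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not CacheWord code. Class and method names are hypothetical.
public class KdfCalibration {
    // Assumption: PBKDF2-HMAC-SHA1 producing a 256-bit key.
    static final String ALGORITHM = "PBKDF2WithHmacSHA1";
    static final int KEY_BITS = 256;

    static byte[] derive(char[] passphrase, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(passphrase, salt, iterations, KEY_BITS);
        return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
    }

    // Wall-clock milliseconds for one derivation at the given iteration count.
    static double timeMs(int iterations, byte[] salt) throws Exception {
        char[] sample = "constructed sample passphrase".toCharArray();
        long start = System.nanoTime();
        derive(sample, salt, iterations);
        return (System.nanoTime() - start) / 1e6;
    }

    // Largest count that fits the latency budget on this device, never below the floor.
    static int calibrate(double targetMs, int floor, byte[] salt) throws Exception {
        timeMs(1000, salt);                        // warm-up so JIT does not skew the probe
        int probe = 20000;
        double perIteration = timeMs(probe, salt) / probe;
        long fitted = (long) (targetMs / perIteration);
        return (int) Math.max(floor, Math.min(fitted, Integer.MAX_VALUE));
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        int[] counts = {100, 64000};               // the two values from the thread
        for (int n : counts) {
            System.out.printf("%6d iterations: %.1f ms per unlock%n", n, timeMs(n, salt));
        }
        // The unlock delay and the cost of each offline guess scale by the same ratio.
        System.out.printf("guessing cost ratio: %dx%n", counts[1] / counts[0]);
        System.out.printf("iterations for a 500 ms budget: %d%n",
                calibrate(500.0, 64000, salt));
    }
}
```

The timings only mean something when taken on the slowest handset the application is expected to support.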

