fix(security): 2 improvements across 2 files#854
Conversation
- Security: Weak cryptographic parameters for vault/client-side encryption - Security: Potential storage of vault password in browser localStorage Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
- Security: Weak cryptographic parameters for vault/client-side encryption - Security: Potential storage of vault password in browser localStorage Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
binsky08
left a comment
binsky08
left a comment
There was a problem hiding this comment.
Can't merge this at all. The first (encryption related) issue is real but needs further investigation. The second addressed issue is not an issue in my eyes.
There was a problem hiding this comment.
Thanks for the hint.
I'll keep an eye on this. Just changing the numbers here would most likely break the app right now. Not the encryption itself, but the app logic. I'll figure out how the other project depending apps and libs are handling this right now before touching anything here.
There was a problem hiding this comment.
Well, setting a default vault with optional auto login is a "feature" and requires the vault password to be stored in defaultVaultPass. Not sure who would use that, but it's basically intended behaviour.
I am sure your changes here would break that.
So please explain the reason for the changes here, or remove them.
2 participants
Summary
fix(security): 2 improvements across 2 files
Problem
Severity:
High| File:js/app/services/encryptservice.js:L31The encryption configuration uses PBKDF iterations set to 1000 and an authentication tag size (
ts) of 64 bits for SJCL CCM mode. For a password manager context, these settings are weak by modern standards and reduce resistance against brute-force and forgery attempts.Solution
Increase KDF work factor substantially (e.g., PBKDF2 >= 100k+ iterations or migrate to Argon2/scrypt if possible), and use a 128-bit authentication tag. Re-evaluate all crypto defaults against current best practices and threat model.
Changes
js/app/services/encryptservice.js(modified)js/app/services/settingsservice.js(modified)