@bascule how can one actually use scrypt and rbnacl to verify if an entered password is correct?
@Asmod4n if you just want to validate the password, you can check it derived the same secret
@bascule yeah, which means storing the secret unencrypted, which is like storing the password unencrypted :<
@Asmod4n the work scrypt does is hard to reverse/brute-force
@bascule so it's ok to store the secret_key unencrypted for a RbNaCl::SimpleBox? oO
@Asmod4n if you're actually using scrypt as a KDF but want to know you have the right key, you could hash the derived key and check that
@bascule Oh, yes! That should also be good against timing attacks :)
@Asmod4n I'm doing something similar in https://github.com/cryptosphere/confusion … but using PBKDF2 so I have JRuby support
@bascule looked through it, private keys as URL params :?
@Asmod4n yeah, the goal is to represent as much as possible as URIs