Hi,

On 01/15/2014 06:40 PM, Garrett Robinson wrote:
> On 01/15/2014 08:33 AM, Kurt Roeckx wrote:
>> On 2013-12-17 16:02, Stéphanie Ouillon wrote:
>> 
>> I'm confused what passwords have to do with hashes.  Do you want
>> to store hash(pass)?  This is a bad idea, please use something
>> that is designed to store passwords instead like bcrypt, scrypt
>> or PBKDF2.
> 
> Excellent point. (I assumed they wanted access to the underlying
> hash functions so they could build PBKDF2 or similar). PBKDF2 is
> implemented in CryptoUtils.js [0], along with some other
> convenience functions. I don't think this is exposed as the kind of
> API OP is looking for, but perhaps it could be.
> 
> [0] http://dxr.mozilla.org/mozilla-central/source/services/crypto/modules/utils.js
> 
> Another option would be to use JS implementations of password
> hashing functions (or Emscripten-compiled native versions of the
> same, which should get near-native performance, especially
> important for slow hash functions). For example:
> 
> * https://github.com/tonyg/js-scrypt (Emscripten-compiled)
> * https://code.google.com/p/crypto-js/ (includes PBKDF2)

I'm not sure why the people who worked before me on this started to
think about hashing. From my understanding, the point was to hash the
password, and compare hashes when unlocking the screen. So there was
no encryption involved.  There might be a performance concern or maybe
the crypto stuff in FxOS wasn't mature enough at the time, I don't
really know.

Christiane Ruetten recently released a FxOS Crypto Concept draft [1].
Using the CryptoUtils module and PBKDF2 would make absolute sense. For
that, the functions still need to be exposed as a web API. According
to the architecture taking place in FxOS, I guess this API would be part
of the Crypto Worker (which has nothing to do with WebCrypto's
WorkerCrypto).


[1]
https://docs.google.com/a/mozilla.com/document/d/13dnmH4OsJc0ItMa0Z21VJcYJBK6kIb1om4B-DJk7N2E/edit#
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
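
The approach recommended in this thread (PBKDF2 with stored parameters instead of hash(pass), compared on unlock), as an added example that is not part of the original messages or of CryptoUtils.js. It assumes Node.js's built-in `crypto` module as a stand-in for the FxOS API that was not yet exposed; the function names, record layout and iteration count are illustrative.

```javascript
// Added example: Node's crypto module stands in for the not-yet-exposed FxOS API.
const crypto = require('crypto');

const ITERATIONS = 100000; // assumed work factor; tune for the target device
const KEY_LEN = 32;
const DIGEST = 'sha256';

// What the thread warns against: a bare, unsalted hash of the passcode.
function bareHash(passcode) {
  return crypto.createHash('sha256').update(passcode, 'utf8').digest('hex');
}

// Build the record to store: the KDF parameters travel with the derived key.
function createRecord(passcode, iterations = ITERATIONS) {
  const salt = crypto.randomBytes(16);
  const key = crypto.pbkdf2Sync(passcode, salt, iterations, KEY_LEN, DIGEST);
  return { kdf: 'pbkdf2', digest: DIGEST, iterations,
           salt: salt.toString('hex'), key: key.toString('hex') };
}

// Re-derive with the stored parameters and compare in constant time.
function verifyPasscode(passcode, record) {
  if (!record || record.kdf !== 'pbkdf2') return false;
  const salt = Buffer.from(record.salt, 'hex');
  const expected = Buffer.from(record.key, 'hex');
  // Reject truncated or empty stored keys instead of comparing short buffers.
  if (expected.length !== KEY_LEN) return false;
  const actual = crypto.pbkdf2Sync(passcode, salt, record.iterations,
                                   KEY_LEN, record.digest);
  return crypto.timingSafeEqual(actual, expected);
}

// True when a record was created with a weaker work factor than the current one.
function needsUpgrade(record) {
  return record.iterations < ITERATIONS;
}

// Constructed sample: the same passcode enrolled on two devices.
const deviceA = createRecord('4821');
const deviceB = createRecord('4821');
console.log('bare hashes equal:', bareHash('4821') === bareHash('4821'));
console.log('PBKDF2 keys equal:', deviceA.key === deviceB.key);
console.log('unlock attempts:', verifyPasscode('4821', deviceA),
            verifyPasscode('4822', deviceA));
```

The bare hash of a given passcode is the same on every device, so it can be precomputed once; the salted PBKDF2 record differs per enrollment and costs the configured number of iterations per guess.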
