From 87badb090ff941c5359b4017705f67976e8c3ca2 Mon Sep 17 00:00:00 2001
From: Ethan Buchman
Date: Fri, 27 Oct 2017 21:58:02 -0400
Subject: [PATCH] Revert "Parameterize and lower bcrypt cost"

This reverts commit dfc4cdd2d71513e4a9922d679c74f36357c4c862.
---
 keys/cryptostore/encoder.go | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)

diff --git a/keys/cryptostore/encoder.go b/keys/cryptostore/encoder.go
index 99241f1b7..31f49c3f7 100644
--- a/keys/cryptostore/encoder.go
+++ b/keys/cryptostore/encoder.go
@@ -7,20 +7,6 @@ import (
 "github.com/tendermint/go-crypto/bcrypt"
 )
 
-const (
- // BcryptCost is as parameter to increase the resistance of the
- // encoded keys to brute force password guessing
- //
- // Jae: 14 is good today (2016)
- //
- // Ethan: loading the key (at each signing) takes a second on my desktop,
- // this is hard for laptops and deadly for mobile. You can raise it again,
- // but for now, I will make this usable
- //
- // TODO: review value
- BCryptCost = 12
-)
-
 var (
 // SecretBox uses the algorithm from NaCL to store secrets securely
 SecretBox Encoder = secretbox{}
@@ -44,7 +30,7 @@ func (e secretbox) Encrypt(privKey crypto.PrivKey, passphrase string) (saltBytes
 }
 
 saltBytes = crypto.CRandBytes(16)
- key, err := bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), BCryptCost)
+ key, err := bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), 14) // TODO parameterize. 14 is good today (2016)
 if err != nil {
 return nil, nil, errors.Wrap(err, "Couldn't generate bcrypt key from passphrase.")
 }
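Review bot: The bcrypt cost is now the bare literal `14` in this call and again in the Decrypt hunk (`@@ -58,7 +44,7`), and nothing ties the two together. The result is assigned to `key`, so it presumably serves as the encryption key, which means the two costs must always be equal or stored keys stop decrypting. A single unexported constant used by both calls, e.g. `const bcryptCost = 14 // KDF work factor; Encrypt and Decrypt must agree`, keeps the restored value while removing the chance of drift, and the `// TODO parameterize` comment can live there once. Encrypt starts and ends outside this hunk, so how `key` is consumed is inferred rather than visible.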
@@ -58,7 +44,7 @@ func (e secretbox) Decrypt(saltBytes []byte, encBytes []byte, passphrase string)
 // NOTE: Some keys weren't encrypted with a passphrase and hence we have the conditional
 if passphrase != "" {
 var key []byte
- key, err = bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), BCryptCost)
+ key, err = bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), 14) // TODO parameterize. 14 is good today (2016)
 if err != nil {
 return crypto.PrivKey{}, errors.Wrap(err, "Invalid Passphrase")
 }
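Review bot: Decrypt derives the key with a fixed cost instead of one recorded alongside `saltBytes`, so a key encrypted while the reverted commit's cost of 12 was in effect would derive a different key here and could no longer be opened. If such keys can exist, the cost should be stored with the salt, or the commit message should state how they are migrated. Separately, the wrap text `"Invalid Passphrase"` labels a key-derivation failure. A wrong passphrase would more likely surface when the ciphertext is opened, which is outside this hunk, so the wording Encrypt uses, `"Couldn't generate bcrypt key from passphrase."`, would describe this branch more accurately.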