Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: bcrypt cost adjustment #670

Merged
merged 1 commit into from
Mar 30, 2023
Merged

chore: bcrypt cost adjustment #670

merged 1 commit into from
Mar 30, 2023

Conversation

peter7891
Copy link
Contributor

In this PR, we reduce the bcrypt cost from 12 to 11.
@zivkovicmilos expressed concerns that CreateAccount was too slow.
It seems like this is safe to do. As far as i understand this refers to local storage.

@peter7891 peter7891 requested a review from a team as a code owner March 28, 2023 22:35
@moul
Copy link
Member

moul commented Mar 29, 2023

What's the impact on performance?

@moul
Copy link
Member

moul commented Mar 29, 2023

Do bcrypt's security measures have relevance to this situation? I'm more concerned about the potential risks of a weak PRNG than demonstrating proof of effort/work here.

@peter7891
Copy link
Contributor Author

@moul

Benchmarks with 12 cost

BenchmarkCreateAccount-8               4         257309375 ns/op
PASS
ok      github.com/gnolang/gno/pkgs/crypto/keys 10.182s

Benchmarks with 11 cost

BenchmarkCreateAccount-8               8         128997650 ns/op
PASS
ok      github.com/gnolang/gno/pkgs/crypto/keys 5.287s

moul
moul approved these changes Mar 29, 2023
View reviewed changes
Copy link
Member

@moul moul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I support merging this issue as it is both redundant and disruptive to development.

I suggest that we open an issue to further discuss the security concerns. We should consider using a single round of bcrypt or switching to a simpler hashing function for this particular case. If that is not feasible, then let's determine the best default values and add comments to explain our decisions.

@moul moul changed the title bcrypt cost adjustment chore: bcrypt cost adjustment Mar 29, 2023
@peter7891 peter7891 merged commit e0c50ec into master Mar 30, 2023
@peter7891 peter7891 deleted the bcrypt branch March 30, 2023 12:24
@moul moul mentioned this pull request Mar 30, 2023
Open
@grepsuzette grepsuzette mentioned this pull request Mar 31, 2023
Closed
grepsuzette added a commit to grepsuzette/gno that referenced this pull request Apr 1, 2023
@grepsuzette
fix: revert gnolang#670 (bcrypt cost) to fix gnolang#680
0e6d895 
This reverts e0c50ec (gnolang#670)
It breaks decoding of existing accounts.
For instance if you addpkg, it gives:

Enter password.
ciphertext decryption failed

Changing bcryptSecurityParameter = 12 (from 11) makes it work again.

Better change until we find a better solution.
@grepsuzette grepsuzette mentioned this pull request Apr 1, 2023
Merged
moul-bot pushed a commit to moul/gno that referenced this pull request Apr 1, 2023
@moul
Revert "chore: bcrypt cost adjustment (gnolang#670)"
9d997f6 
This reverts commit e0c50ec.
moul pushed a commit that referenced this pull request Apr 1, 2023
@grepsuzette
fix: revert #670 (bcrypt cost) to fix #680 (#684)
2b7642b 
Co-authored-by: grepsuzette <grepsuzette@users.noreply.github.com>
@zivkovicmilos zivkovicmilos mentioned this pull request Jun 16, 2023
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moul moul moul approved these changes

@zivkovicmilos zivkovicmilos zivkovicmilos approved these changes

Assignees

@peter7891 peter7891

Labels
None yet
Projects
🚀 The Launch
Status: No status
🧐 Review Meeting
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@peter7891 @moul @zivkovicmilos