It's interesting idea about using PBKDF2 .
I miss this variant.
But given BlackBerry vulnerability and others similar issues how to do it right ?!
Which implementation of PBKDF2 is the best in your opinion ?
Is encfs doing it right way ?
Implementing PBKDF2 isn't hard, you just have to pick good parameters. There are three:
- Hash function
- Salt
- Iteration count
Example -- WiFi WPA/WPA2 PSK uses SHA1, 4096 iterations, salted with the SSID.
Example -- TrueCrypt uses RIPEMD160 (or others), 1000 or 2000 iterations, and a large random salt.
Example -- Linux LUKS uses SHA1 (or others), a varying number of iterations based on CPU power (>100000), and a large random salt.
BlackBerry screwed up by choosing only a single iteration, making their keys vulnerable to brute forcing.
For this application, since you want the password to convert directly to the private key without any other stored parameters, your options are more limited. Salting will offer little added security because you'll have to choose an empty salt or a constant salt. However, you can opt for a huge number of iterations, and it would be quite secure.
