Memory Hard Key Derivation Functions in the Web Crypto API

Hi all,

I am new here! My background is not specifically the web, but
cryptography and security, and I've been conducting security audits
with Least Authority in the past few years.

I am going to comment on the Web Crypto API. My understanding is that
this is the right place to do that, since the working group disbanded.
If that is not the case, I am sorry and curious where I should head
instead. I searched both the archives of the old mailing list as well
as this one for previous discussions on the topic but couldn't find

I am writing because several projects we have reviewed used PBKDF2
from the Web Crypto API to derive key material from a password. We
have consistently flagged this, because the function is purely
CPU-bound and can be sped up using FPGAs or custom hardware. This is
not a new finding. The scrypt algorithm was an attempt to mitigate
this and first published in 2009 and Argon2 won the Password Hashing
Competition in 2015. Currently, we recommend to projects in the web
space (often extensions) to use an Argon2 WASM module to do the

I think it is curious that what I and others I talk to consider the
best practice password hashing algorithm has no support in the Web
Crypto API. Have there been discussions about adding it internally? Or
is the entire API on its way towards deprecation, now that WASM allows
relatively fast execution of crypto code?

I'm looking forward to your responses!


Jan Winkelmann
Security Researcher & Engineer
Least Authority TFA GmbH

Received on Thursday, 4 November 2021 13:01:55 UTC