39 return nil, err
40 }
41
42 clearKey := pbkdf2.Key([]byte(passphrase), []byte(salt), 4096, 32, sha1.New)43 key, err := aes.NewCipher(clearKey)
44 if err != nil {
45 return nil, err
68 return nil, fmt.Errorf("invalid cipher text, not : delimited")
69 }
70
71 clearKey := pbkdf2.Key([]byte(passphrase), []byte(parts[0]), 4096, 32, sha1.New)72 key, err := aes.NewCipher(clearKey)
73 if err != nil {
74 return nil, err
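Using a higher iteration count significantly increases the computation required to brute-force passwords from the derived keys. OWASP recommends using more than 310,000 iterations for PBKDF2. That figure is tied to PBKDF2 with HMAC-SHA256; the recommended minimum depends on the underlying hash function (the snippet above uses SHA-1) and is revised over time, so check the current OWASP Password Storage Cheat Sheet when choosing a value. Note that there is a trade-off: a higher iteration count increases the cost of an exhaustive search, but it also makes every legitimate key derivation proportionally slower.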
package main
import (
"crypto/sha256"
"golang.org/x/crypto/pbkdf2"
)
// main shows the flagged pattern: a PBKDF2-HMAC-SHA256 derivation whose
// iteration count is well below the 310,000 minimum this page cites.
func main() {
	const iterations = 10000 // weak: less than 310,000 iterations

	// Literal inputs keep the example short; the derived key is discarded.
	// NOTE(review): a fixed salt is only acceptable in a demo. Real code
	// should use a unique, randomly generated salt per password.
	password := []byte("pass")
	salt := []byte("salt")

	pbkdf2.Key(password, salt, iterations, 64, sha256.New)
}
package main
import (
"crypto/sha256"
"golang.org/x/crypto/pbkdf2"
)
// main shows the recommended pattern: a PBKDF2-HMAC-SHA256 derivation that
// uses the 310,000 iterations this page cites as the minimum.
func main() {
	const (
		iterations = 310000 // meets the iteration count recommended on this page
		keyLen     = 64     // length of the derived key in bytes
	)

	// Literal inputs keep the example short; the derived key is discarded.
	// NOTE(review): the iteration count is the only thing this example fixes.
	// The constant salt is still a placeholder; real code should use a unique,
	// randomly generated salt per password.
	password := []byte("pass")
	salt := []byte("salt")

	pbkdf2.Key(password, salt, iterations, keyLen, sha256.New)
}