58597139fa
## Description Closes: #9404 --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [x] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [x] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [x] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [x] reviewed "Files changed" and left comments if necessary - [x] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable)
2.2 KiB
Security parameter choice
The present Bcrypt security parameter used is 12, which should take about a quarter of a second on midrange consumer hardware (see Benchmarking section below).
For some background into security parameter considerations, see here and here.
Given our security model, where an attacker would need to already have access to a victim's computer and copy the ~/.gaiacli directory (as opposed to e.g. web authentication), this parameter choice seems sufficient for the time being. Bcrypt always generates a 448-bit key, so the security in practice is determined by the length & complexity of a user's password and the time taken to generate a Bcrypt key from their password (which we can choose with the security parameter). Users would be well-advised to use difficult-to-guess passwords.
Benchmarking
To run Bcrypt benchmarks:
go test -v --bench github.com/cosmos/cosmos-sdk/crypto/keys/mintkey
On the test machine (midrange ThinkPad; i7 6600U), this results in:
goos: linux
goarch: amd64
pkg: github.com/cosmos/cosmos-sdk/crypto/keys/mintkey
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-9-4 50 34609268 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-10-4 20 67874471 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-11-4 10 135515404 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-12-4 5 274824600 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-13-4 2 547012903 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-14-4 1 1083685904 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-15-4 1 2183674041 ns/op
PASS
ok github.com/cosmos/cosmos-sdk/crypto/keys/mintkey 12.093s
Benchmark results are in nanoseconds, so security parameter 12 takes about a quarter of a second to generate the Bcrypt key, security param 13 takes half a second, and so on.