Boxcryptor uses various CSPRNGs and apparently hashes the output using PBKDF2 to derive the final key. Even though the choice of PBKDF2 is probably not semantically correct (PBKDF2 is intended for passwords), I wonder if this iterative hardening actually makes sense.
Let's suppose the CSPRNG is backdoored/buggy/broken/etc. (we have already seen that in the past), and for 128-bit output you just get, let's say, 64 bits of entropy (the rest is supposedly predictable by an adversary). So the adversary has to do 2^64 work, which he can brute-force. But now the app does:
key = PBKDF2(csprng_output, salt, 1000000)
Not sure where the salt comes from (since they don't trust the CSPRNG, I guess it's fixed??), but does this make sense? The adversary still has to guess 2^64 obviously, but each guess takes a lot of work. After all, that's exactly why we use PBKDF2 on passwords to be secure despite their low entropy.
CryptGenRandom or whatever I use, there is a good chance that all that data will come from the same seed of the system PRG.
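An added illustration of the work-factor question in the post (example code written here, not Boxcryptor's implementation): a modelled CSPRNG whose 128-bit output carries only a few unpredictable bits, the key derived from it with PBKDF2 as in the post, and a count of how many PBKDF2 evaluations someone who knows the fixed bits needs to reproduce the key. The hash (HMAC-SHA-256), the fixed salt and the reduced iteration count are assumptions chosen so the demo runs quickly.

```python
import hashlib
import math
import os

# Constructed demo parameters (not Boxcryptor's real values).
SALT = b"constructed-fixed-salt"   # assumption: a fixed salt, as the post guesses
ITERATIONS = 2000                  # post uses 1,000,000; reduced so the demo runs fast
OUTPUT_LEN = 16                    # 128-bit CSPRNG output and 128-bit derived key


def weak_csprng(entropy_bits: int, rng=os.urandom) -> bytes:
    """Model a broken CSPRNG: 128-bit output of which only `entropy_bits`
    (the low bits) are unpredictable; every other bit is a known constant (zero)."""
    secret = int.from_bytes(rng(8), "big") & ((1 << entropy_bits) - 1)
    return secret.to_bytes(OUTPUT_LEN, "big")


def derive_key(csprng_output: bytes, salt: bytes = SALT,
               iterations: int = ITERATIONS) -> bytes:
    """key = PBKDF2(csprng_output, salt, iterations), as written in the post.
    Assumption: PBKDF2-HMAC-SHA-256 with a 128-bit output."""
    return hashlib.pbkdf2_hmac("sha256", csprng_output, salt, iterations,
                               dklen=OUTPUT_LEN)


def work_factor_bits(entropy_bits: int, iterations: int) -> float:
    """Attacker cost in bits: 2^entropy_bits candidates, each costing
    `iterations` HMAC calls, i.e. entropy_bits + log2(iterations).
    With 64 bits of entropy and 10^6 iterations this is about 83.9 bits."""
    return entropy_bits + math.log2(iterations)


def guesses_needed(key: bytes, entropy_bits: int, salt: bytes = SALT,
                   iterations: int = ITERATIONS) -> int:
    """Enumerate the 2^entropy_bits candidate CSPRNG outputs and return how many
    full PBKDF2 evaluations it took to reproduce `key` (1-based), or -1.
    The worst case is 2^entropy_bits evaluations of `iterations` HMAC calls each."""
    for candidate in range(1 << entropy_bits):
        guess = candidate.to_bytes(OUTPUT_LEN, "big")
        if derive_key(guess, salt, iterations) == key:
            return candidate + 1
    return -1


if __name__ == "__main__":
    out = weak_csprng(8)                      # only 8 unpredictable bits
    key = derive_key(out)
    n = guesses_needed(key, 8)
    print(f"reproduced after {n} PBKDF2 evaluations "
          f"({n * ITERATIONS} HMAC calls), max {1 << 8}")
    print(f"64-bit entropy + 10^6 iterations -> "
          f"{work_factor_bits(64, 1_000_000):.1f} bits of work")
```

The iteration count multiplies each guess's cost but leaves the number of candidates at 2^entropy_bits, which is exactly the trade-off the post asks about.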