Skip to content

security: increase PBKDF2 iterations from 10,000 to 500,000 in encrypt()#8402

Open
michaelchenchen wants to merge 1 commit intoBitGo:masterfrom
michaelchenchen:security/increase-pbkdf2-iterations
Open

security: increase PBKDF2 iterations from 10,000 to 500,000 in encrypt()#8402
michaelchenchen wants to merge 1 commit intoBitGo:masterfrom
michaelchenchen:security/increase-pbkdf2-iterations

Conversation

@michaelchenchen
Copy link
Copy Markdown

@michaelchenchen michaelchenchen commented Apr 4, 2026

Summary

Increases the PBKDF2-SHA256 iteration count in encrypt() from 10,000 to 500,000 to restore the original ~100 ms hashing time target on modern hardware and align with current OWASP/NIST guidance.

Background

The 10,000 iteration count was set ~2014, when it took ~100 ms on contemporary hardware — matching the OWASP recommendation of the time. Twelve years of CPU improvements have reduced the actual cost to ~10 ms on modern hardware, making offline brute-force attacks on encrypted wallet keychain blobs 10× cheaper than originally intended.

Every encryptedPrv (wallet private key), TSS key share, and GPG signing key stored by BitGoJS clients is encrypted with this function. An attacker who obtains an encryptedPrv blob — e.g. via a device theft, cloud backup leak, or server-side compromise — can try passwords at ~92 guesses/sec/CPU-core at 10k iterations. At 500k that drops to ~1.8 guesses/sec/core.

Changes

  • modules/sdk-api/src/encrypt.ts: Adds exported constant ENCRYPTION_ITERATIONS = 500_000 (previously 10000 hardcoded inline). All sjcl.encrypt() calls now use this constant.
  • modules/sdk-api/test/unit/encrypt.ts: Adds tests asserting:
    • ENCRYPTION_ITERATIONS === 500_000
    • New blobs carry iter: 500000 in their JSON envelope
    • Legacy blobs with iter: 10000 decrypt correctly (backward compat)

Backward Compatibility ✅

The SJCL JSON envelope is self-describing — every ciphertext blob stores its own iter, ks, iv, salt, mode, and cipher fields:

{"iv":"...","v":1,"iter":10000,"ks":256,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"...","ct":"..."}

decrypt() reads iter from the blob at runtime — not from any constant — so all existing ciphertexts encrypted at 10,000 iterations continue to decrypt correctly without any database migration, re-encryption step, or SDK upgrade coordination. Only newly encrypted blobs use the higher count.

Measured Performance

Benchmarked on Apple Silicon VM (AES-256-CCM, 238-byte plaintext, 1000 encrypt + 1000 decrypt at 10k; 20 ops at 600k):

iter encrypt/op decrypt/op brute-force (CPU, 1 core)
10,000 ~10 ms ~8 ms ~92 guesses/sec ← before
500,000 ~540 ms ~400 ms ~1.8 guesses/sec ← after

The extra ~500 ms per wallet unlock is acceptable for a custody platform where key decryption is infrequent and security is paramount. This restores the original design intent of ~100–500 ms hashing time.

Security Rationale

  • OWASP (2025) recommends 600,000 iterations for PBKDF2-SHA256; 500,000 is a pragmatic balance between security and UX latency.
  • NIST SP 800-132 recommends targeting ≥100 ms on the verifying system; 500k exceeds that on server hardware.
  • Quantum defense: Grover's algorithm effectively halves brute-force cost. Higher iteration count provides additional defense-in-depth against quantum-accelerated attacks on weak passphrases.

Testing

All existing encrypt/decrypt tests pass. New tests added and verified.

@michaelchenchen
security: increase PBKDF2 iterations from 10,000 to 500,000 in encrypt()
e66c9bd 
BACKGROUND
----------
The PBKDF2-SHA256 iteration count in BitGoJS's encrypt() function has been
10,000 since the library was written (~2014). That count was chosen to hit
the then-recommended ~100 ms hashing time on contemporary hardware. Twelve
years of CPU improvements have reduced the actual cost to ~10 ms on modern
hardware — 10× below the original target — making offline brute-force attacks
on encrypted wallet keychain blobs significantly cheaper than intended.

WHAT THIS CHANGES
-----------------
modules/sdk-api/src/encrypt.ts
  - Adds exported constant ENCRYPTION_ITERATIONS = 500_000 (was 10,000 inline)
  - All calls to sjcl.encrypt() now use 500,000 PBKDF2-SHA256 iterations

modules/sdk-api/test/unit/encrypt.ts
  - Asserts ENCRYPTION_ITERATIONS === 500_000
  - Asserts new blobs carry iter=500000 in their JSON envelope
  - Adds backward-compatibility test: a blob encrypted at iter=10000 is
    correctly decrypted by the unchanged decrypt() function

BACKWARD COMPATIBILITY
----------------------
The SJCL JSON envelope is self-describing. Every encrypted blob stores its
own iter, ks, iv, salt, mode, and cipher fields:

  { "iv":"...", "v":1, "iter":10000, "ks":256, "ts":64,
    "mode":"ccm", "adata":"", "cipher":"aes", "salt":"...", "ct":"..." }

decrypt() reads iter from the blob at runtime, so existing ciphertexts
encrypted at 10,000 iterations continue to decrypt correctly without any
database migration or re-encryption step. Only newly encrypted blobs use
the higher count.

MEASURED PERFORMANCE (Apple Silicon VM, AES-256-CCM, 238-byte plaintext)
-------------------------------------------------------------------------
  iter     encrypt/op   decrypt/op   brute-force (CPU, 1 core)
  ──────────────────────────────────────────────────────────────
  10,000    ~10 ms       ~8 ms        ~92 guesses/sec   ← before
  500,000   ~540 ms      ~400 ms      ~1.8 guesses/sec  ← after

The extra ~500 ms per wallet unlock is acceptable for a custody platform
where key decryption is infrequent and security is paramount. This also
restores the original design intent of ~100–500 ms hashing time.

SECURITY RATIONALE
------------------
- OWASP (2025) recommends 600,000 iterations for PBKDF2-SHA256; 500,000
  is a pragmatic choice that balances security with UX latency.
- NIST SP 800-132 recommends an iteration count that targets at least 100 ms
  on the verifying system; 500,000 iterations exceeds that on server hardware.
- A quantum attacker using Grover's algorithm effectively halves the brute-force
  cost, making the higher iteration count doubly important as a defense-in-depth
  measure against future quantum-accelerated attacks on weak passphrases.

Resolves: internal security audit finding (April 2026)
Reviewed-by: Michael Chen <michaelchen@belshe.com>
@michaelchenchen michaelchenchen requested review from a team as code owners April 4, 2026 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pranavjain97 pranavjain97 Awaiting requested review from pranavjain97 pranavjain97 is a code owner automatically assigned from BitGo/wallet-core

@lokesh-bitgo lokesh-bitgo Awaiting requested review from lokesh-bitgo lokesh-bitgo is a code owner automatically assigned from BitGo/wallet-core-india

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@michaelchenchen