fix: Replace SHA-256 key derivation with PBKDF2 #6237

Merged: JhaSourav07 merged 3 commits into JhaSourav07:main from Abfa41:fix/crypto-pbkdf2-key-derivation, Jun 21, 2026
@Abfa41 Abfa41 commented Jun 21, 2026

Contributor

Description

Fixes #6201

This PR replaces the existing single-iteration SHA-256 key derivation with PBKDF2 to improve the security of encryption key generation.

Changes made:

  • Replaced crypto.createHash('sha256') with crypto.pbkdf2Sync.
  • Added a random 16-byte salt for each encryption operation.
  • Stored the generated salt alongside the encrypted payload.
  • Updated decryption logic to extract and reuse the stored salt.
  • Configured PBKDF2 with 100,000 iterations and SHA-512.
  • Continued deriving a 32-byte key for AES-256-GCM compatibility.
  • Updated crypto tests to validate the new salted encrypted payload structure and expected segment count.

Security improvements:

  • Introduces a computational work factor against brute-force attacks.
  • Prevents identical passwords from generating identical encryption keys.
  • Aligns key derivation with modern cryptographic best practices.
  • Reduces risks associated with low-entropy passwords or secrets.

Pillar

  • 🎨 Pillar 1 — New Theme Design
  • 📐 Pillar 2 — Geometric SVG Improvement
  • 🕐 Pillar 3 — Timezone Logic Optimization
  • 🛠️ Other (Security improvement)

Checklist before requesting a review:

  • I have read the CONTRIBUTING.md file.
  • I have tested these changes locally.
  • I have run npm run format and npm run lint locally and resolved all errors.
  • My commits follow the Conventional Commits format.
  • I have updated documentation if required.
  • I have starred the repo.
  • I have made sure that I have only one commit to merge in this PR.

vercel Bot commented Jun 21, 2026

Contributor

@Abfa41 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label Jun 21, 2026
@github-actions github-actions Bot removed the status:blocked This PR is blocked due to a failing CI check. label Jun 21, 2026
@github-actions

Contributor

📦 Next.js Bundle Size Report (Gzipped Sizes)

✨ No significant bundle size changes detected.

📊 Summary of Totals

Category  | PR Size    | Base Size  | Difference
Total JS  | 3697.00 KB | 3697.00 KB | 0 B
Total CSS | 296.58 KB  | 296.58 KB  | 0 B

@Aamod-Dev Aamod-Dev added GSSoC 2026 mentor:Aamod007 level:advanced Complex contributions involving architecture, optimization, or significant feature work quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. security refactor labels Jun 21, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator

Replacing the single-iteration SHA-256 hashing with crypto.pbkdf2Sync and a random salt in lib/crypto.ts significantly hardens our encryption against brute-force attacks. Updating the tests in lib/crypto.empty-fallback.test.ts to expect the 4-part payload (salt included) ensures the new structure is correctly verified. Great security improvement! Approved!
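
The salted payload described in the PR description and in the review above, as an added example that is not the project's lib/crypto.ts. Salt size, iteration count, digest and key length are the ones stated in the PR; the `:` separator, hex encoding, segment order and 12-byte IV are assumptions, and the secrets used with it are constructed.

```javascript
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv, createHash } = require('node:crypto');

// Parameters stated in the PR description.
const SALT_BYTES = 16, ITERATIONS = 100_000, KEY_BYTES = 32, DIGEST = 'sha512';
// Assumptions (not from the PR): 12-byte GCM IV, hex segments joined by ':'.
const IV_BYTES = 12, TAG_BYTES = 16, SEP = ':';

// The "before": one unsalted SHA-256 pass, so equal secrets give equal keys.
function legacyKey(secret) {
  return createHash('sha256').update(secret).digest();
}

// The "after": salted PBKDF2 with a work factor.
function deriveKey(secret, salt) {
  return pbkdf2Sync(secret, salt, ITERATIONS, KEY_BYTES, DIGEST);
}

function encrypt(plaintext, secret) {
  const salt = randomBytes(SALT_BYTES); // fresh salt for every encryption
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Four segments: salt, iv, auth tag, ciphertext.
  return [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString('hex')).join(SEP);
}

function decrypt(payload, secret) {
  const parts = payload.split(SEP);
  // A payload without the salt segment (3 parts) is rejected, not guessed at.
  if (parts.length !== 4) throw new Error('expected 4 segments (salt:iv:tag:ciphertext)');
  const [salt, iv, tag, ct] = parts.map((p) => Buffer.from(p, 'hex'));
  if (salt.length !== SALT_BYTES || iv.length !== IV_BYTES || tag.length !== TAG_BYTES) {
    throw new Error('malformed segment length');
  }
  // The stored salt is reused to re-derive the same key.
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify (wrong secret or tampered data).
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Helper for checks: true when decryption of the payload is rejected.
function rejects(payload, secret) {
  try { decrypt(payload, secret); return false; } catch { return true; }
}
```

Payloads written by an older, unsalted format would fail the segment-count check here, so a migration or fallback path has to be decided separately.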

@JhaSourav07 JhaSourav07 added the gssoc:approved PR has been reviewed and accepted for valid contribution points label Jun 21, 2026
@JhaSourav07 JhaSourav07 merged commit 29e6d05 into JhaSourav07:main Jun 21, 2026
12 of 13 checks passed
@github-actions github-actions Bot added this to the GSSoC 2026 milestone Jun 21, 2026
@github-actions

Contributor

🎉 Congratulations @Abfa41! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨

@Abfa41 Abfa41 deleted the fix/crypto-pbkdf2-key-derivation branch June 21, 2026 18:50
@github-actions github-actions Bot added the type:bug Something isn't working as expected label Jun 21, 2026
Abfa41 commented Jun 21, 2026

Contributor Author

@Aamod-Dev, please look into type labels. It should be 'type:refactor' and 'type:security' labels, not 'refactor' and 'security'. Kindly change it. Thanks!

Development

Successfully merging this pull request may close these issues.

fix(crypto): SHA-256 KDF with single iteration is weak (HIGH)