rspec/rules/S2053/exceptions.adoc

=== Exceptions

To securely store password hashes, it is a recommended to rely on
key derivation functions that are computationally intensive. Examples of such
functions are:

* Argon2
* PBKDF2
* Scrypt
* Bcrypt

When they are used for password storage, using a secure, random salt is
required.

However, those functions can also be used for other purposes such as master key
derivation or password-based pre-shared key generation. In those cases, the
implemented cryptographic protocol might require using a fixed salt to derive
keys in a deterministic way. In such cases, using a fixed salt is safe and
accepted.
Modify rule S2053: Add an exception section for key derivation use case of KDFs (#3700) * Adding an exception section covering key derivation use cases. * Updating recommended salt length to 256 bits as recommended by NIST * Improve title to make it explicit we don't target KDF * Altered some small points --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2024-03-07 18:20:49 +01:00			`=== Exceptions`

			`To securely store password hashes, it is a recommended to rely on`
			`key derivation functions that are computationally intensive. Examples of such`
			`functions are:`

			`* Argon2`
			`* PBKDF2`
			`* Scrypt`
			`* Bcrypt`

			`When they are used for password storage, using a secure, random salt is`
			`required.`

			`However, those functions can also be used for other purposes such as master key`
			`derivation or password-based pre-shared key generation. In those cases, the`
			`implemented cryptographic protocol might require using a fixed salt to derive`
			`keys in a deterministic way. In such cases, using a fixed salt is safe and`
			`accepted.`