-rw-r--r-- | base/crypto/symmetric_key_mac.cc | 5 | ||||
-rw-r--r-- | chrome/browser/sync/util/nigori.h | 2 |
2 files changed, 5 insertions, 2 deletions
diff --git a/base/crypto/symmetric_key_mac.cc b/base/crypto/symmetric_key_mac.cc
index ba033a7..19c330d 100644
--- a/base/crypto/symmetric_key_mac.cc
+++ b/base/crypto/symmetric_key_mac.cc
@@ -23,8 +23,11 @@ CSSM_KEY_TYPE CheckKeyParams(base::SymmetricKey::Algorithm algorithm,
 << "Invalid key size " << key_size_in_bits << " bits";
 return CSSM_ALGID_AES;
 } else {
+ // FIPS 198 Section 3 requires a HMAC-SHA-1 derived keys to be at least
+ // (HMAC-SHA-1 output size / 2) to be compliant. Since the ouput size of
+ // HMAC-SHA-1 is 160 bits, we require at least 80 bits here.
 CHECK(algorithm == base::SymmetricKey::HMAC_SHA1);
- CHECK(key_size_in_bits >= 64 && (key_size_in_bits % 8) == 0)
+ CHECK(key_size_in_bits >= 80 && (key_size_in_bits % 8) == 0)
 << "Invalid key size " << key_size_in_bits << " bits";
 return CSSM_ALGID_SHA1HMAC_LEGACY;
 }
diff --git a/chrome/browser/sync/util/nigori.h b/chrome/browser/sync/util/nigori.h
index b7d037b..ad57ad7 100644
--- a/chrome/browser/sync/util/nigori.h
+++ b/chrome/browser/sync/util/nigori.h
@@ -50,7 +50,7 @@ class Nigori {
 bool Decrypt(const std::string& value, std::string* decrypted);
 static const char kSaltSalt[]; // The salt used to derive the user salt.
- static const size_t kSaltKeySizeInBits = 64;
+ static const size_t kSaltKeySizeInBits = 128;
 static const size_t kDerivedKeySizeInBits = 128;
 static const size_t kIvSize = 16;
 static const size_t kHashSize = 32; |
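Review bot: The comment added above the HMAC_SHA1 checks in CheckKeyParams (base/crypto/symmetric_key_mac.cc) has wording errors ("a HMAC-SHA-1 derived keys", "ouput"), and the limit it explains is still a bare `80` in the CHECK. I would reword it to `// FIPS 198 Section 3 requires an HMAC key of at least half the hash output size; HMAC-SHA-1 outputs 160 bits, so require at least 80.` and name the bound, e.g. `static const size_t kMinHmacSha1KeySizeInBits = 160 / 2;`, so the comment and the check cannot drift apart. As far as the hunk shows, the check applies to every HMAC-SHA-1 key that reaches this branch, not only derived ones, so "derived" is better dropped. The comment could also say that 80 bits is a compliance floor rather than a recommended size, since RFC 2104 discourages keys shorter than the hash output. CheckKeyParams starts and ends outside the hunk.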
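Review bot: kSaltKeySizeInBits in chrome/browser/sync/util/nigori.h goes from 64 to 128 with no comment tying it to the minimum that CheckKeyParams now enforces, and nothing on compatibility. The derivation code is not in this hunk, but if this constant sizes the key that produces the user salt, salts and the keys derived from them will presumably differ from those produced under the 64-bit value; please confirm that nothing already persisted depends on the old size, or that a migration or version marker exists. Assuming the salt key is created as an HMAC_SHA1 SymmetricKey, I would add `// Must stay >= 80 bits: SymmetricKey rejects shorter HMAC-SHA-1 keys (FIPS 198, L/2).` above the constant. The Nigori class continues outside the hunk.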