Any plans to RFC document? #271
Comments
|
We the authors are pinging the CFRG chairs for quite some time already but
there is no reaction yet. I have written another mail today.
Dmitry
…On Wed, 29 May 2019, 09:14 Milan Broz, ***@***.***> wrote:
Hi,
I know that this is not a code issue, but I think it would be better to
track it here anyway.
The RFC draft for Argon2 just expired again, apparently without any action
from CFRG https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/.
Is there anyone (authors, maintainers) who actually plan to push this RFC
or it is finally abandoned?
We use Argon2 in LUKS2 disk encryption, and absence of any "normative"
document basically ends any discussions with corporate security people.
Also, the absence of such a document means that we are forced to bundle
implementation (instead of including it in common cryptography libraries),
and that is not a good practice anyway.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#271?email_source=notifications&email_token=AA767MUKGN7GCLDIOWWXODTPXYUN5A5CNFSM4HQJYA3KYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4GWM5DDQ>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA767MUIRGQJDYBJVQLUQGTPXYUN5ANCNFSM4HQJYA3A>
.
|
|
Thanks! |
|
Some update: we have reached almost the last step, but the IRTF chair asked if the reference code in the RFC draft can be made compilable. It can not so we are now thinking how to reflect this in the doc while minimizing changes to the draft. |
|
Thanks for the info! It is interesting request. I would personally prefer code readability to copy&paste version (and reference to full-blown implementation in some public SCM). Also it seems to me much more important that RFC contains usable test vectors, so I can easily test deployed code for trivial mistakes. |
|
Hi, I think that discussion related to merging Argon2 to OpenSSL code (see openssl/openssl#9444) is very near to some consensus. Acoording to some discussions I see the main blocker now becomes the unfinished RFC document. |
|
Will work on that in the next days
…On Fri, Feb 7, 2020 at 12:59 PM Milan Broz ***@***.***> wrote:
Hi, I think that discussion related to merging Argon2 to OpenSSL code (see
openssl/openssl#9444 <openssl/openssl#9444>) is
very near to some consensus. Acoording to some discussions I see the main
blocker now becomes the unfinished RFC document.
It seems that there are only some small changes requested now by IRSG (
https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/history/), is
there any chance that it becomes formal standard in next few weeks?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#271?email_source=notifications&email_token=AA767MVSCRARRJC72VOJYHLRBVEIRA5CNFSM4HQJYA3KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOELCWCUI#issuecomment-583360849>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA767MTPRCVUQTXWN2JS56DRBVEIRANCNFSM4HQJYA3A>
.
--
Best regards,
Dmitry Khovratovich
|
|
In the issue mentioned above we are discussing the recommended default version. The specs.pdf on this repo recommends Argon2i, and it's the default CLI version, but the draft recommends Argon2id, which one is a sensible, recommended default? |
To best protect against weak operations in "i" (if using only a few iterations), and side-channel attacks possible with "d", mine would be "id", full stop, with at least 20 iterations regardless of the other parameters. Tuning would be needed per application, and heavy use of the "AD" and "Secret" inputs is also a smart move to introduce more information an attacker has to consider, and to isolate systems from attacks against other systems that use only the "recommended/OOTB" defaults of whatever standard is adopted in the RFC. Unfortunately, and all too often, implementers of hashing standards like these abuse the salt by not making it random (such as by deriving it from the username when hashing passwords) or long enough, so having system/user/purpose specific parameters fed into the AD and Secret go a long way to protecting the system as a whole. |
|
@SparkDustJoe thanks for the long explanation, but my question is much simpler: as a library developer, what should I use as defaults, when the user just wants to run |
Yikes... I would hope in your output that the Salt is somehow included with a matching I would still stick to about 15 iterations in "id", and tune the memory and parallelism so that you're sticking to under 2s processing time (no less than 200ms for safety). Consider your machine may not be typical and test on older hardware if you have it. |
Hi, I'm confused, in your first reply you recommend for "at least 20 iterations", now you recommend "about 15 iterations" while the latest draft for argon2id clearly recommends 1 iteration, if I understand this section correct?: Can anyone clarify which setting for the iteration count t is recommended and why? I must admit that I would wish for clearer recommendations for end users. I appreciate all the hard work going into this and I know it's not easy to recommend sensible and sane defaults, but maybe someone can make this more clear for mere mortals like me? |
|
For t>2 the security level scales linearly with t. That's why our advice is
to select the maximum possible t "depending on your hardware". Mere
recommending certain t like 2 or 20 will result in too low security on fast
servers or too low performance on slow servers.
…On Fri, Apr 17, 2020 at 10:25 AM Sven Kieske ***@***.***> wrote:
the user just wants to run hash(password) and forget about the details
Yikes... I would hope in your output that the Salt is somehow included
with a matching verify(password) that expects to find it and actually
uses it. Without that, it's still inviting disaster.
I would still stick to about 15 iterations in "id", and tune the memory
and parallelism so that you're sticking to under 2s processing time (no
less than 200ms for safety). Consider your machine may not be typical and
test on older hardware if you have it.
Hi,
I'm confused, in your first reply you recommend for "at least 20
iterations", now you recommend "about 15 iterations" while the latest draft
for argon2id clearly recommends 1 iteration, if I understand this section
correct?:
https://tools.ietf.org/html/draft-irtf-cfrg-argon2-10#section-8.4
Can anyone clarify which setting for the iteration count t is recommended
and why?
I must admit that I would wish for clearer recommendations for end users.
I'm currently having a hard time advising my dev team, regarding this.
Currently for most parameters it says: test for yourself on your hardware.
I appreciate all the hard work going into this and I know it's not easy to
recommend sensible and sane defaults, but maybe someone can make this more
clear for mere mortals like me?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#271 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA767MR455P3FEFUQRVOXD3RNAG7DANCNFSM4HQJYA3A>
.
--
Best regards,
Dmitry Khovratovich
|
I don't want to hijack this thread, but I'm very sorry.
Will this section be updated then? It clearly recommends t=1 and "maximum available memory" I find this information very misleading and contradicting to what you said and what is noted here:
Also this mixes up the variable names, across the document time is always displayed as "t", only here as "x"? I'm a little worried about the current state of this. Would it not be reasonable to suggest higher defaults for concrete hardware or cloud instances? Thanks for your answers so far! |
ghost
mentioned this issue
|
I agree there is confusion. Actually what remains to do in the RFC draft is
to provide explicit recommendations for defaults. We will fix this ASAP
On Fri, Apr 17, 2020 at 2:12 PM Sven Kieske <notifications@github.com>
wrote:
… For t>2 the security level scales linearly with t. That's why our advice
is to select the maximum possible t "depending on your hardware". Mere
recommending certain t like 2 or 20 will result in too low security on fast
servers or too low performance on slow servers.
… <#m_9141632980651683959_>
On Fri, Apr 17, 2020 at 10:25 AM Sven Kieske *@*.***> wrote: the user
just wants to run hash(password) and forget about the details Yikes... I
would hope in your output that the Salt is somehow included with a matching
verify(password) that expects to find it and actually uses it. Without
that, it's still inviting disaster. I would still stick to about 15
iterations in "id", and tune the memory and parallelism so that you're
sticking to under 2s processing time (no less than 200ms for safety).
Consider your machine may not be typical and test on older hardware if you
have it. Hi, I'm confused, in your first reply you recommend for "at least
20 iterations", now you recommend "about 15 iterations" while the latest
draft for argon2id clearly recommends 1 iteration, if I understand this
section correct?:
https://tools.ietf.org/html/draft-irtf-cfrg-argon2-10#section-8.4 Can
anyone clarify which setting for the iteration count t is recommended and
why? I must admit that I would wish for clearer recommendations for end
users. I'm currently having a hard time advising my dev team, regarding
this. Currently for most parameters it says: test for yourself on your
hardware. I appreciate all the hard work going into this and I know it's
not easy to recommend sensible and sane defaults, but maybe someone can
make this more clear for mere mortals like me? — You are receiving this
because you commented. Reply to this email directly, view it on GitHub <#271
(comment)
<#271 (comment)>>,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AA767MR455P3FEFUQRVOXD3RNAG7DANCNFSM4HQJYA3A
.
-- Best regards, Dmitry Khovratovich
I don't want to hijack this thread, but I'm very sorry.
I find this statement very confusing in context to your recommendation?
8.4. Recommendations
The Argon2id variant with t=1 and maximum available memory is
RECOMMENDED as a default setting for all environments. This setting
is secure against side-channel attacks and maximizes adversarial
costs on dedicated bruteforce hardware.
Will this section be updated then?
https://tools.ietf.org/html/draft-irtf-cfrg-argon2-10#section-8.4
It clearly recommends t=1 and "maximum available memory"
I find this information very misleading and contradicting to what you said
and what is noted here:
https://tools.ietf.org/html/draft-irtf-cfrg-argon2-10#section-4
1. Figure out the maximum amount x of time (in seconds) that each call
can afford.
Also this mixes up the variable names, across the document time is always
displayed as "t", only here as "x"?
I'm a little worried about the current state of this.
Because I guess many developers will just go by the defaults implemented
by whichever library
they use.
e.g. the nodejs argon2 lib has currently the default "t" at "3" and not
higher.
Would it not be reasonable to suggest higher defaults for concrete
hardware or cloud instances?
I know this is quite some additional work.
Thanks for your answers so far!
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#271 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA767MSPBZBQQKEFUR5VDQTRNBBRBANCNFSM4HQJYA3A>
.
--
Best regards,
Dmitry Khovratovich
|
And this happens because those are the defaults for the CLI tool. It is insecure as most machines could achieve >100 hashes/second and ideally it should take much longer than that. |
We are still waiting |
|
I see #243 is still open as well. I haven't combed through the literature, but was this issue mitigated in recent revisions? If so does that warrant closing that ticket? |
|
Will be fixed this week
…On Wed, Mar 10, 2021 at 6:29 PM Dustin ***@***.***> wrote:
I see #243 <#243> is
still open as well. I haven't combed through the literature, but was this
issue mitigated in recent revisions? If so does that warrant closing that
ticket?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#271 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA767MVP5U624OQ43KEDJCDTC6M5XANCNFSM4HQJYA3A>
.
--
Best regards,
Dmitry Khovratovich
|
|
RFC is released (finally) Thanks @khovratovich and everyone involved! :) |
|
Great job! On to updating the libraries with the latest recommendations :) |
|
Shouldn't this issue be closed then? |
Hi,
I know that this is not a code issue, but I think it would be better to track it here anyway.
The RFC draft for Argon2 just expired again, apparently without any action from CFRG https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/.
Is there anyone (authors, maintainers) who actually plan to push this RFC or it is finally abandoned?
We use Argon2 in LUKS2 disk encryption, and absence of any "normative" document basically ends any discussions with corporate security people. Also, the absence of such a document means that we are forced to bundle implementation (instead of including it in common cryptography libraries), and that is not a good practice anyway.
The text was updated successfully, but these errors were encountered: