Change argon2 salt length to recommended value (16 bytes) #275
Conversation
|
Given RustCrypto/password-hashes#306, perhaps it would be more apt to use the constant newly-exported constant |
|
I agree it would be cleaner to use that, but the constant is unfortunately only visible when the |
|
As far as I know, the only reason we are using a salt at all, is because it's required. After all, we are using a static salt, so it's security value is zero. So following the recommendation doesn't make straightforward sense to me. Specifically, the minimum amount was used because it's the minimum required. Of course, the issue, as pointed out by @falko17, is compatibility, we all have to somehow agree on the same salt to be compatible with each other. @kevinlewi can this be coordinated by the spec somehow? Maybe go a bit further and specify a static salt for MHFs, instead of using zeroes? |
There was a problem hiding this comment.
I just submitted RustCrypto/password-hashes#307 for us. The RustCrypto team is quite quick with releasing new versions on demand.
Despite my comment before, I think the PR is still fine, we can follow-up afterwards.
|
It's outside the purview of the OPAQUE spec to specify the length of the salt for the key stretching function (argon in this case). Agreed, pending the outcome of that PR, we can follow up afterwards. Thanks for working on this @falko17, this should be good to merge. |
This commit changes the `Ksf` implementation for Argon2 and sets the salt length to 16 bytes, the value recommended in section 3.1 of the Argon2 specification.
falko17
force-pushed
the
change-argon2-salt-length
branch
from
81205a2
to
29c7a54
Compare
|
Thanks for your comments! Should we wait until the changes from RustCrypto/password-hashes#306 and RustCrypto/password-hashes#307 are released in a new crate version so that the constant can be used, or do we want to address this later in a follow-up PR? I'm not sure how long this will take, so perhaps addressing this in a follow-up is the better option here. |
|
Agreed, we can land now. Thanks for contributing! |
This pull request changes the
Ksfimplementation for Argon2 and sets the salt length to 16 bytes (instead of the minimal length of 8 bytes), the value recommended for password hashing in section 3.1 of the Argon2 specification.This also serves to improve interoperability: for example, with this change, it's possible to use
opaque-kein conjunction withlibopaque, since it also uses a 16-byte salt by default.Note that this will make existing registrations (i.e., those made with an 8-byte salt) invalid, since KSF parameters (including salt length) must stay the same across registration and login.