-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change argon2 salt length to recommended value (16 bytes) #275
Change argon2 salt length to recommended value (16 bytes) #275
Conversation
Given RustCrypto/password-hashes#306, perhaps it would be more apt to use the constant newly-exported constant |
I agree it would be cleaner to use that, but the constant is unfortunately only visible when the |
As far as I know, the only reason we are using a salt at all, is because it's required. After all, we are using a static salt, so it's security value is zero. So following the recommendation doesn't make straightforward sense to me. Specifically, the minimum amount was used because it's the minimum required. Of course, the issue, as pointed out by @falko17, is compatibility, we all have to somehow agree on the same salt to be compatible with each other. @kevinlewi can this be coordinated by the spec somehow? Maybe go a bit further and specify a static salt for MHFs, instead of using zeroes? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just submitted RustCrypto/password-hashes#307 for us. The RustCrypto team is quite quick with releasing new versions on demand.
Despite my comment before, I think the PR is still fine, we can follow-up afterwards.
It's outside the purview of the OPAQUE spec to specify the length of the salt for the key stretching function (argon in this case). Agreed, pending the outcome of that PR, we can follow up afterwards. Thanks for working on this @falko17, this should be good to merge. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just need to add feature-gating for argon2
This commit changes the `Ksf` implementation for Argon2 and sets the salt length to 16 bytes, the value recommended in section 3.1 of the Argon2 specification.
81205a2
to
29c7a54
Compare
Thanks for your comments! Should we wait until the changes from RustCrypto/password-hashes#306 and RustCrypto/password-hashes#307 are released in a new crate version so that the constant can be used, or do we want to address this later in a follow-up PR? I'm not sure how long this will take, so perhaps addressing this in a follow-up is the better option here. |
Agreed, we can land now. Thanks for contributing! |
This pull request changes the
Ksf
implementation for Argon2 and sets the salt length to 16 bytes (instead of the minimal length of 8 bytes), the value recommended for password hashing in section 3.1 of the Argon2 specification.This also serves to improve interoperability: for example, with this change, it's possible to use
opaque-ke
in conjunction withlibopaque
, since it also uses a 16-byte salt by default.Note that this will make existing registrations (i.e., those made with an 8-byte salt) invalid, since KSF parameters (including salt length) must stay the same across registration and login.