x/crypto/argon2: expose all variants #23602
Comments
While I agree in general that
Please export all of them. Don't assume. Let the world use all of your work!
Can you name one?
As mentioned already
Well, they support Argon2d (v1.0 - v1.3). So I guess that they simply took
I already did. I named an entire class of scenarios.
Advantages just explained above.
Of course I generally agree to avoid exposing dangerous primitives, but
I don't know if
TL;DR: I leave that here for @agl to decide. If it gets approval - ping me if I should send a CL.
I agree on that since for the first half of the memory (of the first pass) the low-storage attack can be applied. However the best attack on
Well, that's the general problem I'm concerned about here. Every primitive (if not broken) is not dangerous if it is used correctly. The same applies here for
Just to defend myself on that:
So in that sense I do not agree that the API is "mis-usable" right now but I do agree that exporting
FWIW That wouldn't be possible. As mentioned the Argon2 spec only named
I guess Proposal and NeedsDecision labels ?!
Exposing The idea that everything should be supported and we should let the developers decide is explicitly not what x/crypto aims for. We have also never exposed a "safe but slower" and "unsafe against timing side-channels but faster" pair of functions like this. (We have plenty of problems with primitives that should be side-channel free that aren't, but that's a different matter.) The argument on the KeePass page that side-channel attacks are irrelevant “because KeePass is a local application, not a remote server” doesn't make sense to me. The side-channel attacks in question are the usual cache (and thus timing) issues, right? So why couldn't local Javascript attack that? We crippled Javascript's access to timers as best as we could after Meltdown/Spectre so maybe it's not so practical now, but the fact that KeePass may have misunderstood things doesn't support the idea that exposing
Change https://golang.org/cl/91935 mentions this issue:
Argon2d is/will be used for proof of work in blockchains.
I'm in agreement with @MalteJ. The draft Argon2 RFC (link to section) specifically recommends Argon2d for cryptographic mining. I was disappointed to see it was not exported when I reached for this library.
Any update to this? Same as @MalteJ and @gimmeasandwich; trying to implement a PoW miner in Golang is impossible because of lacking
/cc @FiloSottile |
Please export 2d variant. |
Is there any intent to export |
I don't think we should break the expectation that crypto/ and x/crypto provide safe primitives for most use cases to enable blockchain PoW algorithms. In particular, I don't want the fastest option in a set of hard to choose amongst options to be the least safe. A high-performance Argon2d implementation with no security requirements is maybe something the blockchain community should develop in an external repository.
This change exports the Argon2 variant Argon2id and improves documentation. The following parameter recommendations are added:
- Argon2i: time=3 and max. memory for non-interactive scenarios as recommended by the RFC draft https://tools.ietf.org/html/draft-irtf-cfrg-argon2-03#section-9.3
- Argon2id: time=2 and memory=64MB for interactive scenarios as used by libsodium >= 1.0.9 https://download.libsodium.org/doc/password_hashing/the_argon2i_function.html time=1 and max. memory for non-interactive scenarios as recommended by the RFC draft linked above.
Fixes golang/go#23602
Change-Id: Ia4d537e6126e5aff1243f2b5579df6bc8edb851a
Reviewed-on: https://go-review.googlesource.com/91935
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
x/crypto/argon2 implements Argon2d, Argon2i and Argon2id variants but exports Argon2i only. The recommended and primary variant of Argon2 is Argon2id (default in libsodium). Moreover Argon2i is not the safest choice in certain scenarios (two published attacks). I propose to add to the package 3 exported functions (i.e. Argon2d, Argon2i and Argon2id). The Key function will be an alias for Argon2i for backward compatibility.
/cc @aead
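The thread above turns on two things a defender has to get right when Argon2 hashes are stored: which variant was used (Argon2d has no side-channel resistance and is the one x/crypto deliberately keeps unexported) and whether the cost parameters meet the floors the commit message recommends. The following is an added example, not code from x/crypto or from anyone in this thread: it parses the PHC string encoding that the Argon2 reference implementation and libsodium produce (`$argon2id$v=19$m=65536,t=2,p=1$<salt>$<hash>`, unpadded base64) and checks a stored hash against a policy. The policy floors (64 MiB, Argon2id t>=2, Argon2i t>=3) are assumptions taken from the interactive-scenario recommendations in the commit message; the salt and hash bytes in the sample are constructed placeholders, not real Argon2 output, since the example audits stored parameters rather than running Argon2 itself.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Params are the fields of a PHC-encoded Argon2 string:
// "$argon2id$v=19$m=65536,t=2,p=1$<salt>$<hash>" with unpadded base64 salt/hash.
type Params struct {
	Variant string // "argon2d", "argon2i" or "argon2id"
	Version int    // 19 (0x13) for Argon2 v1.3, the only version x/crypto implements
	Memory  uint32 // KiB
	Time    uint32 // passes over memory
	Threads uint8  // lanes
	Salt    []byte
	Hash    []byte
}

// EncodePHC renders parameters plus a salt and hash the caller already holds.
// It does not run Argon2 (hypothetical helper, used here to build sample input).
func EncodePHC(variant string, memory, time uint32, threads uint8, salt, hash []byte) string {
	enc := base64.RawStdEncoding
	return fmt.Sprintf("$%s$v=19$m=%d,t=%d,p=%d$%s$%s", variant, memory, time, threads,
		enc.EncodeToString(salt), enc.EncodeToString(hash))
}

// ParsePHC parses the string form, rejecting anything malformed or incomplete.
func ParsePHC(s string) (*Params, error) {
	parts := strings.Split(s, "$") // leading "$" yields an empty parts[0]
	if len(parts) != 6 || parts[0] != "" {
		return nil, errors.New("argon2: malformed PHC string")
	}
	p := &Params{Variant: parts[1]}
	switch p.Variant {
	case "argon2d", "argon2i", "argon2id":
	default:
		return nil, fmt.Errorf("argon2: unknown variant %q", p.Variant)
	}
	if !strings.HasPrefix(parts[2], "v=") {
		return nil, errors.New("argon2: missing version field")
	}
	v, err := strconv.Atoi(strings.TrimPrefix(parts[2], "v="))
	if err != nil {
		return nil, fmt.Errorf("argon2: bad version: %w", err)
	}
	p.Version = v
	for _, kv := range strings.Split(parts[3], ",") {
		k, val, ok := strings.Cut(kv, "=")
		if !ok {
			return nil, fmt.Errorf("argon2: bad parameter %q", kv)
		}
		n, err := strconv.ParseUint(val, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("argon2: bad value for %s: %w", k, err)
		}
		switch k {
		case "m":
			p.Memory = uint32(n)
		case "t":
			p.Time = uint32(n)
		case "p":
			if n == 0 || n > 255 {
				return nil, errors.New("argon2: parallelism must be 1..255")
			}
			p.Threads = uint8(n)
		default:
			return nil, fmt.Errorf("argon2: unknown parameter %q", k)
		}
	}
	if p.Memory == 0 || p.Time == 0 || p.Threads == 0 {
		return nil, errors.New("argon2: m, t and p are all required and non-zero")
	}
	if p.Salt, err = base64.RawStdEncoding.DecodeString(parts[4]); err != nil {
		return nil, fmt.Errorf("argon2: bad salt: %w", err)
	}
	if p.Hash, err = base64.RawStdEncoding.DecodeString(parts[5]); err != nil {
		return nil, fmt.Errorf("argon2: bad hash: %w", err)
	}
	return p, nil
}

// Policy is the floor a stored hash must meet. Argon2d is never accepted for
// password hashing; the numeric floors are assumptions from the commit message.
type Policy struct {
	MinMemoryKiB    uint32
	MinTimeArgon2i  uint32
	MinTimeArgon2id uint32
}

// InteractivePolicy: 64 MiB, Argon2id t>=2, Argon2i t>=3 (assumed floors).
var InteractivePolicy = Policy{MinMemoryKiB: 64 * 1024, MinTimeArgon2i: 3, MinTimeArgon2id: 2}

// Check returns nil if the parsed hash meets the policy, else the reason it does not.
func Check(p *Params, pol Policy) error {
	if p.Version != 19 {
		return fmt.Errorf("argon2: version %d not supported (x/crypto implements v1.3 only)", p.Version)
	}
	if p.Memory < pol.MinMemoryKiB {
		return fmt.Errorf("argon2: memory %d KiB below floor %d KiB", p.Memory, pol.MinMemoryKiB)
	}
	switch p.Variant {
	case "argon2d":
		return errors.New("argon2: Argon2d is data-dependent; not acceptable for password hashing")
	case "argon2i":
		if p.Time < pol.MinTimeArgon2i {
			return fmt.Errorf("argon2: Argon2i needs t>=%d, got %d", pol.MinTimeArgon2i, p.Time)
		}
	case "argon2id":
		if p.Time < pol.MinTimeArgon2id {
			return fmt.Errorf("argon2: Argon2id needs t>=%d, got %d", pol.MinTimeArgon2id, p.Time)
		}
	}
	return nil
}

func main() {
	// Constructed sample: placeholder salt/hash bytes, not real Argon2 output.
	salt, hash := []byte("0123456789abcdef"), make([]byte, 32)
	for _, s := range []string{
		EncodePHC("argon2id", 64*1024, 2, 1, salt, hash),
		EncodePHC("argon2i", 64*1024, 1, 1, salt, hash),
		EncodePHC("argon2d", 64*1024, 3, 1, salt, hash),
	} {
		p, err := ParsePHC(s)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%-8s m=%d t=%d p=%d -> %v\n", p.Variant, p.Memory, p.Time, p.Threads, Check(p, InteractivePolicy))
	}
}
```

For a non-interactive scenario (key derivation rather than a login path) construct a `Policy` with a larger memory floor and `MinTimeArgon2id: 1`, matching the commit message's second recommendation; the variant rule does not change.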