
Inconsistent advice for key derivation #118

Closed
hexagonrecursion opened this issue Mar 21, 2022 · 5 comments

Comments

@hexagonrecursion

This tells me argon2i is the preferred type for password-based key derivation:

Argon2i
uses data-independent memory access, which is preferred for password hashing and password-based key derivation.
Argon2i is slower as it makes more passes over the memory to protect from tradeoff attacks.

This tells me argon2id is preferred:

ID = lib.Argon2_id
r"""
Argon2\ **id** is a hybrid of Argon2i and Argon2d, using a combination of
data-depending and data-independent memory accesses, which gives some of
Argon2i's resistance to side-channel cache timing attacks and much of
Argon2d's resistance to GPU cracking attacks.
That makes it the preferred type for password hashing and password-based
key derivation.

The argon2 paper appears to recommend argon2i (emphasis mine):

8 Applications
Argon2d is optimized for settings where the adversary does not get regular access to system memory or CPU,
i.e. he can not run side-channel attacks based on the timing information, nor he can recover the password much
faster using garbage collection [7]. These settings are more typical for backend servers and cryptocurrency
minings. For practice we suggest the following settings:
• Cryptocurrency mining, that takes 0.1 seconds on a 2 GHz CPU using 1 core — Argon2d with 2 lanes and
250 MB of RAM;
• Backend server authentication, that takes 0.5 seconds on a 2 GHz CPU using 4 cores — Argon2d with 8
lanes and 4 GB of RAM.
Argon2i is optimized for more dangerous settings, where the adversary possibly can access the same machine,
use its CPU or mount cold-boot attacks. We use three passes to get rid entirely of the password in the memory.
We suggest the following settings:
• Key derivation for hard-drive encryption, that takes 3 seconds on a 2 GHz CPU using 2 cores — Argon2i
with 4 lanes and 6 GB of RAM;
• Frontend server authentication, that takes 0.5 seconds on a 2 GHz CPU using 2 cores — Argon2i with 4
lanes and 1 GB of RAM.

@hexagonrecursion (Author)

Ideally you would cite the source you got the advice from

@hynek (Owner)

hynek commented Mar 21, 2022

The paper is outdated and the argon2.rst quote is technically true, but unfortunate so I will try to reword it. The actual recommendations are in https://argon2-cffi.readthedocs.io/en/stable/parameters.html that recommends 2id and cites the source too: RFC 9106.
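For readers who land here looking for what the parameters page actually recommends in code: the following is an added example, written for this thread, not code from the issue, from argon2-cffi's documentation or from borgbackup. It uses the library's real low-level call `argon2.low_level.hash_secret_raw` with the RFC 9106 "second recommended" parameter set (Argon2id, t=3, m=64 MiB, p=4, 16-byte salt, 32-byte key); that set is chosen here instead of the 2 GiB first option only so the example runs quickly. The password and salt values, the `derive_key`/`keys_by_type`/`new_salt` names and the refusal of salts shorter than 16 bytes are this example's own choices, not the library's.

```python
"""Added example: password-based key derivation with argon2-cffi.

Not code from the issue or from argon2-cffi's docs. It uses the library's
low-level API (argon2.low_level.hash_secret_raw) with the RFC 9106 "second
recommended" parameter set: Argon2id, t=3, m=64 MiB, p=4, 16-byte salt,
32-byte tag. The first recommended option is t=1, m=2 GiB, p=4.
"""
import secrets

from argon2.low_level import ARGON2_VERSION, Type, hash_secret_raw

# RFC 9106, Section 4, second recommended option (memory-constrained hosts).
TIME_COST = 3              # passes over memory
MEMORY_COST_KIB = 64 * 1024  # 2^16 KiB = 64 MiB
PARALLELISM = 4            # lanes
SALT_LEN = 16              # 128-bit salt
KEY_LEN = 32               # 256-bit tag, e.g. an AES-256 or XChaCha20 key


def derive_key(password: bytes, salt: bytes, *, kind: Type = Type.ID,
               key_len: int = KEY_LEN) -> bytes:
    """Derive a raw key (bytes, not an encoded "$argon2...$" string).

    Type.ID is the default because it is what RFC 9106 and the argon2-cffi
    parameters page recommend for password hashing and key derivation;
    Type.I and Type.D are accepted only so the effect of the choice is visible.
    """
    if len(salt) < SALT_LEN:
        # Example's own policy: RFC 9106 says 16 bytes is sufficient for all
        # applications, so shorter salts are refused instead of silently used.
        raise ValueError(f"salt must be at least {SALT_LEN} bytes")
    return hash_secret_raw(
        secret=password,
        salt=salt,
        time_cost=TIME_COST,
        memory_cost=MEMORY_COST_KIB,
        parallelism=PARALLELISM,
        hash_len=key_len,
        type=kind,
        version=ARGON2_VERSION,
    )


def keys_by_type(password: bytes, salt: bytes) -> dict[str, bytes]:
    """Run the same password and salt through Argon2d, Argon2i and Argon2id.

    The type is part of the parameter set: a key derived with Argon2i (the
    old doc wording) cannot be reproduced with Argon2id (the current
    recommendation), so a deployment has to pin the type alongside t, m, p.
    """
    return {t.name: derive_key(password, salt, kind=t)
            for t in (Type.D, Type.I, Type.ID)}


def new_salt() -> bytes:
    """Fresh random salt for each derived key; store it next to the ciphertext."""
    return secrets.token_bytes(SALT_LEN)


if __name__ == "__main__":
    # Constructed demo inputs; a real salt comes from new_salt().
    pw = b"correct horse battery staple"
    salt = bytes(range(SALT_LEN))
    for name, key in keys_by_type(pw, salt).items():
        print(f"Argon2{name.lower():<3} {key.hex()}")
```

The keys are deterministic for a fixed (password, salt, type, t, m, p, version) tuple, which is exactly why the type has to be recorded with the other parameters: changing the default from Argon2i to Argon2id in a deployed system silently breaks decryption of anything keyed under the old type.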

@hynek (Owner)

hynek commented Mar 21, 2022

do you find 06a4a5b helpful?

@hexagonrecursion (Author)

hexagonrecursion commented Mar 21, 2022

I have submitted a PR in phc-winner-argon2 to add a link to the RFC because the PDF gives outdated advice.

@ThomasWaldmann

ThomasWaldmann commented Mar 21, 2022

@hynek thanks for updating the docs, much better now!

as you've seen, we'll use argon2-cffi in borgbackup, thanks for writing it! \o/
