Why using Argon2_d? It is vulnerable agains side-channel attacks

keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.

https://keepassxc.org/

Other

21.26k stars 1.47k forks source link

Why using Argon2_d? It is vulnerable agains side-channel attacks #1619

Closed electrofloat closed 6 years ago

electrofloat commented 6 years ago

Hi!

Here: https://github.com/keepassxreboot/keepassxc/blob/develop/src/crypto/kdf/Argon2Kdf.cpp#L170 Argon2_d is used, but the RFC draft recommends Argon2id: https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/?include_text=1

9.4. Recommendations

The Argon2id variant with t=1 and maximum available memory is recommended as a default setting for all environments. This setting is secure against side-channel attacks and maximizes adversarial costs on dedicated bruteforce hardware.

hifi commented 6 years ago

KeePassXC is fully compatible with KeePass 2 so this question would be better directed at the KeePass developer.

More information here: https://keepass.info/help/kb/kdbx_4.html

electrofloat commented 6 years ago

I see, thanks.

TheZ3ro commented 6 years ago

From KeePass website:

Argon2d variant of Argon2 is supported (a strong defense against GPU/ASIC cracking attacks is the most important goal, and Argon2d here is better than Argon2i; side-channel timing attacks are basically irrelevant, because KeePass is a local application, not a remote server).