nithinmanoj10 / password-SHAck

💼 Password Manager Toolkit

📑 Argon2 #16

Open nithinmanoj10 opened 1 year ago

nithinmanoj10 commented 1 year ago

Literature review for the Key-Derivation Function Argon2

nithinmanoj10 commented 1 year ago

Password hashing is everywhere, from web services' credential storage to mobile and desktop authentication or disk encryption systems. Yet there wasn't an established standard to fulfill the needs of modern applications and to best protect against attackers. The Password Hashing Competition (PHC) was introduced to come up with new state-of-the-art password hashing functions to replace legacy ones. From this competition there was one selected winner: Argon2.

Argon2 is a password-hashing function that summarizes the state of the art in the design of memory-hard functions and can be used to hash passwords for credential storage, key derivation, or other applications. It has a simple design aimed at the highest memory filling rate and effective use of multiple computing units, while still providing defense against tradeoff attacks (by exploiting the cache and memory organization of recent processors). It has better password-cracking resistance (when configured correctly) than PBKDF2, Bcrypt and Scrypt (for similar configuration parameters for CPU and RAM usage).

The Argon2 function has several variants:

  1. Argon2d maximizes resistance to GPU cracking attacks. It accesses the memory array in a password-dependent order, which reduces the possibility of time–memory trade-off (TMTO) attacks, but introduces possible side-channel attacks.
  2. Argon2i is optimized to resist side-channel attacks. It accesses the memory array in a password-independent order.
  3. Argon2id is a hybrid version. It follows the Argon2i approach for the first half pass over memory and the Argon2d approach for subsequent passes. The RFC [4] recommends using Argon2id if you do not know the difference between the types or you consider side-channel attacks to be a viable threat.

Argon2 has the following config parameters:

  1. password p: the password (or message) to be hashed
  2. salt S: random-generated salt (16 bytes recommended for password hashing)
  3. iterations t: number of iterations to perform
  4. memorySizeKB m: amount of memory (in kilobytes) to use
  5. parallelism p: degree of parallelism (i.e. number of threads)
  6. outputKeyLength T: desired number of returned bytes

As of now there is no public cryptanalysis of Argon2d, though two attacks have been conducted on Argon2i. The first attack is applicable only to the old version of Argon2i. According to the Argon2 authors, this attack vector was fixed in version 1.3. While the second has been extended to the latest version (1.3), the Argon2 authors claim that this attack is not efficient if Argon2i is used with three or more passes. They further improved the attack and showed that in order for the attack to fail, Argon2i v1.3 needs more than 10 passes over memory.

When configured properly, Argon2 is considered a highly secure KDF, one of the best available in the industry, so you can use it as a general-purpose password-to-key derivation algorithm, e.g. when encrypting wallets, documents, files or app passwords. In the general case Argon2 is recommended over Scrypt, Bcrypt and PBKDF2.

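As an added example (not part of this issue or of the password-SHAck project), the script below parses stored Argon2 records in the encoded form written by the reference implementation (`$argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<tag>`) and flags records whose variant, memory cost, pass count or salt length fall below a policy; the policy thresholds are an assumption chosen for the example and the sample records are constructed, with filler bytes in place of real salts and hashes.

```python
import base64
import re

# Encoded form written by the reference implementation (standard base64, no '=' padding):
#   $argon2id$v=19$m=65536,t=3,p=4$<base64 salt>$<base64 tag>   (m in KiB, t passes, p lanes)
ENCODED_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))\$v=(?P<v>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<tag>[A-Za-z0-9+/]+)$"
)

# Assumed policy for this example: Argon2id only, >= 64 MiB, >= 3 passes, >= 16-byte salt.
POLICY = {"variant": "argon2id", "min_m_kib": 65536, "min_t": 3, "min_salt_bytes": 16}

def b64_unpadded(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")

def b64_decode_unpadded(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))

def parse_argon2_hash(encoded: str) -> dict:
    match = ENCODED_RE.match(encoded)
    if match is None:
        raise ValueError("not an encoded Argon2 hash")
    params = {k: int(match[k]) for k in ("v", "m", "t", "p")}
    params["variant"] = match["variant"]
    params["salt"] = b64_decode_unpadded(match["salt"])
    params["tag"] = b64_decode_unpadded(match["tag"])
    return params

def check_against_policy(encoded: str, policy: dict = POLICY) -> list:
    """Return the policy violations for one stored record (an empty list means acceptable)."""
    h = parse_argon2_hash(encoded)
    problems = []
    if h["variant"] != policy["variant"]:
        problems.append(f"variant {h['variant']} (expected {policy['variant']})")
    if h["m"] < policy["min_m_kib"]:
        problems.append(f"m={h['m']} KiB below {policy['min_m_kib']}")
    if h["t"] < policy["min_t"]:
        problems.append(f"t={h['t']} below {policy['min_t']}")
    if len(h["salt"]) < policy["min_salt_bytes"]:
        problems.append(f"salt is {len(h['salt'])} bytes, need {policy['min_salt_bytes']}")
    return problems

# Constructed sample records: salt and tag bytes are filler, not real Argon2 output.
SAMPLES = {
    "strong": f"$argon2id$v=19$m=65536,t=3,p=4${b64_unpadded(b'A' * 16)}${b64_unpadded(b'B' * 32)}",
    "low_memory": f"$argon2id$v=19$m=4096,t=3,p=1${b64_unpadded(b'A' * 16)}${b64_unpadded(b'B' * 32)}",
    "argon2i_one_pass": f"$argon2i$v=19$m=65536,t=1,p=1${b64_unpadded(b'A' * 8)}${b64_unpadded(b'B' * 32)}",
}
```

Running `check_against_policy` over every record in a credential store is a cheap way to find rows hashed under older, weaker settings that should be re-hashed at the user's next login.
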
nithinmanoj10 commented 1 year ago

References used

  1. Argon2 Wikipedia
  2. Argon2 Python Application
  3. Password Hashing Competition
  4. Argon2 Source Code
  5. Argon2 Paper