Argon2 for both password storage and key derivation
Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.
The basic concept is something like this:
Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.
$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$
Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.
$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$
- Should the secret data be encrypted with Alice's raw password?
- Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?
You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.
Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.
Thanks in advance.
password-hashing password-based-encryption argon2
New contributor
|
show 1 more comment
Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.
The basic concept is something like this:
Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.
$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$
Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.
$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$
- Should the secret data be encrypted with Alice's raw password?
- Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?
You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.
Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.
Thanks in advance.
password-hashing password-based-encryption argon2
New contributor
The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
– kelalaka
8 hours ago
The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
– John
8 hours ago
There is a small calculation here
– kelalaka
8 hours ago
Nice. That pretty much means that a bruteforce attack is not even feasible.
– John
7 hours ago
But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
– kelalaka
7 hours ago
|
show 1 more comment
Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.
The basic concept is something like this:
Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.
$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$
Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.
$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$
- Should the secret data be encrypted with Alice's raw password?
- Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?
You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.
Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.
Thanks in advance.
password-hashing password-based-encryption argon2
New contributor
Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.
The basic concept is something like this:
Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.
$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$
Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.
$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$
- Should the secret data be encrypted with Alice's raw password?
- Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?
You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.
Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.
Thanks in advance.
password-hashing password-based-encryption argon2
password-hashing password-based-encryption argon2
New contributor
New contributor
edited 7 hours ago
Ella Rose♦
15k44179
15k44179
New contributor
asked 8 hours ago
John
236
236
New contributor
New contributor
The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
– kelalaka
8 hours ago
The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
– John
8 hours ago
There is a small calculation here
– kelalaka
8 hours ago
Nice. That pretty much means that a bruteforce attack is not even feasible.
– John
7 hours ago
But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
– kelalaka
7 hours ago
|
show 1 more comment
The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
– kelalaka
8 hours ago
The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
– John
8 hours ago
There is a small calculation here
– kelalaka
8 hours ago
Nice. That pretty much means that a bruteforce attack is not even feasible.
– John
7 hours ago
But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
– kelalaka
7 hours ago
The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
– kelalaka
8 hours ago
The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
– kelalaka
8 hours ago
The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
– John
8 hours ago
The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
– John
8 hours ago
There is a small calculation here
– kelalaka
8 hours ago
There is a small calculation here
– kelalaka
8 hours ago
Nice. That pretty much means that a bruteforce attack is not even feasible.
– John
7 hours ago
Nice. That pretty much means that a bruteforce attack is not even feasible.
– John
7 hours ago
But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
– kelalaka
7 hours ago
But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
– kelalaka
7 hours ago
|
show 1 more comment
2 Answers
2
active
oldest
votes
Should the secret data be encrypted with Alice's raw password?
As a general rule of thumb:
A password should only ever be feeded into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!
There are multiple reasons for this:
- Passwords need special processing in the form of complexity parameters.
- Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.
- Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.
- Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.
Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?
Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.
The idea behind this is:
- If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.
- If you don't expose intermediate values, you effectively created a new composite hashing scheme.
- If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".
The rest is similar to smrt28's answer:
- Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.
- Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.
Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
– John
4 hours ago
1
@John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
– Gilles
4 hours ago
Ah, thank you for the explanation. I get it now.
– John
4 hours ago
Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
3 hours ago
add a comment |
Try to think like a hacker...
Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.
If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.
If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.
If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.
IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.
That's what I thought. Thanks.
– John
7 hours ago
Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
7 hours ago
2
I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
7 hours ago
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
John is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66161%2fargon2-for-both-password-storage-and-key-derivation%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Should the secret data be encrypted with Alice's raw password?
As a general rule of thumb:
A password should only ever be feeded into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!
There are multiple reasons for this:
- Passwords need special processing in the form of complexity parameters.
- Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.
- Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.
- Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.
Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?
Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.
The idea behind this is:
- If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.
- If you don't expose intermediate values, you effectively created a new composite hashing scheme.
- If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".
The rest is similar to smrt28's answer:
- Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.
- Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.
Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
– John
4 hours ago
1
@John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
– Gilles
4 hours ago
Ah, thank you for the explanation. I get it now.
– John
4 hours ago
Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
3 hours ago
add a comment |
Should the secret data be encrypted with Alice's raw password?
As a general rule of thumb:
A password should only ever be feeded into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!
There are multiple reasons for this:
- Passwords need special processing in the form of complexity parameters.
- Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.
- Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.
- Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.
Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?
Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.
The idea behind this is:
- If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.
- If you don't expose intermediate values, you effectively created a new composite hashing scheme.
- If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".
The rest is similar to smrt28's answer:
- Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.
- Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.
Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
– John
4 hours ago
1
@John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
– Gilles
4 hours ago
Ah, thank you for the explanation. I get it now.
– John
4 hours ago
Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
3 hours ago
add a comment |
Should the secret data be encrypted with Alice's raw password?
As a general rule of thumb:
A password should only ever be feeded into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!
There are multiple reasons for this:
- Passwords need special processing in the form of complexity parameters.
- Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.
- Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.
- Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.
Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?
Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.
The idea behind this is:
- If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.
- If you don't expose intermediate values, you effectively created a new composite hashing scheme.
- If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".
The rest is similar to smrt28's answer:
- Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.
- Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.
Should the secret data be encrypted with Alice's raw password?
As a general rule of thumb:
A password should only ever be feeded into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!
There are multiple reasons for this:
- Passwords need special processing in the form of complexity parameters.
- Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.
- Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.
- Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.
Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?
Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.
The idea behind this is:
- If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.
- If you don't expose intermediate values, you effectively created a new composite hashing scheme.
- If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".
The rest is similar to smrt28's answer:
- Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.
- Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.
answered 5 hours ago
SEJPM♦
28.2k553132
28.2k553132
Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
– John
4 hours ago
1
@John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
– Gilles
4 hours ago
Ah, thank you for the explanation. I get it now.
– John
4 hours ago
Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
3 hours ago
add a comment |
Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
– John
4 hours ago
1
@John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
– Gilles
4 hours ago
Ah, thank you for the explanation. I get it now.
– John
4 hours ago
Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
3 hours ago
Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
– John
4 hours ago
Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
– John
4 hours ago
1
1
@John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
– Gilles
4 hours ago
@John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
– Gilles
4 hours ago
Ah, thank you for the explanation. I get it now.
– John
4 hours ago
Ah, thank you for the explanation. I get it now.
– John
4 hours ago
Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
3 hours ago
Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
3 hours ago
add a comment |
Try to think like a hacker...
Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.
If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.
If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.
If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.
IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.
That's what I thought. Thanks.
– John
7 hours ago
Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
7 hours ago
2
I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
7 hours ago
add a comment |
Try to think like a hacker...
Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.
If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.
If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.
If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.
IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.
That's what I thought. Thanks.
– John
7 hours ago
Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
7 hours ago
2
I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
7 hours ago
add a comment |
Try to think like a hacker...
Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.
If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.
If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.
If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.
IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.
Try to think like a hacker...
Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.
If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.
If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.
If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.
IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.
answered 7 hours ago
smrt28
52146
52146
That's what I thought. Thanks.
– John
7 hours ago
Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
7 hours ago
2
I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
7 hours ago
add a comment |
That's what I thought. Thanks.
– John
7 hours ago
Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
7 hours ago
2
I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
7 hours ago
That's what I thought. Thanks.
– John
7 hours ago
That's what I thought. Thanks.
– John
7 hours ago
Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
7 hours ago
Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
7 hours ago
2
2
I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
7 hours ago
I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
7 hours ago
add a comment |
John is a new contributor. Be nice, and check out our Code of Conduct.
John is a new contributor. Be nice, and check out our Code of Conduct.
John is a new contributor. Be nice, and check out our Code of Conduct.
John is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66161%2fargon2-for-both-password-storage-and-key-derivation%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
– kelalaka
8 hours ago
The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
– John
8 hours ago
There is a small calculation here
– kelalaka
8 hours ago
Nice. That pretty much means that a bruteforce attack is not even feasible.
– John
7 hours ago
But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
– kelalaka
7 hours ago