Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding RFC 9106 cost profiles? #8

Open
fnordfish opened this issue Nov 27, 2024 · 5 comments
Open

Adding RFC 9106 cost profiles? #8

fnordfish opened this issue Nov 27, 2024 · 5 comments

Comments

@fnordfish
Copy link

RFC 9106 describes different default profiles depending on available memory:

If a uniformly safe option that is not tailored to your application or hardware is acceptable, select Argon2id with t=1 iteration, p=4 lanes, m=2^(21) (2 GiB of RAM), 128-bit salt, and 256-bit tag size. This is the FIRST RECOMMENDED option.

If much less memory is available, a uniformly safe option is Argon2id with t=3 iterations, p=4 lanes, m=2^(16) (64 MiB of RAM), 128-bit salt, and 256-bit tag size. This is the SECOND RECOMMENDED option.

Apart from the memory cost factors, they differ from the OWASP recommendation using p=4 lanes.

Also, for testing, it might be useful to have a pre-configured cheapest option with t=1, m=2^3, p=1
@mudge
Copy link
Owner

mudge commented Nov 27, 2024

As there are several competing recommendations, I wanted to avoid over-specifying the various parameters (aside from picking the OWASP recommendation as a safe default that traded-off RAM usage with CPU to accommodate use in memory-constrained environments such as cheap web VMs).

What were you imagining, a new :profile argument much like Ruby Argon2's named cost profiles?

@fnordfish
Copy link
Author

I understand, adding options to choose from invites confusion and misconfiguration.

I was imagining providing some simple constants that could splat into Argon2id::Password.create like:

Argon2id::Password.create("opensesame", **Argon2id::RFC_9106_LOW_MEM)

I think, that's whats Argon2 is doing behind the scenes as well.

Since Argin2id can be globally configured, Argon2id.rfc_9106_low_mem! would fit more than a :profile argument?

@mudge
Copy link
Owner

mudge commented Nov 27, 2024

I like the suggestion of the constants that can be passed as keyword arguments to Argon2id::Password.create but let me think about the methods on Argon2id that update all the defaults.

I wonder if we can avoid having a “dangerous” method per profile and have a more generic method that takes each parameter as a keyword so you can call it like Argon2id.some_method_name_here(**Argon2id::RFC_9106_LOW_MEM).

mudge added a commit that referenced this issue Nov 28, 2024
@mudge
Provide preset parameters for RFC 9106
347bb4d 
GitHub: #8

Allow users to choose from recommended parameters from RFC 9106 and the
OWASP Password Storage Cheat Sheet by providing them as constants on
`Argon2id`.

To allow users to use this as defaults without having to pass them to
every call to `Argon2id::Password.create`, add a new
`Argon2id.set_defaults` (and corresponding `Argon2id.defaults`) method
for setting multiple parameters at once.
@mudge mudge mentioned this issue Nov 28, 2024
Draft
@mudge
Copy link
Owner

mudge commented Nov 28, 2024
edited
Loading

I've raised a draft PR in #9 that provides these new parameter presets as well as a new Argon2id.set_defaults API for setting all parameters at once, e.g.

Argon2id.set_defaults(**Argon2id::RFC_9106_HIGH_MEMORY)

Please let me know what you think.

mudge added a commit that referenced this issue Nov 28, 2024
@mudge
Provide preset parameters for RFC 9106
730ee03 
GitHub: #8

Allow users to choose from recommended parameters from RFC 9106 and the
OWASP Password Storage Cheat Sheet by providing them as constants on
`Argon2id`.

To allow users to use this as defaults without having to pass them to
every call to `Argon2id::Password.create`, add a new
`Argon2id.set_defaults` method for setting multiple parameters at once.
Note that `Argon2id.set_defaults` returns `nil` as it is purely for
side-effects only.
mudge added a commit that referenced this issue Nov 29, 2024
@mudge
Provide preset parameters for RFC 9106
b01ecae 
GitHub: #8

Allow users to choose from recommended parameters from RFC 9106 and the
OWASP Password Storage Cheat Sheet by providing them as constants on
`Argon2id`.

To allow users to use this as defaults without having to pass them to
every call to `Argon2id::Password.create`, add a new
`Argon2id.set_defaults` method for setting multiple parameters at once.
Note that `Argon2id.set_defaults` returns `nil` as it is purely for
side-effects only.
@fnordfish
Copy link
Author

Sorry for the late reply. Looks nice!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mudge @fnordfish