  • Password Hashing: PBKDF2, Scrypt, Bcrypt and ARGON2
  • Michele Preziuso
  • The Nuggets Translation Project
  • Permanent link to this article: github.com/xitu/gold-m…
  • Translator: Prince Stuart
  • Proofread by xionglong58, GJXAIOU

Password hashing methods: PBKDF2, Scrypt, Bcrypt and ARGON2

There is always a lot of debate about how to store passwords securely and which algorithm to use: MD5, SHA1, SHA256, PBKDF2, Bcrypt, Scrypt, Argon2, or even plaintext?

So I tried to analyze and summarize the reasonable options available today: Scrypt, Bcrypt and Argon2 qualify, while MD5, SHA1 and SHA256 are not suitable for storing passwords! 😉

Summary

In 2015, I posted “Password hashing: PBKDF2, Scrypt, Bcrypt” as an extended answer to my friend’s question.

To summarize:

  • Attackers often have different, more specialized (and more powerful) hardware than we do;
  • An attacker uses specialized hardware because it can be customized for certain algorithms, which lets those algorithms run faster than on non-specialized hardware (CPUs), and, in general, certain algorithms can be parallelized;
  • We rely on slow hashing for passwords so that your CPU/GPU is on a par with the attacker's GPU/FPGA/ASIC.

All of this is still correct, but cryptocurrency mining has taken the competition to another level: with billions of dollars of market capitalization at stake, whoever has the fastest software/hardware implementation of a cryptocurrency's underlying algorithm has an advantage over the other miners and is therefore the most profitable.

Bitcoin uses SHA256 as its underlying hashing method (which can be optimized enormously on dedicated hardware, making it a cryptocurrency that is "unfair" to miners without such hardware), but other cryptocurrency creators have tried to make mining fairer by relying on memory-hard hashing methods: Scrypt is an early example, and Zcash (Equihash) is the most recent.

This means that the slow hashing methods used for password hashing are now also protecting cryptocurrencies with millions or even billions of dollars in market capitalization, which makes it worthwhile to build the fastest possible implementations of these slow hashing methods, and those implementations are often publicly available.

So what is safe today?

The principle remains the same: we need a slow function that has been approved by the crypto community and is still uncracked.

PBKDF2 has been around for a long time and, as discussed in the previous article, it is a bit outdated: it is easy to parallelize on multi-core systems (GPUs), and trivially so on custom systems (FPGAs/ASICs). So I ruled it out.

Although BCrypt was introduced in 1999 and holds up better than PBKDF2 against GPUs/ASICs, I would not recommend it for a new system because it does not perform well in a threat model that includes offline cracking. Some cryptocurrencies rely on it (i.e., NUD), but it has not gained much popularity as a result, and so the FPGA/ASIC community has not been interested enough to build hardware implementations of it. That said, Solar Designer (OpenWall), Malvoni and Knezovic (University of Zagreb) wrote a paper in 2014 describing a single-chip system that uses a mix of ARM/FPGA to attack the algorithm.

SCrypt is a better choice today: it is better designed than BCrypt (especially in terms of memory) and has been working in the field for a decade. On the other hand, it is also used in many cryptocurrencies, and there is hardware (including FPGAs and ASICs) that implements it. Although that hardware is built specifically for mining, it can also be repurposed for cracking.

Argon2

Shortly after writing my first article, Argon2 won the password hashing competition in July 2015.

Password Hashing Competition

The competition was launched in the fall of 2012, and in the first quarter of 2013 the competition panel issued a call for submissions with a deadline at the end of March 2014. As part of the competition, the panelists conducted a thorough review of the submissions and published a preliminary short report describing their selection criteria and rationale.

Introduction

There are two major versions of Argon2: Argon2i is the safest choice against side-channel attacks, and Argon2d is the safest choice against GPU cracking attacks.

The source code is available on GitHub, written in C89-compatible C, licensed under a Creative Commons license, and compiles on most ARM, x86 and x64 hardware.

Implementation based on AES

Argon2 is based on AES, which modern x64 and ARM processors implement in instruction set extensions, significantly narrowing the performance gap between ordinary systems and attacker systems.

Parameter tuning

Both versions of the algorithm can be parameterized:

  • Time cost, which defines the execution time
  • Memory cost, which defines how much memory is used
  • Parallelism, which defines the number of threads

This means that you can adjust these parameters separately and tailor the security constraints to your use case, threat model, and hardware specifications.
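As an added example (not code from the original article or from the Argon2 project), here is how those knobs are handled in practice: the cost parameters are chosen per deployment, stored next to the salt and hash so that older hashes can still be verified, and checked at login so that hashes made under a weaker policy get upgraded. Argon2 is not in the Python standard library, so the block uses hashlib.scrypt instead, whose N, r and p play the same roles as Argon2's memory cost, block size and parallelism (scrypt's working set is 128·r·N bytes, so N fixes both time and memory). The `scrypt$N$r$p$salt$hash` storage string is this example's own format, loosely modelled on the PHC string format, and the DEFAULT_* policy values are assumptions to be calibrated on the real login host.

```python
"""Tuning, storing and upgrading the cost parameters of a memory-hard hash.

Added example, not from the original article or the Argon2 project.
Argon2 is not in the Python standard library, so hashlib.scrypt stands in:
its N, r and p map onto Argon2's memory cost, block size and parallelism.
The "scrypt$N$r$p$salt$hash" string is this example's own storage format.
"""
import base64
import hashlib
import hmac
import os
import time

# Assumed policy for newly created hashes: N=2^14 with r=8 is a 16 MiB
# working set; p=1 keeps a single lane. Calibrate these on the real host.
DEFAULT_N = 2 ** 14
DEFAULT_R = 8
DEFAULT_P = 1
SALT_BYTES = 16
DK_BYTES = 32


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Size of scrypt's V array: 128 * r * N bytes (the memory-hard part)."""
    return 128 * r * n


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # OpenSSL rejects parameters whose working set exceeds maxmem (32 MiB by
    # default), so state the limit explicitly: twice the V array leaves room
    # for the p*128*r block buffer and the two extra blocks it allocates.
    limit = 2 * scrypt_memory_bytes(n, r) + 128 * r * (p + 2)
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=limit, dklen=DK_BYTES)


def hash_password(password: str, n: int = DEFAULT_N, r: int = DEFAULT_R,
                  p: int = DEFAULT_P) -> str:
    """Hash with a fresh random salt; the parameters travel with the hash."""
    salt = os.urandom(SALT_BYTES)
    dk = _derive(password, salt, n, r, p)
    return "$".join(["scrypt", str(n), str(r), str(p), _b64(salt), _b64(dk)])


def _parse(stored: str):
    scheme, n, r, p, salt, dk = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme: " + scheme)
    return int(n), int(r), int(p), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    n, r, p, salt, expected = _parse(stored)
    return hmac.compare_digest(_derive(password, salt, n, r, p), expected)


def needs_rehash(stored: str, n: int = DEFAULT_N, r: int = DEFAULT_R,
                 p: int = DEFAULT_P) -> bool:
    """True if any stored parameter is below the current policy."""
    stored_n, stored_r, stored_p, _, _ = _parse(stored)
    return stored_n < n or stored_r < r or stored_p < p


def measure_seconds(n: int, r: int, p: int) -> float:
    """Wall-clock cost of one derivation; use it to calibrate the policy."""
    start = time.perf_counter()
    _derive("calibration", os.urandom(SALT_BYTES), n, r, p)
    return time.perf_counter() - start


def login(password: str, stored: str) -> tuple:
    """Typical login flow: verify, then transparently upgrade weak hashes."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        stored = hash_password(password)  # only possible while the plaintext is in hand
    return True, stored


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", n=2 ** 10)  # old, weak policy
    ok, record = login("correct horse battery staple", record)
    print(ok, "N is now", record.split("$")[1], "; seconds per hash at policy:",
          round(measure_seconds(DEFAULT_N, DEFAULT_R, DEFAULT_P), 3))
```

To calibrate, run measure_seconds with the policy values on the host that will actually serve logins and raise N until one hash takes as long as the service can tolerate. Because the parameters are stored with each hash, a stricter policy later does not break existing accounts: needs_rehash flags them and login rehashes on the next successful authentication.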

Tradeoff attacks

In addition, Argon2 is particularly resistant to time-memory tradeoff attacks, which makes low-cost attacks on FPGAs more difficult: although recent FPGAs have embedded RAM blocks, memory bandwidth remains a limitation, and to reduce the memory bandwidth Argon2 requires, an attacker has to spend more computing resources.

These and similar attacks are discussed in the specification (see Chapter 5) and in another paper by the same authors, which compares Argon2 with Scrypt.

Argon2id

The following is quoted/paraphrased from the IETF Argon2 Internet-Draft.

Argon2d uses data-dependent memory access, which makes it suitable for cryptocurrencies and proof-of-work applications with no threat of side-channel timing attacks. Argon2i uses data-independent memory access, which is preferred for password hashing. Argon2id works as Argon2i for the first half of the first pass over the memory and as Argon2d for the rest, thus providing both side-channel attack protection and brute-force cost savings due to time-memory tradeoffs. Argon2i makes more passes over the memory to protect from tradeoff attacks.

If you are worried about side-channel attacks (e.g., Rogue Data Cache Load/Spectre, which allow private memory of other processes running on the same hardware to be read through a cache-based side channel), you should use Argon2i; otherwise use Argon2d. If you are not sure, or you are happy with a hybrid approach, use Argon2id to get the best of both worlds.

Conclusion

As of 2019, my advice is not to use PBKDF2 or BCrypt going forward, and I strongly recommend Argon2 (preferably Argon2id) for new systems.

Scrypt is a good choice when Argon2 is unavailable, but keep in mind that it has the same side-channel leakage problem.

If you find any mistakes in the translation or other areas that need improvement, you are welcome to revise the translation and open a PR through the Nuggets Translation Project; you can also earn the corresponding reward points. The permanent link at the beginning of this article is the Markdown link to this article on GitHub.

The Nuggets Translation Project is a community that translates high-quality technical articles from English and shares them on Nuggets. The content covers Android, iOS, front-end, back-end, blockchain, product, design, artificial intelligence and other fields. If you want to see more high-quality translations, please follow the Nuggets Translation Project, its official Weibo account, and its Zhihu column.