Choose Argon2 Parameters for Secure Password Hashing and Login (2024)

At Ory we develop open source access control and user management software. This guide sums up all the security best practices we follow and developed around Argon2. It first provides some background on Argon2 and best practice for choosing its parameters. I also wrote a CLI that allows you to calibrate the Argon2 parameter values according to your constraints and resources.

Argon2 - Secure Login and Password Hashing

To securely manage credentials, one should store only a cryptographic hash of the credential. Whenever the credential has to be checked, the hash of the provided credential is computed and compared to the stored hash. This ensures that no one is able to retrieve the credentials, even with full access to the system's storage.

Argon2 is a cryptographic hash algorithm specifically designed to secure passwords. It is recommended by OWASP in the Argon2id variant as a modern, secure and flexible algorithm. This flexibility means that one has to choose some parameters, which is probably the reason why you are reading this article.

Argon2's Cryptographic Password Hashing Parameters

Let me introduce you to the parameters and explain their role in the hashing operation. This section is based on the paper Argon2: the memory-hard function for password hashing and other applications.

  1. Memory: The memory used by the algorithm. To make hash cracking more expensive for an attacker, you want to make this value as high as possible.
  2. Iterations: The number of iterations over the memory. The execution time correlates linearly with this parameter. It allows you to increase the computational cost required to calculate one hash.
  3. Parallelism: The number of threads to use. This should be chosen as high as possible to reduce the threat posed by parallelized hash cracking.
  4. Salt Length: The authors of Argon2 recommend this parameter to be 128 bits, but say it can be reduced to 64 bits in the case of space constraints.
  5. Key Length (i.e. Hash Length): This parameter depends on the intended usage. The Argon2 algorithm authors claim that a value of 128 bits should be sufficient for most applications. If you plan to use the hash as a derived key for e.g. AES, you can use this parameter to get a key of the required length.

Choose the Right Argon2 Parameters

Now that we know the parameters, we can start to determine the exact values. Start with the fixed parameters. The degree of parallelism should be twice the amount of available CPU cores dedicated to hashing. Choose a salt length and key length of 128 bits unless you have a strict space constraint or require longer keys.

Login Time Versus Security

Our goal is to tune the parameters so that a single hashing operation takes an acceptable amount of time. Here, user experience is in conflict with security, and, even in the interest of users, security should win out. For frontend applications the execution time should be at least 0.5s, but you should strive to make it 1s. Backend authentication can take a bit longer, but that depends on your use case. Have a look in the Argon2 specification paper to get some recommended durations for different applications.

Adjust Memory and Iterations Parameters

To reach the desired execution time, you can tweak two variables. It is recommended to start with the highest amount of memory possible and one iteration. Reduce the memory until one hashing operation takes less than your desired duration. Next, increase the number of iterations to approach the desired execution time as closely as possible.
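The procedure above (fix parallelism, salt and key length, then reduce memory, then raise iterations) as a Python sketch added here; it is not Ory's code and not the Kratos calibrate command. Real timings assume the argon2-cffi package; the linear cost model is a constructed stand-in so the calibration loop runs offline.

```python
import time
from dataclasses import dataclass
from typing import Callable

# Timer(memory_kib, iterations, parallelism) -> seconds for one hash.
Timer = Callable[[int, int, int], float]


@dataclass
class Argon2Params:
    memory_kib: int
    iterations: int
    parallelism: int
    salt_length: int = 16  # bytes; 128 bits, as the article recommends
    key_length: int = 16   # bytes; 128 bits unless a longer derived key is needed


def calibrate(target_s: float, max_memory_kib: int, parallelism: int,
              timer: Timer, min_memory_kib: int = 8 * 1024) -> Argon2Params:
    """Memory first, then iterations, following the article's procedure."""
    memory, iterations = max_memory_kib, 1
    # Step 1: start at the memory ceiling with one pass and halve memory until a
    # single hash finishes within the target (halving is this example's choice).
    while timer(memory, iterations, parallelism) > target_s and memory > min_memory_kib:
        memory = max(memory // 2, min_memory_kib)
    # Step 2: add passes as long as the next one still fits inside the target.
    while timer(memory, iterations + 1, parallelism) <= target_s:
        iterations += 1
    return Argon2Params(memory, iterations, parallelism)


def argon2id_timer(memory_kib: int, iterations: int, parallelism: int) -> float:
    """Real measurement; needs argon2-cffi (assumed dependency, imported lazily)."""
    from argon2.low_level import Type, hash_secret_raw
    salt = b"\x00" * 16  # fixed salt is fine for timing only, never for storage
    start = time.perf_counter()
    hash_secret_raw(b"calibration-password", salt, iterations, memory_kib,
                    parallelism, 16, Type.ID)
    return time.perf_counter() - start


def model_timer(seconds_per_kib_pass: float = 1e-6) -> Timer:
    """Constructed linear cost model (about 1 s per GiB-pass) for offline runs."""
    return lambda memory_kib, iterations, _parallelism: memory_kib * iterations * seconds_per_kib_pass


if __name__ == "__main__":
    # Plenty of memory available: memory is reduced and one pass suffices.
    print(calibrate(1.0, 4 * 1024 * 1024, 8, model_timer()))
    # Memory capped at 64 MiB: iterations are raised to fill the time budget.
    print(calibrate(0.5, 64 * 1024, 8, model_timer()))
```

Swap `model_timer()` for `argon2id_timer` to calibrate against real Argon2id on the machine that will serve logins.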

Use Open Source to Choose Recommended Parameters

If the previous paragraph sounds like an algorithm to you, then you are absolutely right. We wrote a small CLI helper that allows you to run this procedure in an automated manner. It is part of our user management system Ory Kratos. You can use the prebuilt binary from GitHub releases or the docker image to run the CLI on your server and figure out the best values for your setup. It is as easy as running:

$ kratos hashers argon2 calibrate 1s

Or using docker:

$ docker run -it --entrypoint kratos oryd/kratos:v0.5 hashers argon2 calibrate 1s

The CLI allows you to set all your constraints; just have a look at all the options using the --help flag. An exemplary output could be:

{
  "memory": 1048576,  # = 1GB in KB
  "iterations": 2,
  "parallelism": 8,
  "salt_length": 16,  # in bytes
  "key_length": 32    # in bytes
}

Conclusion

This article is purposely brief and aims to be an introduction and reference for developers that want to use the Argon2 password hashing algorithm for implementing secure login. Check out the Ory Kratos open source project if you are looking for a login, registration, 2FA and profile management system where you can bring your own UI!


Article information

Author: Annamae Dooley