Password Hashing Security Using Scrypt & Argon2


I am developing an app where the following cryptographic system will be in place:

  • Elliptic Curve key exchange (curve: secp521r1)
  • Double Scrypt the shared secret with different salts
  • Pass this result through Argon2 with another salt
  • Encrypt the data using AES 256 and the key from Argon2 (and an IV)

I was wondering whether, at the password hashing and KDF stage, there were any weaknesses in using double Scrypt and then Argon2? If so, what would be the solution to improve the security of the hashing? Thanks
password-hashing scrypt argon2

asked Jul 7 at 7:15 by SamG101, edited Jul 7 at 15:30
  • Are you applying Argon2 on a random key from key exchange? That seems pointless. You should have sufficient randomness in the key to begin with; if it just comes out the wrong shape, a simple fast hashing algorithm will bring it to the size you want for an AES key. KISS – Meir Maor, Jul 7 at 9:36

  • @SamG101 When we start learning about cryptography we tend to make two common mistakes: first, "I can invent my own stuff that will be amazing" (amazing to us), and secondly, "more is better and more complex is better". Strike two. – Patriot, Jul 8 at 4:23

  • @Meir Maor, OK, I will use SHA-3 to convert the shared secret into the correct format for AES encryption, as it is a fast hashing algorithm. However, SHA-3 doesn't produce the correct length key, so is it advised to truncate a hash or use an HKDF to produce a key of the correct size? Cheers – SamG101, Jul 13 at 13:29

  • You can safely truncate SHA-3 for the purpose of producing an encryption key provided the input for SHA-3 had sufficient entropy to it (at least the size of the key), and in your case that should be the case. – Meir Maor, Jul 13 at 14:36

2 Answers
This home-made construction is pointless and unnecessarily complex. Complexity is often the source of vulnerabilities. In this case, for example, I’ll wager you’re not securely handling the intermediate variables as you chain the multiple password hashes together.

Simply use Argon2 only and increase the work factors. “Double scrypt” is fairly meaningless as scrypt also has work factor parameters which can simply be increased.

answered Jul 7 at 8:55 by rmalayter

  • Why should they pass the output of a key agreement process to Argon2 instead of something like HKDF? Even if passwords were the source of secrecy in the private ECC keys, then using Argon2 on the shared secret is still applying password hashing to the wrong part of the process. – Ella Rose, Jul 7 at 15:31

  • Although I upvoted this answer, I just noticed now that it's wrong. OP does not need to "simply use Argon2". As @EllaRose says, he should be using HKDF if he needs a KDF, not a PBKDF. – forest, Jul 8 at 0:41

  • I too upvoted and am not removing my vote, despite the current situation where your answer (@forest) below is better and has a significantly lower score. I wouldn't say the answer here is wrong, but it catches only part of the mistake. – Meir Maor, Jul 8 at 6:51

  • I assumed the “shared secret” was a password used for authenticating the key exchange, not the result of the key exchange. I guess I misunderstood the home-grown protocol. If there’s no authentication of the KEX, that’s another major problem. – rmalayter, Jul 8 at 21:52

  • @rmalayter (replying to comment): When Alice wishes to communicate with Bob, she will generate ephemeral ECC keys. Her ephemeral public key will be signed with her permanent private key. This will be known to Bob, so he can verify Alice's ephemeral public key. I am using ephemeral ECC keys to maintain forward secrecy. – SamG101, Jul 13 at 13:26

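The comments on the question (Meir Maor and SamG101 on truncating SHA-3 versus using an HKDF) and the comments on this answer (Ella Rose and forest recommending HKDF over Argon2 for a key-agreement output) describe the same fix, so one added example covers both. It is not code from the question, from this answer or from any commenter. It implements HKDF with SHA-256 as specified in RFC 5869 on top of Python's standard library and uses a constructed 66-byte random value in place of a secp521r1 shared secret (no key exchange is performed); `derive_aes_key`, `sha3_truncated_key` and the `info` labels are this example's own names and choices.

```python
import hashlib
import hmac
import os

AES_256_KEY_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM).

    The salt is optional and need not be secret; RFC 5869 treats an absent
    salt as HashLen zero bytes, which is what the fallback below does.
    """
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("HKDF output length must be in 1..255*HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Full HKDF: extract a PRK from the input keying material, then expand it."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def derive_aes_key(shared_secret: bytes, context: bytes, salt: bytes = b"") -> bytes:
    """Map a high-entropy key-agreement output to one 32-byte AES-256 key.

    `context` is an application-chosen label (the HKDF `info`); a different
    label per purpose yields independent keys from the same secret. There is
    no slow password-hashing step: the input is already uniformly random.
    """
    return hkdf(shared_secret, salt, context, AES_256_KEY_LEN)


def sha3_truncated_key(shared_secret: bytes) -> bytes:
    """The simpler option from the comments: one fast hash, truncated to key size."""
    return hashlib.sha3_512(shared_secret).digest()[:AES_256_KEY_LEN]


if __name__ == "__main__":
    # Constructed stand-in for a secp521r1 ECDH shared secret (66 random bytes);
    # this example performs no key exchange.
    shared_secret = os.urandom(66)
    # The labels below are this example's own; any fixed, purpose-specific string works.
    enc_key = derive_aes_key(shared_secret, b"example-app v1: aes-256 data key")
    mac_key = derive_aes_key(shared_secret, b"example-app v1: mac key")
    print("enc key:", enc_key.hex())
    print("mac key:", mac_key.hex())
```

The `info` argument is the part worth keeping: deriving the data-encryption key and any MAC key from the same secret under different labels keeps them independent without a second key exchange. Neither path adds a memory-hard step, because the input already has the entropy that scrypt and Argon2 exist to compensate for.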
You are using the KDF wrong. The only purpose of Argon2 and scrypt (and related constructions like bcrypt and PBKDF2) is to slow down dictionary and brute force attacks against passwords created by humans. Using it on a randomly generated key exchanged using ECC is improper as the key is strong.



You are using salts wrong. The purpose of a salt is to mitigate rainbow table attacks and make parallel attacks against multiple users' passwords more difficult. It is not a magic dust that you sprinkle on your cryptosystem to make it more secure. For a randomly generated key, you don't need a salt.



This is why it's so important to use a ready-made library that does all this for you.






  • OK, so I should just use a fast hashing algorithm (like SHA-3) to convert the shared secret from the ECC key exchange into the correct format for the AES encryption? – SamG101, Jul 8 at 7:35

  • @SamG101 Yes, SHA-3 (or SHA-2) are fine. You only ever want Argon2 for user passwords. – forest, Jul 8 at 7:36

  • Ah OK, so I would only use Argon2 if I was storing passwords of login accounts in a database, for example? – SamG101, Jul 8 at 7:39

  • @SamG101 Yes, or if you were deriving a disk or file encryption key from a user password. – forest, Jul 8 at 7:39

5
















$begingroup$

You are using the KDF wrong. The only purpose of Argon2 and scrypt (and related constructions like bcrypt and PBKDF2) is to slow down dictionary and brute force attacks against passwords created by humans. Using it on a randomly generated key exchanged using ECC is improper as the key is strong.



You are using salts wrong. The purpose of a salt is to mitigate rainbow table attacks and make parallel attacks against multiple users' passwords more difficult. It is not a magic dust that you sprinkle on your cryptosystem to make it more secure. For a randomly generated key, you don't need a salt.



This is why it's so important to use a ready-made library that does all this for you.






share|improve this answer










$endgroup$














  • $begingroup$
    Ok, so I should just use a fast hashing algorithm (like sha3) to convert the shared secret from the ECC key exchange into the correct format for the AES encryption
    $endgroup$
    – SamG101
    Jul 8 at 7:35










  • $begingroup$
    @SamG101 Yes, SHA-3 (or SHA-2) are fine. You only ever want Argon2 for user passwords.
    $endgroup$
    – forest
    Jul 8 at 7:36











  • $begingroup$
    Ah ok, so I would only use Argon2 for if I was storing passwords of login accounts in a database for example
    $endgroup$
    – SamG101
    Jul 8 at 7:39










  • $begingroup$
    @SamG101 Yes, or if you were deriving a disk or file encryption key from a user password.
    $endgroup$
    – forest
    Jul 8 at 7:39













5














5










5







$begingroup$

You are using the KDF wrong. The only purpose of Argon2 and scrypt (and related constructions like bcrypt and PBKDF2) is to slow down dictionary and brute force attacks against passwords created by humans. Using it on a randomly generated key exchanged using ECC is improper as the key is strong.



You are using salts wrong. The purpose of a salt is to mitigate rainbow table attacks and make parallel attacks against multiple users' passwords more difficult. It is not a magic dust that you sprinkle on your cryptosystem to make it more secure. For a randomly generated key, you don't need a salt.



This is why it's so important to use a ready-made library that does all this for you.






share|improve this answer










$endgroup$



You are using the KDF wrong. The only purpose of Argon2 and scrypt (and related constructions like bcrypt and PBKDF2) is to slow down dictionary and brute force attacks against passwords created by humans. Using it on a randomly generated key exchanged using ECC is improper as the key is strong.



You are using salts wrong. The purpose of a salt is to mitigate rainbow table attacks and make parallel attacks against multiple users' passwords more difficult. It is not a magic dust that you sprinkle on your cryptosystem to make it more secure. For a randomly generated key, you don't need a salt.



This is why it's so important to use a ready-made library that does all this for you.







share|improve this answer













share|improve this answer




share|improve this answer










answered Jul 8 at 0:37
forest

8,447 reputation · 1 gold badge · 29 silver badges · 62 bronze badges

  • $begingroup$
    Ok, so I should just use a fast hashing algorithm (like sha3) to convert the shared secret from the ECC key exchange into the correct format for the AES encryption
    $endgroup$
    – SamG101
    Jul 8 at 7:35

  • $begingroup$
    @SamG101 Yes, SHA-3 (or SHA-2) are fine. You only ever want Argon2 for user passwords.
    $endgroup$
    – forest
    Jul 8 at 7:36

  • $begingroup$
    Ah ok, so I would only use Argon2 if I was storing passwords of login accounts in a database, for example
    $endgroup$
    – SamG101
    Jul 8 at 7:39

  • $begingroup$
    @SamG101 Yes, or if you were deriving a disk or file encryption key from a user password.
    $endgroup$
    – forest
    Jul 8 at 7:39
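The distinction forest's answer and the comments draw, as an added example that is not part of the original answer: a high-entropy ECDH output is turned into an AES key with a fast hash-based KDF (HKDF over HMAC-SHA-256 here, no salt needed), while a human-chosen login password goes through a slow, memory-hard KDF with a random per-user salt (scrypt from the Python standard library stands in for Argon2). The "shared secret" is a constructed random value, and the context string is a hypothetical application label.

```python
"""Added example (not from the answer or its author): the two key-derivation
situations the answer distinguishes, side by side.

  1. A fresh, uniformly random secret (e.g. the ECDH shared secret) already
     has full entropy: a fast hash or HKDF suffices to turn it into a 256-bit
     AES key. Salting it or running Argon2/scrypt over it buys nothing, since
     an attacker cannot enumerate a 256-bit space in the first place.
  2. A human-chosen password has low entropy: it must go through a slow,
     memory-hard KDF (scrypt here; Argon2 plays the same role) with a
     per-user random salt stored beside the resulting hash.
The ECDH secret below is a constructed random value, not a real exchange.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple


def derive_aes_key_from_ecdh_secret(shared_secret: bytes, context: bytes) -> bytes:
    # HKDF-Extract with an all-zero salt, then one block of HKDF-Expand
    # (RFC 5869 with HMAC-SHA-256). A plain SHA-256/SHA-3 of the secret would
    # also be acceptable here, as the comments under the answer note.
    prk = hmac.new(b"\x00" * 32, shared_secret, hashlib.sha256).digest()
    okm = hmac.new(prk, context + b"\x01", hashlib.sha256).digest()
    return okm  # 32 bytes: an AES-256 key


def hash_password_for_storage(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Slow, memory-hard KDF for a low-entropy human password. n=2**14, r=8,
    # p=1 is a common interactive-login parameter set (about 16 MiB of RAM).
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # Recompute with the stored salt and compare in constant time.
    _, candidate = hash_password_for_storage(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    ecdh_secret = secrets.token_bytes(32)  # constructed stand-in for an ECDH output
    key = derive_aes_key_from_ecdh_secret(ecdh_secret, b"example-app-v1 aes-256-gcm key")
    salt, stored = hash_password_for_storage("correct horse battery staple")
    print(len(key), verify_password("correct horse battery staple", salt, stored))
```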