Password Hashing Security Using Scrypt & Argon2
I am developing an app where the following cryptographic system will be in place:
- Elliptic Curve key exchange (curve: secp521r1)
- Double scrypt the shared secret with different salts
- Pass this result through Argon2 with another salt
- Encrypt the data using AES-256 and the key from Argon2 (and an IV)
I was wondering whether, at the password hashing and KDF stage, there were any weaknesses in using double scrypt then Argon2? If so, what would be the solution to improve the security of the hashing? Thanks
Tags: password-hashing scrypt argon2
asked Jul 7 at 7:15 by SamG101 (edited Jul 7 at 15:30)
Are you applying Argon2 on a random key from the key exchange? That seems pointless. You should have sufficient randomness in the key to begin with; if it just comes out the wrong shape, a simple fast hashing algorithm will bring it to the size you want for the AES key. KISS
– Meir Maor, Jul 7 at 9:36
@SamG101 When we start learning about cryptography we tend to make two common mistakes: first, "I can invent my own stuff that will be amazing" (amazing to us), and secondly, "more is better and more complex is better". Strike two.
– Patriot, Jul 8 at 4:23
@Meir Maor, ok I will use sha3 to convert the shared secret into the correct format for AES encryption, as it is a fast hashing algorithm. However, sha3 doesn't produce the correct length key, so is it advised to truncate a hash or use an HKDF to produce a key of the correct size? Cheers
– SamG101, Jul 13 at 13:29
You can safely truncate sha3 for the purpose of producing an encryption key provided the input for sha3 had sufficient entropy (at least the size of the key), and in your case that should be the case.
– Meir Maor, Jul 13 at 14:36
2 Answers
This home-made construction is pointless and unnecessarily complex. Complexity is often the source of vulnerabilities. In this case, for example, I’ll wager you’re not securely handling the intermediate variables as you chain the multiple password hashes together.
Simply use Argon2 only and increase the work factors. “Double scrypt” is fairly meaningless as scrypt also has work factor parameters which can simply be increased.
answered Jul 7 at 8:55 by rmalayter
Why should they pass the output of a key agreement process to Argon2 instead of something like HKDF? Even if passwords were the source of secrecy in the private ECC keys, then using Argon2 on the shared secret is still applying password hashing to the wrong part of the process.
– Ella Rose♦, Jul 7 at 15:31
Although I upvoted this answer, I just noticed now that it's wrong. OP does not need to "simply use Argon2". As @EllaRose says, he should be using HKDF if he needs a KDF, not a PBKDF.
– forest, Jul 8 at 0:41
I too upvoted and am not removing my vote, despite the current situation where your answer (@forest) below is better and has a significantly lower score. I wouldn't say the answer here is wrong, but it catches only part of the mistake.
– Meir Maor, Jul 8 at 6:51
I assumed the “shared secret” was a password used for authenticating the key exchange, not the result of the key exchange. I guess I misunderstood the home-grown protocol. If there’s no authentication of the KEX that’s another major problem.
– rmalayter, Jul 8 at 21:52
@ramalaytor (replying to comment), when Alice wishes to communicate with Bob, she will generate ephemeral ECC keys. Her ephemeral public key will be signed with her permanent private key. This will be known to Bob, so he can verify Alice's ephemeral public key. I am using ephemeral ECC keys to maintain forward secrecy.
– SamG101, Jul 13 at 13:26
You are using the KDF wrong. The only purpose of Argon2 and scrypt (and related constructions like bcrypt and PBKDF2) is to slow down dictionary and brute force attacks against passwords created by humans. Using it on a randomly generated key exchanged using ECC is improper as the key is strong.
You are using salts wrong. The purpose of a salt is to mitigate rainbow table attacks and make parallel attacks against multiple users' passwords more difficult. It is not a magic dust that you sprinkle on your cryptosystem to make it more secure. For a randomly generated key, you don't need a salt.
This is why it's so important to use a ready-made library that does all this for you.
answered Jul 8 at 0:37 by forest
Ok, so I should just use a fast hashing algorithm (like sha3) to convert the shared secret from the ECC key exchange into the correct format for the AES encryption?
– SamG101, Jul 8 at 7:35
@SamG101 Yes, SHA-3 (or SHA-2) are fine. You only ever want Argon2 for user passwords.
– forest, Jul 8 at 7:36
Ah ok, so I would only use Argon2 if I was storing passwords of login accounts in a database, for example.
– SamG101, Jul 8 at 7:39
@SamG101 Yes, or if you were deriving a disk or file encryption key from a user password.
– forest, Jul 8 at 7:39
4
Are you applying Argon2 on a random key from key exchange? That seems pointless. You should have sufficient randomness in the key to begin with; if it just comes out the wrong shape, a simple fast hashing algorithm will bring it to the size you want for the AES key. KISS
– Meir Maor
Jul 7 at 9:36
1
@SamG101 When we start learning about cryptography we tend to make two common mistakes: first, "I can invent my own stuff that will be amazing" (amazing to us), and secondly, "more is better and more complex is better". Strike two.
– Patriot
Jul 8 at 4:23
@Meir Maor, ok I will use SHA-3 to convert the shared secret into the correct format for AES encryption, as it is a fast hashing algorithm. However, SHA-3 doesn't produce the correct length key, so is it advised to truncate a hash or use an HKDF to produce a key of the correct size? Cheers
– SamG101
Jul 13 at 13:29
You can safely truncate SHA-3 for the purpose of producing an encryption key provided the input for SHA-3 had sufficient entropy (at least the size of the key), and in your case that should be the case.
– Meir Maor
Jul 13 at 14:36
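The answer above and the comment exchange about truncation versus HKDF describe two distinct key-derivation situations: a high-entropy secret (the ECDH output) that only needs a fast, deterministic KDF, and a human-chosen password that needs a slow, salted, memory-hard one. The following is an added illustration, not code from the answerer or the asker, written against the Python standard library only. It implements RFC 5869 HKDF over `hmac`/`hashlib` (checked against the RFC's first test vector), shows the truncated-SHA3 alternative from the comments, and uses `hashlib.scrypt` in place of Argon2 for the password case, since Argon2 is not in the standard library. The 32-byte "shared secret", the `info` context label and the sample password are constructed values for the demonstration.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM).

    An absent salt is defined as HashLen zero bytes. For an ECDH secret the
    salt is optional; it is not the per-user salt password hashing needs."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | byte(i))."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand can produce at most 255 * HashLen bytes")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Full HKDF: extract a PRK from the input keying material, then expand it."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def aes_key_from_shared_secret(shared_secret: bytes, context: bytes) -> bytes:
    """High-entropy secret (e.g. an ECDH output) -> 256-bit AES key.

    This is the fast KDF the answer recommends: no password-hashing function,
    no per-user salt. `context` is an assumed application label that binds the
    derived key to its purpose so two uses of one secret get different keys."""
    return hkdf(shared_secret, salt=b"", info=context, length=32)


def truncated_hash_key(shared_secret: bytes, length: int = 16) -> bytes:
    """The alternative from the comments: truncate SHA3-256 to the key size.

    Only acceptable when the input already carries at least `length` bytes of
    entropy, which a properly generated ECDH secret does."""
    return hashlib.sha3_256(shared_secret).digest()[:length]


def key_from_password(password: str, salt: bytes = b"") -> tuple:
    """Human-chosen password -> 256-bit key: slow, memory-hard KDF + random salt.

    scrypt stands in for Argon2 here (assumption: parameters n=2**14, r=8, p=1,
    about 16 MiB of memory per derivation). The salt must be stored alongside
    the hash; an empty salt argument means "generate a fresh random one"."""
    if not salt:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return key, salt


if __name__ == "__main__":
    # Constructed stand-in for an ECDH shared secret (32 random-looking bytes).
    shared = bytes(range(32))
    print("AES key via HKDF     :", aes_key_from_shared_secret(shared, b"app/aes-256-gcm").hex())
    print("AES-128 via trunc SHA3:", truncated_hash_key(shared).hex())
    key, salt = key_from_password("correct horse battery staple")
    print("password key (scrypt) :", key.hex(), "salt:", salt.hex())
```

The two paths are deliberately asymmetric: `aes_key_from_shared_secret` is cheap and unsalted because its input is already uniformly random, while `key_from_password` is expensive and salted because its input is guessable. Mixing them up in either direction (Argon2 on the ECDH secret, or a plain hash on a password) is the mistake the answer warns about.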