An Early Christmas Present From OpenSSL: Some Argon
An Early Cybersecurity Christmas Present From OpenSSL: Some Argon
As you may know OpenSSL — with Heartbleed — nearly broke the Internet. But, it is a program which is fundamentally important to the security and trust of the Internet, and is still used by the majority of Web site to implement cryptographic operations. Overall, though, it can be a little slow to move and has only made it to Version 3. Now, though, we see the release of 3.2.0, and which brings many new features, including post-quantum methods, Brainpool curves and QUIC:
One of the cool new additions is the integration of Argon, and which focuses on bursting the GPU cracking of passwords.
Argon2 was designed Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich, and is a key derivation function (KDF), where were we can create hashed values of passwords, or create encryption keys based on a password. It was a winner of the Password Hashing Competition in July 2015, and is robust against GPU and side channel attacks [paper]. Argon2d uses a data-dependent approach to memory access, and Argon2i uses a data-independent approach. Argon2id is a hybrid construction.
Did you know that every eight character password (in lowercase) is cracked by brute force within less than 10 seconds? And if you use a 9 character password it takes less than 10 minutes to crack them (using lowercase letters)? Adding a number to the end, or making the first letter uppercase makes very little difference in the cracking challenge [here]
Argon is resistant to GPU attacks, and also has a memory cost. These costs include: execution time (CPU cost); memory required (memory cost); and degree of parallelism. The parameters include:
- Password (P): Defines the password bytes to be hashed
- Salt (S): Defines the bytes to be used for salting.
- Parallelism (p): Defines the number of threads that are required for the parallelism.
- TagLength (T): Define the number of bytes to return for the hash.
- MemorySizeKB (m): Amount of memory (in KB) to use.
A sample benchmark using n (for time cost), p (for parallelism) is:
We can see that for an n value of 128, the time to compute a hash value is 0.105 seconds (which would give a hashing function of just 10 hashes per second), but for 8,192 it is 5.78 seconds (which is probably too long for a user login). We must thus select a cost value which gives a reasonable time to compute, but is also robust against attacks. The message (m) is defined in log2(m), and where, in this case, m is 28 bytes [full test].
For example, if we use OpenSSL 3.2, we get [here]:
Command: openssl kdf -keylen 24 -kdfopt pass:Hello -kdfopt salt:NaCl1234
-kdfopt iter:1 -kdfop memcost:8192 ARGON2I
Password: Hello
KDF: ARGON2
Salt: NaCl1234
Length: 24
Iterations: 1
Memcost: 8192
-----------------
ARGON2I
C9:E0:66:9A:E4:F1:C7:79:2A:C4:08:6F:A8:50:44:D8:C1:3C:90:28:EC:8E:9C:71
ARGON2D
1A:B4:4F:40:F4:AA:21:AC:F1:34:42:11:57:E2:85:AC:65:89:AB:D3:2F:34:63:23
ARGON2ID
58:3A:A9:A0:28:60:F8:3B:08:B4:F9:1D:2D:81:EF:70:D5:4E:90:EA:2F:1F:83:1DIf you want to try your own, try here: