Argon2 for both password storage and key derivation












4














Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.



The basic concept is something like this:



Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.



$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$



Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.



$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$




  1. Should the secret data be encrypted with Alice's raw password?

  2. Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?


You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.



Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.



Thanks in advance.










share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
    – kelalaka
    Dec 29 '18 at 20:43










  • The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
    – John
    Dec 29 '18 at 20:46












  • There is a small calculation here
    – kelalaka
    Dec 29 '18 at 21:03










  • Nice. That pretty much means that a bruteforce attack is not even feasible.
    – John
    Dec 29 '18 at 21:09










  • But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
    – kelalaka
    Dec 29 '18 at 21:11


















4














Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.



The basic concept is something like this:



Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.



$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$



Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.



$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$




  1. Should the secret data be encrypted with Alice's raw password?

  2. Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?


You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.



Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.



Thanks in advance.










share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
    – kelalaka
    Dec 29 '18 at 20:43










  • The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
    – John
    Dec 29 '18 at 20:46












  • There is a small calculation here
    – kelalaka
    Dec 29 '18 at 21:03










  • Nice. That pretty much means that a bruteforce attack is not even feasible.
    – John
    Dec 29 '18 at 21:09










  • But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
    – kelalaka
    Dec 29 '18 at 21:11
















4












4








4


1





Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.



The basic concept is something like this:



Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.



$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$



Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.



$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$




  1. Should the secret data be encrypted with Alice's raw password?

  2. Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?


You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.



Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.



Thanks in advance.










share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.



The basic concept is something like this:



Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.



$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$



Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.



$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$




  1. Should the secret data be encrypted with Alice's raw password?

  2. Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?


You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.



Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.



Thanks in advance.







password-hashing password-based-encryption argon2






share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited Dec 29 '18 at 21:23









Ella Rose

15.3k44279




15.3k44279






New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Dec 29 '18 at 20:29









John

236




236




New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
    – kelalaka
    Dec 29 '18 at 20:43










  • The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
    – John
    Dec 29 '18 at 20:46












  • There is a small calculation here
    – kelalaka
    Dec 29 '18 at 21:03










  • Nice. That pretty much means that a bruteforce attack is not even feasible.
    – John
    Dec 29 '18 at 21:09










  • But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
    – kelalaka
    Dec 29 '18 at 21:11




















  • The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
    – kelalaka
    Dec 29 '18 at 20:43










  • The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
    – John
    Dec 29 '18 at 20:46












  • There is a small calculation here
    – kelalaka
    Dec 29 '18 at 21:03










  • Nice. That pretty much means that a bruteforce attack is not even feasible.
    – John
    Dec 29 '18 at 21:09










  • But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
    – kelalaka
    Dec 29 '18 at 21:11


















The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
– kelalaka
Dec 29 '18 at 20:43




The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
– kelalaka
Dec 29 '18 at 20:43












The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
– John
Dec 29 '18 at 20:46






The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
– John
Dec 29 '18 at 20:46














There is a small calculation here
– kelalaka
Dec 29 '18 at 21:03




There is a small calculation here
– kelalaka
Dec 29 '18 at 21:03












Nice. That pretty much means that a bruteforce attack is not even feasible.
– John
Dec 29 '18 at 21:09




Nice. That pretty much means that a bruteforce attack is not even feasible.
– John
Dec 29 '18 at 21:09












But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
– kelalaka
Dec 29 '18 at 21:11






But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
– kelalaka
Dec 29 '18 at 21:11












2 Answers
2






active

oldest

votes


















6















Should the secret data be encrypted with Alice's raw password?




As a general rule of thumb:
A password should only ever be fed into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!



There are multiple reasons for this:




  • Passwords need special processing in the form of complexity parameters.

  • Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.

  • Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.

  • Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.



Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?




Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.



The idea behind this is:




  • If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.

  • If you don't expose intermediate values, you effectively created a new composite hashing scheme.

  • If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".




The rest is similar to smrt28's answer:



Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.



Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.

So in formulas: $text{derKey} = operatorname{Argon2}(text{password}, text{salt}, text{iteration}), c=operatorname{AE}_{text{derKey}}(text{MK})$ and now if one tries to decrypt with the wrong password, the AE-scheme will report an authentication failure as the key is wrong and if it is right, it will just return the correct master-key.






share|improve this answer























  • Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
    – forest
    2 days ago





















2














Try to think like a hacker...



Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.



If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.



If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.



If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.



IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.



I think the best solution would be: x=Argon2(password) and then store SHA256(x || salt1) in database and use it for password verification, SHA256(x || salt2) for encryption. Or even better, Argon2 has the result length as a parameter. Just instead of 256 bits let Argon2 derive 512 bits and use first 256 for password verification and the second 256 for encryption.






share|improve this answer























  • That's what I thought. Thanks.
    – John
    Dec 29 '18 at 21:33










  • Breaking SHA256 you mean find a pre,second-preimage?
    – kelalaka
    Dec 29 '18 at 21:33






  • 3




    I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
    – John
    Dec 29 '18 at 21:39













Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






John is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66161%2fargon2-for-both-password-storage-and-key-derivation%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









6















Should the secret data be encrypted with Alice's raw password?




As a general rule of thumb:
A password should only ever be fed into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!



There are multiple reasons for this:




  • Passwords need special processing in the form of complexity parameters.

  • Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.

  • Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.

  • Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.



Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?




Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.



The idea behind this is:




  • If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.

  • If you don't expose intermediate values, you effectively created a new composite hashing scheme.

  • If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".




The rest is similar to smrt28's answer:



Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.



Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.

So in formulas: $text{derKey} = operatorname{Argon2}(text{password}, text{salt}, text{iteration}), c=operatorname{AE}_{text{derKey}}(text{MK})$ and now if one tries to decrypt with the wrong password, the AE-scheme will report an authentication failure as the key is wrong and if it is right, it will just return the correct master-key.






share|improve this answer























  • Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
    – forest
    2 days ago


















6















Should the secret data be encrypted with Alice's raw password?




As a general rule of thumb:
A password should only ever be fed into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!



There are multiple reasons for this:




  • Passwords need special processing in the form of complexity parameters.

  • Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.

  • Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.

  • Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.



Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?




Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.



The idea behind this is:




  • If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.

  • If you don't expose intermediate values, you effectively created a new composite hashing scheme.

  • If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".




The rest is similar to smrt28's answer:



Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.



Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.

So in formulas: $text{derKey} = operatorname{Argon2}(text{password}, text{salt}, text{iteration}), c=operatorname{AE}_{text{derKey}}(text{MK})$ and now if one tries to decrypt with the wrong password, the AE-scheme will report an authentication failure as the key is wrong and if it is right, it will just return the correct master-key.






share|improve this answer























  • Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
    – forest
    2 days ago
















6












6








6







Should the secret data be encrypted with Alice's raw password?




As a general rule of thumb:
A password should only ever be fed into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!



There are multiple reasons for this:




  • Passwords need special processing in the form of complexity parameters.

  • Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.

  • Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.

  • Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.



Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?




Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.



The idea behind this is:




  • If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.

  • If you don't expose intermediate values, you effectively created a new composite hashing scheme.

  • If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".




The rest is similar to smrt28's answer:



Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.



Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.

So in formulas: $text{derKey} = operatorname{Argon2}(text{password}, text{salt}, text{iteration}), c=operatorname{AE}_{text{derKey}}(text{MK})$ and now if one tries to decrypt with the wrong password, the AE-scheme will report an authentication failure as the key is wrong and if it is right, it will just return the correct master-key.






share|improve this answer















Should the secret data be encrypted with Alice's raw password?




As a general rule of thumb:
A password should only ever be fed into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!



There are multiple reasons for this:




  • Passwords need special processing in the form of complexity parameters.

  • Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.

  • Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.

  • Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.



Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?




Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.



The idea behind this is:




  • If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.

  • If you don't expose intermediate values, you effectively created a new composite hashing scheme.

  • If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".




The rest is similar to smrt28's answer:



Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.



Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.

So in formulas: $text{derKey} = operatorname{Argon2}(text{password}, text{salt}, text{iteration}), c=operatorname{AE}_{text{derKey}}(text{MK})$ and now if one tries to decrypt with the wrong password, the AE-scheme will report an authentication failure as the key is wrong and if it is right, it will just return the correct master-key.







share|improve this answer














share|improve this answer



share|improve this answer








edited 2 days ago

























answered Dec 29 '18 at 23:25









SEJPM

28.2k553132




28.2k553132












  • Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
    – forest
    2 days ago




















  • Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
    – forest
    2 days ago


















Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
2 days ago






Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
2 days ago













2














Try to think like a hacker...



Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.



If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.



If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.



If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.



IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.



I think the best solution would be: x=Argon2(password) and then store SHA256(x || salt1) in database and use it for password verification, SHA256(x || salt2) for encryption. Or even better, Argon2 has the result length as a parameter. Just instead of 256 bits let Argon2 derive 512 bits and use first 256 for password verification and the second 256 for encryption.






share|improve this answer























  • That's what I thought. Thanks.
    – John
    Dec 29 '18 at 21:33










  • Breaking SHA256 you mean find a pre,second-preimage?
    – kelalaka
    Dec 29 '18 at 21:33






  • 3




    I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
    – John
    Dec 29 '18 at 21:39


















2














Try to think like a hacker...



Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.



If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.



If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.



If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.



IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.



I think the best solution would be: x=Argon2(password) and then store SHA256(x || salt1) in database and use it for password verification, SHA256(x || salt2) for encryption. Or even better, Argon2 has the result length as a parameter. Just instead of 256 bits let Argon2 derive 512 bits and use first 256 for password verification and the second 256 for encryption.






share|improve this answer























  • That's what I thought. Thanks.
    – John
    Dec 29 '18 at 21:33










  • Breaking SHA256 you mean find a pre,second-preimage?
    – kelalaka
    Dec 29 '18 at 21:33






  • 3




    I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
    – John
    Dec 29 '18 at 21:39
















2












2








2






Try to think like a hacker...



Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.



If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.



If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.



If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.



IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.



I think the best solution would be: x=Argon2(password) and then store SHA256(x || salt1) in database and use it for password verification, SHA256(x || salt2) for encryption. Or even better, Argon2 has the result length as a parameter. Just instead of 256 bits let Argon2 derive 512 bits and use first 256 for password verification and the second 256 for encryption.






share|improve this answer














Try to think like a hacker...



Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.



If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.



If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.



If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.



IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.



I think the best solution would be: x=Argon2(password) and then store SHA256(x || salt1) in database and use it for password verification, SHA256(x || salt2) for encryption. Or even better, Argon2 has the result length as a parameter. Just instead of 256 bits let Argon2 derive 512 bits and use first 256 for password verification and the second 256 for encryption.







share|improve this answer














share|improve this answer



share|improve this answer








edited 2 days ago

























answered Dec 29 '18 at 21:21









smrt28

52848




52848












  • That's what I thought. Thanks.
    – John
    Dec 29 '18 at 21:33










  • Breaking SHA256 you mean find a pre,second-preimage?
    – kelalaka
    Dec 29 '18 at 21:33






  • 3




    I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
    – John
    Dec 29 '18 at 21:39




















  • That's what I thought. Thanks.
    – John
    Dec 29 '18 at 21:33










  • Breaking SHA256 you mean find a pre,second-preimage?
    – kelalaka
    Dec 29 '18 at 21:33






  • 3




    I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
    – John
    Dec 29 '18 at 21:39


















That's what I thought. Thanks.
– John
Dec 29 '18 at 21:33




That's what I thought. Thanks.
– John
Dec 29 '18 at 21:33












Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
Dec 29 '18 at 21:33




Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
Dec 29 '18 at 21:33




3




3




I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
Dec 29 '18 at 21:39






I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
Dec 29 '18 at 21:39












John is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















John is a new contributor. Be nice, and check out our Code of Conduct.













John is a new contributor. Be nice, and check out our Code of Conduct.












John is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66161%2fargon2-for-both-password-storage-and-key-derivation%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Alcedinidae

Origin of the phrase “under your belt”?