Argon2 for both password storage and key derivation












4














Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.



The basic concept is something like this:



Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.



$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$



Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.



$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$




  1. Should the secret data be encrypted with Alice's raw password?

  2. Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?


You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.



Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.



Thanks in advance.










share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
    – kelalaka
    8 hours ago










  • The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
    – John
    8 hours ago












  • There is a small calculation here
    – kelalaka
    8 hours ago










  • Nice. That pretty much means that a bruteforce attack is not even feasible.
    – John
    8 hours ago










  • But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
    – kelalaka
    8 hours ago


















4














Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.



The basic concept is something like this:



Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.



$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$



Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.



$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$




  1. Should the secret data be encrypted with Alice's raw password?

  2. Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?


You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.



Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.



Thanks in advance.










share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
    – kelalaka
    8 hours ago










  • The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
    – John
    8 hours ago












  • There is a small calculation here
    – kelalaka
    8 hours ago










  • Nice. That pretty much means that a bruteforce attack is not even feasible.
    – John
    8 hours ago










  • But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
    – kelalaka
    8 hours ago
















4












4








4


1





Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.



The basic concept is something like this:



Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.



$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$



Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.



$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$




  1. Should the secret data be encrypted with Alice's raw password?

  2. Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?


You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.



Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.



Thanks in advance.










share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Is using Argon2 for both password storage and key derivation secure? I'm planning on using different salt values, of course.



The basic concept is something like this:



Alice has some secret data ($data_e$) on her account. It's encrypted with an Argon2 derived key from her password, using a random salt.



$$ k = operatorname{Argon2}(text{password}, text{salt}_1, text{iteration})$$
$$ text{data}_e = operatorname{E}_k(text{data})$$



Alice's password is stored as an Argon2 derived key from her password, using a random salt. When Alice (or an adversary) wants to log in, a key is derived from the input using Alice's password salt and checked for a match.



$$text{storedPWD} = operatorname{Argon2}(text{password}, text{salt}_2, text{iteration})$$




  1. Should the secret data be encrypted with Alice's raw password?

  2. Should her data to be encrypted with a random key encrypted with her raw password? With a key derived from her password?


You should assume that Alice is a trained system administrator who understands the risk of having a weak password. The password will have at least 12 characters, will include capital and small letters and have numbers.



Also assume that the login system is bruteforce-resistant, but think about the possibility of a database breach.



Thanks in advance.







password-hashing password-based-encryption argon2






share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 7 hours ago









Ella Rose

15k44179




15k44179






New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 8 hours ago









John

236




236




New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
    – kelalaka
    8 hours ago










  • The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
    – John
    8 hours ago












  • There is a small calculation here
    – kelalaka
    8 hours ago










  • Nice. That pretty much means that a bruteforce attack is not even feasible.
    – John
    8 hours ago










  • But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
    – kelalaka
    8 hours ago




















  • The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
    – kelalaka
    8 hours ago










  • The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
    – John
    8 hours ago












  • There is a small calculation here
    – kelalaka
    8 hours ago










  • Nice. That pretty much means that a bruteforce attack is not even feasible.
    – John
    8 hours ago










  • But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
    – kelalaka
    8 hours ago


















The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
– kelalaka
8 hours ago




The only problem I can see; if the password is really bad, then one can use the login system to to brute-force the password and then use the Argon2 and $salt_2$ to decrypt the data. You should not use the password directly as a key for encryption. The key must be derived with good iterations.
– kelalaka
8 hours ago












The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
– John
8 hours ago






The users will be mostly system administrators who will be trained and made aware of the risks of using a weak password - the possibility of leaking their top secret data. The password will have to have minimum 12 characters. Let's also assume the login system is resistant to bruteforce attacks, but let's also consider the possibility of a database breach.
– John
8 hours ago














There is a small calculation here
– kelalaka
8 hours ago




There is a small calculation here
– kelalaka
8 hours ago












Nice. That pretty much means that a bruteforce attack is not even feasible.
– John
8 hours ago




Nice. That pretty much means that a bruteforce attack is not even feasible.
– John
8 hours ago












But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
– kelalaka
8 hours ago






But you need to set max to 12, See some computation powers from here, and remember you need to divide this numbers by the iteration.
– kelalaka
8 hours ago












2 Answers
2






active

oldest

votes


















5















Should the secret data be encrypted with Alice's raw password?




As a general rule of thumb:
A password should only ever be feeded into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!



There are multiple reasons for this:




  • Passwords need special processing in the form of complexity parameters.

  • Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.

  • Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.

  • Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.



Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?




Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.



The idea behind this is:




  • If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.

  • If you don't expose intermediate values, you effectively created a new composite hashing scheme.

  • If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".




The rest is similar to smrt28's answer:




  • Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.

  • Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.






share|improve this answer





















  • Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
    – John
    5 hours ago






  • 1




    @John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
    – Gilles
    4 hours ago












  • Ah, thank you for the explanation. I get it now.
    – John
    4 hours ago










  • Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
    – forest
    3 hours ago





















2














Try to think like a hacker...



Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.



If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.



If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.



If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.



IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.






share|improve this answer





















  • That's what I thought. Thanks.
    – John
    7 hours ago










  • Breaking SHA256 you mean find a pre,second-preimage?
    – kelalaka
    7 hours ago






  • 2




    I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
    – John
    7 hours ago













Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






John is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66161%2fargon2-for-both-password-storage-and-key-derivation%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









5















Should the secret data be encrypted with Alice's raw password?




As a general rule of thumb:
A password should only ever be feeded into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!



There are multiple reasons for this:




  • Passwords need special processing in the form of complexity parameters.

  • Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.

  • Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.

  • Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.



Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?




Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.



The idea behind this is:




  • If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.

  • If you don't expose intermediate values, you effectively created a new composite hashing scheme.

  • If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".




The rest is similar to smrt28's answer:




  • Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.

  • Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.






share|improve this answer





















  • Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
    – John
    5 hours ago






  • 1




    @John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
    – Gilles
    4 hours ago












  • Ah, thank you for the explanation. I get it now.
    – John
    4 hours ago










  • Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
    – forest
    3 hours ago


















5















Should the secret data be encrypted with Alice's raw password?




As a general rule of thumb:
A password should only ever be feeded into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!



There are multiple reasons for this:




  • Passwords need special processing in the form of complexity parameters.

  • Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.

  • Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.

  • Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.



Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?




Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.



The idea behind this is:




  • If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.

  • If you don't expose intermediate values, you effectively created a new composite hashing scheme.

  • If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".




The rest is similar to smrt28's answer:




  • Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.

  • Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.






share|improve this answer





















  • Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
    – John
    5 hours ago






  • 1




    @John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
    – Gilles
    4 hours ago












  • Ah, thank you for the explanation. I get it now.
    – John
    4 hours ago










  • Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
    – forest
    3 hours ago
















5












5








5







Should the secret data be encrypted with Alice's raw password?




As a general rule of thumb:
A password should only ever be feeded into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!



There are multiple reasons for this:




  • Passwords need special processing in the form of complexity parameters.

  • Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.

  • Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.

  • Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.



Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?




Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.



The idea behind this is:




  • If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.

  • If you don't expose intermediate values, you effectively created a new composite hashing scheme.

  • If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".




The rest is similar to smrt28's answer:




  • Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.

  • Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.






share|improve this answer













Should the secret data be encrypted with Alice's raw password?




As a general rule of thumb:
A password should only ever be feeded into a password hashing scheme (PHS) such as Argon2, scrypt or bcrypt, never into anything else!



There are multiple reasons for this:




  • Passwords need special processing in the form of complexity parameters.

  • Passwords need external (high-entropy) sources of uniqueness / randomness to be mixed in.

  • Passwords should be allowed to be long and variable-length, most cryptographic primitives have very specific expectations on key lengths.

  • Passwords usually aren't randomly uniformly distributed bit strings (eg the highest bit is rarely set), which most encryption algorithms assume for their keys.



Should her data to be encrypted with a random key encrypted with [...] a key derived from her password?




Yes. Another good rule of thumb is:
Only ever perform one password hashing per user, but give it all the resources you can spare.



The idea behind this is:




  • If you chain derivations and an attacker can validate whether they got the correct value for an intermediate stage, they only need to compute the last stages once, instead of once for all passwords.

  • If you don't expose intermediate values, you effectively created a new composite hashing scheme.

  • If you perform two independent derivations, you are likely to lower the resources required for each individual one and it is sufficient for the adversary to only break the weakest one and get the other one(s) "for free".




The rest is similar to smrt28's answer:




  • Encrypting a high-entropy key with a password-derived key allows your users to change the password without you having to re-encrypt the entire data, which may be costly in terms of CPU-time and I/O-time if you have a lot of data.

  • Additionally, if you use authenticated encryption (AE) using the derived key for the high-entropy key, you essentially get secure password confirmation "for free", as the scheme will very clearly report an error if the password and thus the derived key is wrong. Additionally, you can cryptographically bind derivation parameters like salt and iteration count to successful decryption using the associated data input of most AE schemes.







share|improve this answer












share|improve this answer



share|improve this answer










answered 5 hours ago









SEJPM

28.2k553132




28.2k553132












  • Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
    – John
    5 hours ago






  • 1




    @John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
    – Gilles
    4 hours ago












  • Ah, thank you for the explanation. I get it now.
    – John
    4 hours ago










  • Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
    – forest
    3 hours ago




















  • Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
    – John
    5 hours ago






  • 1




    @John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
    – Gilles
    4 hours ago












  • Ah, thank you for the explanation. I get it now.
    – John
    4 hours ago










  • Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
    – forest
    3 hours ago


















Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
– John
5 hours ago




Great! I just have an issue understanding your last point, about authenticated encryption. Would you mind editing the answer to explain that point a bit further, maybe even give a practical example? I can't quite wrap my head around it. Thanks!
– John
5 hours ago




1




1




@John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
– Gilles
4 hours ago






@John Let H = Argon2(password, salt). Use H as an AE key to protect k. When someone logs in as Alice, you calculate H and attempt to decrypt the encrypted copy of k. This returns k if the password is correct and “authentication failure” otherwise.
– Gilles
4 hours ago














Ah, thank you for the explanation. I get it now.
– John
4 hours ago




Ah, thank you for the explanation. I get it now.
– John
4 hours ago












Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
3 hours ago






Small nitpick, but I wouldn't necessarily say a password should only be fed into a password hashing scheme in the case of bcrypt, since it has a limited input size of iirc 72 bytes. It would be best to first hash the password with, say, SHA-1 and then send the (encoded, to avoid null bytes) hash to bcrypt.
– forest
3 hours ago













2














Try to think like a hacker...



Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.



If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.



If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.



If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.



IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.






share|improve this answer





















  • That's what I thought. Thanks.
    – John
    7 hours ago










  • Breaking SHA256 you mean find a pre,second-preimage?
    – kelalaka
    7 hours ago






  • 2




    I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
    – John
    7 hours ago


















2














Try to think like a hacker...



Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.



If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.



If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.



If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.



IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.






share|improve this answer





















  • That's what I thought. Thanks.
    – John
    7 hours ago










  • Breaking SHA256 you mean find a pre,second-preimage?
    – kelalaka
    7 hours ago






  • 2




    I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
    – John
    7 hours ago
















2












2








2






Try to think like a hacker...



Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.



If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.



If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.



If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.



IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.






share|improve this answer












Try to think like a hacker...



Consider the hacker got control over the storage and consider Alice has a relatively weak password. Relatively weak in this context means the hacker cannot break it by brute force from Argon2 hash, but he can break it if he got just a basic single (for instance) SHA256 hash.



If you encrypt Alice's data by the password, the hacker can crack the data by brute force (brute force breaking AES is as easy/hard as breaking SHA256). Also, there is a disadvantage that if Alice changes her password, you would have to re-encrypt her data.



If you encrypt a random master-key by the password and use the master-key to encrypt Alice's data, there is no difference in security, just you don't have to re-encrypt data if Alice changes her password. You would have to re-encrypt just the master-key.



If you encrypt a random master-key by storedPWD, then the hacker has the key available easily in the database.



IMO you should calculate two Argon2 hashes with a different salt each and use one to verify a password, the second one to encrypt data.







share|improve this answer












share|improve this answer



share|improve this answer










answered 7 hours ago









smrt28

52146




52146












  • That's what I thought. Thanks.
    – John
    7 hours ago










  • Breaking SHA256 you mean find a pre,second-preimage?
    – kelalaka
    7 hours ago






  • 2




    I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
    – John
    7 hours ago




















  • That's what I thought. Thanks.
    – John
    7 hours ago










  • Breaking SHA256 you mean find a pre,second-preimage?
    – kelalaka
    7 hours ago






  • 2




    I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
    – John
    7 hours ago


















That's what I thought. Thanks.
– John
7 hours ago




That's what I thought. Thanks.
– John
7 hours ago












Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
7 hours ago




Breaking SHA256 you mean find a pre,second-preimage?
– kelalaka
7 hours ago




2




2




I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
7 hours ago






I'm pretty sure they meant bruteforcing the SHA256 hash because SHA256 is a fast hash function and a lot of combinations can be tested quickly.
– John
7 hours ago












John is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















John is a new contributor. Be nice, and check out our Code of Conduct.













John is a new contributor. Be nice, and check out our Code of Conduct.












John is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66161%2fargon2-for-both-password-storage-and-key-derivation%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

What visual should I use to simply compare current year value vs last year in Power BI desktop

How to ignore python UserWarning in pytest?

Alexandru Averescu