
I wanted to say that for the past two months, approximately, I've been crying myself to sleep every single night, because this is the first time I do PasswordsCon when I'm actually not doing a talk myself, and that is because this year we had so many excellent submissions. There are also backup speakers that we will try to fit into the schedule, because we have synchronized completely with the rest of BSides, as you've seen in the program, and there are breaks in there so you will be able to get lunch and so on. I don't really get the point of that, you know, you can
easily survive until Thursday and we have passwords to discuss. So later today, and also in the one and a half hour breaks, I will insert at least one additional talk. I will put it out on Twitter, and I will also announce it in here when I know who will be speaking and exactly when, but there will be some additional talks as well. So having said that, I'm going to introduce you to JP Aumasson from Kudelski Security and his talk, "What's up Argon2?". And I got to ask JP: is this going to be a lot of cryptography, a lot of equations and math? So if you don't like math, please leave the room. No, just
kidding. And kittens? No kittens. Okay, well, no kittens. So let's give a small applause to JP Aumasson.

Hello, good morning. I'm happy to be here again. So I'll talk about Argon2. Who knows what Argon2 is? Oh, quite a few people. Who uses Argon2? Come on, you're in the right room. That's going to be a super short talk, like 20 minutes or so, but I want to spare you the equations. You probably heard about the Password Hashing Competition. If you did not, you may have heard about the AES competition, like 15 years ago, where the US government
picked the AES standard by selecting it from a bunch of algorithms submitted by researchers. So that's the same kind of process that we ran between 2013 and 2015. We got a group of people, like software engineers, password crackers, cryptographers, and we asked the community to submit their designs, algorithms and code, and we evaluated them. We tried to figure out how secure the submissions were, how fast they were, how serious, and so in 2015 we decided that the winner would be Argon2, the hash function that I will present today. So it's been about a year, and I will present what has been happening during this year. All right, so maybe besides the fact
that we picked Argon2, which is the best password hash in the world from my point of view, I think we also motivated researchers to care about password hashing, because nobody really cared about research on passwords before; it was about cracking passwords. That's nice, that's a fun topic, but you also need some different approach: try to think about what's the optimal way to build a password hashing algorithm, instead of just cracking MD5 and SHA-1 for the rest of your life. So now we got Argon2. Why did we pick it and not the others? There were plenty of very good submissions, so it's secure, but there were also some other secure submissions.
It won because we wanted people to use it. It's not an academic contest, it's not a beauty contest, it's an engineering contest, and one of the criteria was usability and UX and user friendliness. So it's pretty much simple, it's easy to use, I hope so; I hope to convince you of that as well. So who's behind it? It's not me, it's some people from Luxembourg, some very well established cryptographers: Alex Biryukov, who's been leading the lab for a couple of years now, Daniel Dinu, and Dmitry Khovratovich, who is the lead designer of Argon2. All right, so how does this work? Yeah, no math, no equations. First of all, you take
your password, you take a salt, you take a bunch of parameters, and you hash everything using some cryptographic hash function, like a general purpose cryptographic hash. It happens to be BLAKE2, but you could use any hash function you want, so that you get a value called H. And what you're going to do, you're going to allocate a bunch of memory, a table of two dimensions, a bunch of rows, a bunch of columns, and this size will depend on the memory parameter that you choose. So if you want this table to be just 1K, it would be 1 kilobyte, but you can make it up to 1 gig or even more; you
can make it, I don't know, 10 terabytes if you'd like. So using your value H, that depends on the password (so you can't determine H if you don't have the password), you will fill the huge table: you will fill the first column, the second column, the third column, and so on and so forth, but sequentially, so to fill the nth column you need to know the column that comes before. So that's super simple. So how does it work? You have blocks in this table, and like I said, they will all depend on H, on the password. All right, so when you fill one column, it depends on the previous column but also
depends on another block; I'll explain later on what that means. And then you repeat it several times: you fill the table once, you fill it twice, as many times as you want. So if you want the hash to be slower, you will fill the table more times; if you want it to be faster, you will fill it only once. So that's it, that's how it works. I tried to make it simple, but you don't have all the details; look up the specs if you want all the nitty-gritty details. All right, so there's two versions of Argon2: Argon2d, d for dependent, and Argon2i, i for
independent. In the previous slide, remember that I said that when you fill the table, the value depends on another block in the table. So in Argon2d this block will depend on the password: it will always be a different index, a different address in memory, if you have different passwords. In Argon2i it's independent, so whatever password you choose, the address in the table will be the same for every block that you compute. So you see where I'm going: if you have a memory address that depends on the password, you got memory accesses that depend on your secret, and if you can monitor the memory accesses, then it
gives you some side-channel information on the password. More precisely, it gives you information on the hash of the password, the small H value, and if you can figure out the full value of H, or even a small part of it, it can allow you to crack the password much, much faster. So the upshot here is that if in your threat model you care about side-channel attacks, about software side-channel attacks, you should pick Argon2d... Argon2i, sorry, and Argon2d where side-channel attacks will not be relevant. So what's the advantage of Argon2d, the weakest one with respect to side-channel attacks? It's that you get better security against time-memory tradeoff attacks.
I will talk about it a bit later. Now, how fast is it? It depends: it depends on your CPU, it depends on the parameters, it depends on a lot of things, but to give you an example, if you take Argon2d with 250 megs on a single core, it takes approximately 100 milliseconds. Argon2i with one gig of memory on two cores, it's about half a second. But you should not rely too much on this kind of estimate; you should run it yourself on your machine, on the platform where you hash the password, and measure the timings and figure out which one is the best for your application. So what are the applications
going to be? Not sure what this slide says; it's pretty much obvious: we need to store passwords, to derive keys from either passwords or any low-entropy token, and as proof of work; obviously there are already altcoins that use Argon2. Okay, so let's say you want to use it. The good news is that you don't have to implement it yourself; the code is already out there. We have a nice reference code in C, C89. It works on Linux, on any BSD, on Windows. You just download it, you clone it, make, and it gets you a static library, a shared library and the command-line utility that will let you benchmark it on your machine. So there's no patent and no
strict IP; it's essentially public domain, CC0 license. And we've got bindings for Python, Lua, Go, Java, all the usual languages. So it's been less than a year since we started this. It's based on the C++ code of the designers; we quickly figured out they were not using any real C++ features, so we turned it into C. It got pretty popular: now we've got more than 1000 stars on GitHub, more than 400 commits, more than 90 pull requests, issues too. So the code was not so good a year ago, but now it's much, much better, so now I can recommend you to use it. So I'd like to thank
everyone who contributed to Argon2, Samuel Neves and other guys. Some people even started to use it: libsodium, which is maybe one of the best crypto libraries and one of my favorites; the default password hash in libsodium is now Argon2, so thanks to Frank for pushing this into libsodium. There's a Debian package that provides you with a library and the command-line utility to use Argon2, so that you don't have to build it yourself or to implement it yourself. So now, yeah, the elephant in the room: why use Argon2 and not something else? So there's no simple answer, but I will only compare it to
scrypt. scrypt used to be the state of the art for password hashing before we did this, but one of the reasons would be that we were not satisfied with scrypt. So scrypt is good, it kind of does the job, it uses a lot of memory, but if you ever tried to use scrypt you know that it's not easy to use. You get a bunch of parameters, not very clear what they're doing. You can make it bigger, you can maybe use more memory, but for instance you don't have a time parameter that makes it slower without making it bigger. That's inconvenient if you want to make it slower without using
more memory. And like in Argon2 we have two versions, one data-independent and one data-dependent; in scrypt you don't have a data-independent mode, that's another limitation. And finally, if you look at the algorithm itself, it's pretty weird, because you have a password hash, scrypt, but inside you're using another password hash, PBKDF2, and the HMAC construction and SHA-256, and you also need a stream cipher, you need Salsa20. So you need a lot of stuff, a lot of code, a lot of code to debug; it's not very elegant. Whereas in Argon2 it's much simpler: you just need the core function of BLAKE2 and that's it. Also we've got, from my point of view,
a more reliable security analysis of Argon2. So it's split in four parts. The first one is how strong it is with respect to cryptanalytic attacks, stuff like differential attacks that you have on block ciphers or stream ciphers. So maybe last week someone told me, yeah, you know, I don't want to recommend Argon2 because we got to wait maybe another two or five years before we are confident that it's secure. I was like, well, you know, it is BLAKE2; it iterates BLAKE2 maybe dozens of times, and even if it's only iterated 10 times we don't know how to break it, and we're super confident that it's secure. So this should really be the
least of your worries, you know, cryptanalysis. So I view it as security, not as performance: inefficiency on GPUs, ASICs, FPGAs. What the designers did, they tried to make the algorithm as fast as possible on your machine and as slow as possible on the bad guys' machine. Of course they did it when they did it, like last year; in 10 years it might be different, but what it means today is that it's optimized for the x86 architecture, for the recent microarchitectures where you have SIMD operations, and it exploits multicore, multithreading: you can ask Argon2 to use as many threads as you want. So if
you have like four cores on your CPU, you may want to use the full four cores. And the point of using a lot of memory is obviously to make it much more expensive for the ASICs, for hardware circuits. Right, side-channel resistance: like I said, it's only software side channels, mostly everything that's related to Argon2i, where the memory accesses are independent from the secrets. So it's constant time: it always takes the same number of operations to hash a password, and the memory addresses are always the same, which means that it's secure against this kind of attack, and Argon2d is not. Okay, last part, maybe the most
interesting one from a researcher's point of view, not the easiest to understand, so I won't go into full details, but I will just summarize the two major papers that came out earlier this year. So the point of this kind of attack is to compute the hash function result by using less memory than intended by the design. So like if you say, okay, I want to use one gig of memory, and if you can compute the result with just one meg, then something's really, really wrong, okay? And same for time. So the first paper that came out is this one by a team from Stanford, probably Dan Boneh's. They did a very brilliant
work, from my point of view. They were like, okay, we have these guys playing with hash functions, they don't know what they're doing, okay, let's solve the problem; that's how I saw it. They got more than 50 pages of analysis, they got a new design called Balloon hashing, and they showed, that was really surprising to us, they showed that you could compute, for certain parameters, the result of Argon2i by using four times less memory, in some specific settings that were not the recommended settings we had in the paper, but still, that was something. So we modified the design a bit, and now it's totally
immune to this kind of attack. So if you read the paper, the first two or three pages, it's really, really good. The second one, about one month later, is maybe even more complicated; it's a bit shorter, but they coined a new metric. So when you try to compute how hard it is for an attacker, you want to find how expensive it is; it's not sort of "expensive", you formalize it by using some formal notion, a mathematical notion. So what we used to do is to consider the AT metric, which is essentially the time multiplied by the space. The point was that there would be a more realistic metric, which was the
energy consumption, to make it very short. So based on this observation they tried to find new attacks, asymptotic attacks, which are attacks on the design as a function of its size, but not on specific instances, okay? So I won't bore you with mathematical details, it's pretty difficult to follow, but the point was that if you see it as a mathematical object, asymptotically, for very high values of the parameters, there are some attacks that may be better than what we know, okay? Conclusion: it doesn't matter in practice; it's theoretically interesting, but there's no impact on the actual hash, okay? So I'm almost done. So I convinced you that Argon2 is so
good. So we tried to convince people at the IRTF, who are running the standards process for the IETF; there's an Internet-Draft that is out there, you can check it out. And one of the goals is probably to make an RFC, or to give it a more official status, and to encourage people to use it. So I don't really know what is NIST's position at the moment; I understood that they have maybe other priorities, but I don't exclude that at some point NIST may decide to include Argon2 as a federal standard. All right, so short conclusions: Argon2 is the best password hash in the world, if you will; we understand well
where it's good, where it's better than the previous approaches, and we understand its limitations, for example side-channel attacks. Now you can check out the current GitHub; it's production ready, and you also have bindings for any language, so you can use it in any application you want. If you have any question, any request, anything you'd like to discuss with us, you can either send me an email directly or, even better, register to the mailing list and email the mailing list. Thank you very much. [Applause]

Too easy, but still there might be questions for JP. Raise your
hands.

You mentioned the implementation was optimized for the x86 architecture. I'm thinking of putting it into apps running on phone devices, which would be more ARM architecture. Any research or looking at how well that would work, or is it still a recommended choice in that situation?

The question is about whether it is worthwhile to look at ARM implementations of Argon2. Actually the implementation is just C89; we don't have assembly implementations, neither for ARM nor for other architectures. It should compile on ARM. I don't know if it's worth a lot of optimizations, I'm really not sure. Maybe you want to discuss this with
us.

So if I interpreted you correctly, in a situation where you have network logon and a malicious attacker monitoring the traffic and doing timing attacks, would that be a situation where Argon2i is a better choice of algorithm?

Okay, so the question is essentially if remote timing attacks are possible on Argon2. Well, we've seen that on other pieces of software, timing attacks that were assumed to be only feasible locally turned out to be feasible remotely, so I wouldn't make any claim on the resistance to remote timing attacks, and you should probably go with Argon2i. More questions? Oh, Jeff, come on. Yeah, okay, well, okay, so okay, well you
were late, Jeff, so all first. So have you made any effort to get this into some of the common password manager programs, particularly KeePass, which is an open source project?

To push it into popular password managers? We will not... maybe we will. Yeah, well, we can give that question to... we have Jeff Goldberg from AgileBits, who produces 1Password, in the audience. So Jeff, yeah, you can give him an applause as well. That's okay. Jeff, Argon2 in 1Password, please?

Well, we've got... I mean, we'd love to, obviously, but some of the clients that we use, there's just no way to get it in
there yet. We're still dependent on PBKDF2, just given the particular platform.

I'll stop using 1Password and go for KeePass. I'm kidding.

So I have to admit that. But actually what my question was, kind of for all of those people who said that they were familiar with Argon2 and not using it, is kind of why, you know; are they in the same position that I'm in, as I've got one platform where we need to do it in JavaScript?

Well, I guess they heard about it, but they don't get to choose.
Okay, so I guess it's not... this is more of a statement than a question, but you know, I wasn't using Argon2 a year ago because I didn't really like the code; I didn't know that you'd done a sort of a reimplementation of it, so that's great. But you know, Argon2 is highly tunable, so why don't you just tune down the memory parameters a little bit, and it should still be strictly superior to P... you know, the password-based key derivation function, yeah, whatever, it's easier to pronounce.

Then, yeah, sure, so you know, just tune the parameters down and it should be a viable replacement. Yeah, more questions? No one? No? Zed?

Just gonna say it should be a
replacement just because it's quicker to say.

Steve, here we go.

So you said that scrypt can't be, well, scrypt can't be slowed down? Yeah, I know what you're going to ask: not the p parameter? The p parameter, yeah. But it makes it slower. But it increases the parallelism, so if you don't want to be more parallel, if you want to be fully serial, if you just... huh? I mean p is a parallelism parameter, so if it's larger then you can parallelize it even better than, well, all it does... So the way p works is: so you have the setting for however much memory, yeah, then that block is just repeated
multiple times. You can do them sequentially or all at the same time, with more memory obviously, but it is a way to make it slower. Yeah, it's not clear from the... it is very not clear, because, you know... Thanks for correcting me. Okay, more questions? Well, then I would just say thank you, JP. No, thank you, Per. Thank you.