Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94857
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain ethreal.net designates 209.85.218.48 as permitted sender)
MIME-Version: 1.0
Sender: charlesportwoodii@ethreal.net
In-Reply-To: <81b5a129-9c90-0a54-921f-7e1f9b5f727f@thefsb.org>
References: <CAGC=tRnpka_ym=f-xsskjeiPaqahsTEAxPq9=E8Z73KQKeRrHg@mail.gmail.com>
 <81b5a129-9c90-0a54-921f-7e1f9b5f727f@thefsb.org>
Date: Fri, 5 Aug 2016 09:49:43 -0500
Message-ID: <CAGC=tR=4v0KAkqnU1Q3Fr5AeM8o_PuJfP9rYQ_s4X3=Z9UUh=w@mail.gmail.com>
To: Tom Worster <fsb@thefsb.org>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a113adc3e8010080539542e56
Subject: Re: [RFC][DISCUSSION] Argon2 Password Hash
From: charlesportwoodii@erianna.com ("Charles R. Portwood II")

--001a113adc3e8010080539542e56
Content-Type: text/plain; charset=UTF-8

On Fri, Aug 5, 2016 at 9:19 AM, Tom Worster <fsb@thefsb.org> wrote:

> On 8/5/16 8:47 AM, Charles R. Portwood II wrote:
>
> The RFC is available at: https://wiki.php.net/rfc/argon2_password_hash
>>
>> .
>>
>
> Hi Charles,
>
> Thanks for doing this. I'm glad Argon2 is coming to PHP.
>

Hi Tom,

Thanks for the feedback!

You can have a longer voting period if you like, which I think would be
> a good idea.


Sounds good to me.

I think it's confusing to have two consts to identify the algorithm. I
> don't understand the analogy to PASSWORD_DEFAULT. If we only provide
> Argon2i, one const is easier. If we anticipate adding another Argon2
> algo in the future that is not backward compatible with this one then I
> don't think we would want to change PASSWORD_ARGON2 to point to it.


I agree. Originally there was PASSWORD_ARGON2I and PASSWORD_ARGON2D, with
PASSWORD_ARGON2 aliasing to PASSWORD_ARGON2I, but with Argon2d removed from
scope the extra constant is now largely unnecessary. I don't anticipate
Argon2 adding any additional algorithms at this point, given the spec and
reference library is finalized. I think for clarity, PASSWORD_ARGON2I would
be sufficient. What are your thoughts?

Finally, I wonder if it wouldn't be better if, for the time being, we
> do not provide default costs constants. Argon2 is new (as crypto algos
> go) and very early in a gradual introduction in deployments. And it is
> hard to use because of the three cost factors. Correctly tuning those
> for different machines is not yet a commonly-understood skill. (You
> even can find conflicting advice on how to tune Bcrypt's time factor.)
>


If, on the other hand, we omit the constants and require the $options
> argument then it discourages inexpert users. At the same time it
> encourages experimentation and understanding of the costs, among those
> who take an interest, which I think is just what we want.


The rationale for providing defaults is to ensure the password_* functions
remain easy to use. Assuming that at some point PASSWORD_ARGON2I (or any
new algorithm) would become PASSWORD_DEFAULT, the end user's expectations
would be that *password_hash($password, PASSWORD_DEFAULT)* just works,
without needing to specify additional arguments.

As the spec requires some minimum values to even work (and there's
recommendations from the developers [1]), I think we should be providing
defaults so that the algorithm works out of the box, though I agree they
could be set to lower values. Note that the spec does specifically say that
there is no "insecure" value for the memory and time cost attributes. If we
wanted to drop it to the minimum recommend by the developers, the values
would be:

m_cost = 16
t_cost = 2
threads = 1

I'm open to other suggestions or alternatives though.

Thanks,
*Charles R. Portwood II*

[1]: https://github.com/P-H-C/phc-winner-argon2/issues/144

--001a113adc3e8010080539542e56--