Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94887 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 20013 invoked from network); 6 Aug 2016 17:56:16 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 6 Aug 2016 17:56:16 -0000 Authentication-Results: pb1.pair.com header.from=charlesportwoodii@ethreal.net; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=charlesportwoodii@ethreal.net; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ethreal.net designates 209.85.218.41 as permitted sender) X-PHP-List-Original-Sender: charlesportwoodii@ethreal.net X-Host-Fingerprint: 209.85.218.41 mail-oi0-f41.google.com Received: from [209.85.218.41] ([209.85.218.41:32793] helo=mail-oi0-f41.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id FF/3B-33134-DB426A75 for ; Sat, 06 Aug 2016 13:56:15 -0400 Received: by mail-oi0-f41.google.com with SMTP id j185so401594242oih.0 for ; Sat, 06 Aug 2016 10:56:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ethreal.net; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=NQA/ZvtWOhKc0tScUPzdiUbEw/WZE8myKwq2sVYI7xc=; b=L/KK0jmflwGEw5WFOIlFF811VJ6ATMr5mYa70Ivy+ljtxIg4taDQ9E+mmdOX3P7yJ5 med5Czs0bmoyUZ4aMG77BeXc3XsmS2q358bePpckvKTCx5NVxHkrA1PD/vXML/jZGCLm 9dI1yAG818nDoTqLiwEqHaqy8X7cX3WjARZu4= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erianna.com; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=NQA/ZvtWOhKc0tScUPzdiUbEw/WZE8myKwq2sVYI7xc=; b=ZA0TfeOtJQWEF41/91B06+nuTeqcuU7Z13dQ9PCuO0dtEVmSpTc6DqWtVa1Ibcc4x1 x44fciDUCB00hMdJrSVsIPnSTFmFOz2xPmft9RHWYD5Js/NOHP12XgrzUXsJe83X7bob hcbcJRiZ8AVPtmnGy9R7swlynbL/1ZzjGAmvk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=NQA/ZvtWOhKc0tScUPzdiUbEw/WZE8myKwq2sVYI7xc=; b=Bx4jDrl87Af5vM8/GqP92O14s1qF6vsjaZXBoICZLp6KgudYXaGY9IeyqDSKIGTuEb U/ZFgvxDHeoA2cbDINAXahb2Mjxc7E2jgaFAa1tqXorGdPHp7rNZPgKyrO/OD+GS+QOI LXvoww2C5sYRKhbakNmBTdtl1HrtLcx2Im15ALGvRekWK440l2wgKFqJwHvI469FEOhb qsmpC3Awzqna76TNIBj8SqF5S15o+a9m4OmfUuKm+jon89i1vD1HR/LpkmYK/DNRR5cp U43btavpVwf/ikr8u66N053mYq+z1H8YkLKLotfLlcGZxUWWEAxe3Giaq3L7ig3M6Hw5 eUQA== X-Gm-Message-State: AEkooutx4xjv9qE2+jjSZTxCX/0iP94MaZnJwhZsA9UM7SIel3DNw2MQLDWKy0q2BSmR+KVSVh5H5J3WwLiIQA== X-Received: by 10.157.45.80 with SMTP id v74mr11463938ota.181.1470506170895; Sat, 06 Aug 2016 10:56:10 -0700 (PDT) MIME-Version: 1.0 Sender: charlesportwoodii@ethreal.net Received: by 10.182.191.72 with HTTP; Sat, 6 Aug 2016 10:55:50 -0700 (PDT) X-Originating-IP: [2601:246:100:db51:3187:c8d7:7134:3621] In-Reply-To: <05cf17898a22abc41664004ef8731342@k-piste.dy.fi> References: <81b5a129-9c90-0a54-921f-7e1f9b5f727f@thefsb.org> <9d2ef6f3a84333f35ebcb843ade65c22@k-piste.dy.fi> <05cf17898a22abc41664004ef8731342@k-piste.dy.fi> Date: Sat, 6 Aug 2016 12:55:50 -0500 X-Google-Sender-Auth: 4ZoO-iBsD1e26XByvsQfOHNGH5M Message-ID: To: =?UTF-8?Q?Lauri_Kentt=C3=A4?= Cc: Niklas Keller , Tom Worster , PHP internals Content-Type: multipart/alternative; boundary=001a113adc3ef4e5aa05396ae518 Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Argon2 Password Hash From: charlesportwoodii@erianna.com ("Charles R. Portwood II") --001a113adc3ef4e5aa05396ae518 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Sat, Aug 6, 2016 at 11:37 AM, Lauri Kentt=C3=A4 wrote: > On 2016-08-06 17:47, Charles R. Portwood II wrote: > >> Absolutely. What are your thoughts on the following cost factors? >> >> time_cost =3D 3 >> memory_cost =3D 12 >> threads =3D 1 >> >> The reference library provides a CLI program where these values are >> listed. A memory_cost factor of 12 would be 4 MiB. >> > > Looks like there's already some ambiguity in the parameters. > As I understand it, m_cost is the memory size in kilobytes. > Thus, m_cost =3D 4096 would be 4 MiB. > The source file you referenced [1] has actually LOG_M_COST_DEF, > where m_cost =3D 1 << LOG_M_COST_DEF. > > Testing with argon2_cffi [2] (Python) shows that your parameters > (with m_cost =3D 4096 =3D 4 MiB) take 57 ms per hash on my laptop > and 14 ms on my VPS, compared to bcrypt cost 10 taking 88 ms. > > Personally, I would be satisfied with even smaller parameters, > maybe something like memory_cost 512, time_cost 2, threads 2. > > Disclaimer: I'm not familiar with Argon2, I only looked shortly > at the source files and the Python library [2]. However, care > should be taken to use the correct definition for m_cost. > > [1] https://github.com/P-H-C/phc-winner-argon2/blob/master/src/run.c#L27 > > > [2] http://argon2-cffi.readthedocs.io/en/stable/parameters.html > > > > -- > Lauri Kentt=C3=A4 > Hi Laura, The confusion is on my part, I apologize. Both this implementation, and the Argon2 reference library use a bitwise shift on the memory cost factor. When I say "12", I'm really meaning "1<<12", which is 4096, or 4 Mib. [1][2]. The RFC itself actually states the bitwise shift in the examples, and for the cost factors represents it in Mib. We can drop the memory cost down lower if people would prefer that. My only concern with setting the default thread count to 2 is that it may cause problems for individuals on single core machines. The PHP implementation performs as follows from the CLI with the following cost factors on one of my VPS'. The time cost for each of the Argon2 implementations in this case is 3, with a thread count of 1. [3] 2 ms : argon2i, 256 KiB > 2 ms : argon2i, 512 KiB > 3 ms : argon2i, 1024 KiB > 17 ms : argon2i, 4096 KiB > 53 ms : argon2i, 16384 KiB 203 ms : argon2i, 65536 KiB Setting the memory cost to 4 MiB, or even 1 MiB are pretty fast in the PHP implementation. I think the following costs would be acceptable to avoid concerns over memory exhaustion. These appear to be the defaults outlined in the reference library's CLItool. memory_cost =3D 4 MiB, 1<<12 > time_cost =3D 3 > threads =3D 1 I think there's a bunch of ways we can tweak this. As there's no "bad" values for any of these cost factors per the spec, it may just be easy to set the costs even lower end user decide if they need to be increased (or increase them in core at a later time). memory_cost =3D 1 MiB 1<<10 > time_cost =3D 2 > threads =3D 1 On Sat, Aug 6, 2016 at 12:08 PM, Tom Worster wrote: > OK. I misunderstood what qualifies as "broken". Looks most like most > people want to set default costs right away so I'll leave it here. As for > choosing the right default values for PHP, what are the criteria? Typically a run time of of under 50 ms is the target goal. Argon2 can be tweaked to use a specific amount of memory, time, or CPU cores. Trying to find good default cost factors is problematic since all 3 of those factors are variable on any given machine. *Charles R. Portwood II* [1] https://github.com/P-H-C/phc-winner-argon2/blob/master/src/run.c#L160 [2] https://github.com/php/php-src/pull/1997/files#diff-c902 6333c79da7abe3b1285ef7c0c312R36 [3] https://gist.github.com/charlesportwoodii/3e113a53d243b5a722babfd421a93= d c3 [4] https://gist.github.com/charlesportwoodii/ceaa87c9a9adb069b9f2eaddf56ab= 8 71 --001a113adc3ef4e5aa05396ae518--