#argon2

At System76, we pride ourselves on making computers by nerds, for nerds. Our dedicated group of engineers work hard to create the best solutions for like-minded professionals, including on our website.

Today, we’re happy to announce new security updates for all system76.com accounts in the form of Recognizer, our open source authenticator service. The most notable changes this tool brings are the introduction of two-factor authentication and an upgrade in password hashing to further protect your login credentials. These updates, releasing this Thursday (February 11th 2021), will substantially increase security and make our site more flexible as we grow. Once the update is released, all users will be required to reset their password.

Two-Factor Authentication

Setting up two-factor authentication protects your account in the event that someone gets ahold of your login credentials. Beginning Thursday, February 11th, you can turn on 2FA by signing in to your system76.com account. From there, go to the Account Details page, where you’ll find the Two-Factor Authentication section. Follow the instructions to link your account with your third-party authentication app, such as Google Authenticator or 1Password.

Under the hood, System76 uses the Erlang ‘pot’ library, which generates RFC 6238 time based one-time tokens compatible with these third-party apps. Our authentication system also uses OAuth2.0 and JSON Web Token (JWT), two secure industry standards for authorization flows and communication between systems. The use of OAuth2.0 opens up the door for the potential to sign in with a third party, or even Pop!_OS, using a “Log In with System76” button; though for now, it’s only being used with System76 projects.

Password Hashing

Another piece within Recognizer is the migration to Argon2 password hashing. In addition to sounding delicious, password hashing is a secure way to store passwords for when you want to access your account at login. Passwords are transformed into a long string of characters that cannot be converted back to your actual password. A “salt” is added for further security, which adds a random set of characters to your password hash. This ensures your password is linked solely to your account, even in the event that another account uses the same password as you. Lastly, we increased our password requirements to include a minimum character length, special characters, capital letters, and numbers.

While your passwords have always been stored safely, we’re taking this opportunity to move to a newer and stronger algorithm. We chose Argon2 for its modern hashing technique and resilience to new attack methods. It also has a standard format for storing the hash, salt, and parameters as a single string, making it easy to change hashing options in the future without having to force a password reset. However, because existing passwords are currently hashed using an alternative algorithm, all existing users will need to reset their passwords to migrate their accounts over to this new algorithm on Thursday, February 11th.

Open Source Security Measures

System76 has always led by example with open source solutions. So far, we’ve open sourced our Protobuf messages, our notification microservice, and our Zendesk integration. The newest addition, Recognizer, is written in Elixir, styled in Bulma, and released under a GPLv3 license.

Argon2id output size must match the private key size of Ed25519: 256 bits.

The other Argon2id parameters can just be left configurable in the implementation, but there are some universally applicable ideas:

You are competing with the insecurity of just sending the plain password to the server. Any parameters are profoundly more secure than that. The private key derived with this Argon2id run never leaves your client and is only around in memory momentarily. The server only sees that private key's signatures and public key.

The key UX consideration is how much time it takes and how much it bogs down the user's device from doing anything else useful while logging in. Unfortunately many users in the world still have fairly low-spec hardware, and you are competing with the speed of sending their password with plain text.

The recommended Argon2 tuning order is to raise memory as much as you can - the whole point of Argon2 is to be memory hard to take away any cost advantage from GPU, FPGA, and ASIC crackers - then raise the parallelism, then raise the iterations.

So that lets us figure out the best parameters that can be used across all devices with some minimum specs that we want to support while still having an acceptably fast login experience on all of them.

And obviously for users who know to seek out those settings, we could also let users raise their account's minimum Argon2id parameters higher than the default minimum.

But can we do even better?

In principle we could always have higher parameters than our secure minimum while keeping acceptably fast logins if the user's device has the specs for it. This just adds a small risk of a slow login if they later try to log in from an atypically low-spec or constrained system.

So why not just automate that process? First try to get larger allocations until the system refuses, while also doing a microbenchmark to test if using that much memory at once hits a slowdown. Then do a microbenchmark to see when speedup from parallelism drops off. You might be able to combine these two. Now start running an Argon2id implementation that gives you some way to choose at each iteration whether to stop or continue, and stop once you're less than one iteration's duration away from your maximum acceptable login time.

This is getting better, but what do you do for users who log in from devices with significantly different specs? Maybe they dropped and broke their phone so they're using an old temp phone for a while. Or they normally log in from a high-end gaming rig but today they're at grandma's and hopping on her budget computer to get something done.

When a user logs in, we have to use the saved parameters to check their login, otherwise Argon2id would give us a different private key and the Ed25519 public key wouldn't match the saved one.

But if the measured best parameters are different enough, then after logging in successfully we could start the creation of a new entry as a background lower-priority task.

Unless the user leaves in about a login's worth of time right after logging in, that will finish and we can save that so the login uses the best settings next time.

Okay but what about churn if you use multiple devices regularly? What about needlessly sending a less secured key after throwing away more secure parameter entry? What about needlessly spending more time logging in after throwing away a lower parameter entry?

We could actually have more than one entry of Argon2id parameters, salt, and public key for a user. So long as the minimum parameters meet our security bar, the only downside is a tiny risk of a weakness in the composition of Ed25519 deriving public keys from separate private keys that result from independently randomly salted and differently parameterized Argon2id runs somehow leaking statistical information about the password.

Each entry can be expired once it hasn't been needed for a login for too long - or we could even make the code pluggable, since this is a cache eviction problem and there are many different schemes for that, maybe someone knows a better one.

It feels vulnerable to a downgrade attack, but it isn't meaningfully so, because if you didn't have this scheme then you would just have to pick parameters that are secure enough - so just use those parameters as your minimums.

That seems pretty great, but there's a really sucky part to this scheme: both the login experience and the implementation suffer a lot when you are logging in from a much weaker system than any remembered entry. And I don't just mean it would be slow, I mean it might require your Argon2id implementation to handle cases like "every device until now let us use 2GiB of memory and this one's refusing to give us more than 256MiB, so now we have to compute the same result in an eighth of the space".

(Aside: this is a good example of why "limit this program to [amount] memory" is not really the right resource control knob a lot of the time if the implementation is "refuse to let the program address more memory" rather than "use swap space if it tries to have more memory" - code that is willing to give up speed to fit within your memory constraints shouldn't have to reimplement memory page swapping, and if you are not willing to give it that opportunity then that would be a different knob.)

One way to mitigate that sucky edge case:

Since you have an acceptable minimum parameterization of Argon2id anyway, just keep an entry for that permanently.

This is worse in the event of a server compromise than only having stronger parameter entries, but if you didn't have the dynamicism and multiple entries you would still always have this lowest secure parameters entry on the server,

It's still better than just having the lowest parameters in the absence of server secret storage compromise or downgrade attack, because you send a public key and signature corresponding to a private key derived from the password with better parameters.

So I've gone back and forth in my mind about this scheme being worth it or not. There is something really nice about users' password security organically automatically upgrading as their technology upgrades. On the other hand it is very complex, would require a lot of reimplemention of some of the most security-sensitive and "don't write this yourself unless you're a cryptographer and computer security expert!" parts of the system, with more cleverness and complexity than existing implementations.

I think the tie breaker for me is that this is all probably very temporary and maybe already obsolete. The future is not users logging in by typing in passwords that they remember. Asymmetric passwords is a great way to make that better, but that's going away. The future is your device knowing cryptographic keys for each login for you, and maybe one password securing the encrypted secret storage where those keys live.

The recent passkey announcements and standardization was a good reminder of that.

Over a year ago I did some testing and found that 128MiB, 1 lane, and 3 iterations was tolerably slow on some realistically old or weak phones and pretty great on new high-end ones. That's lower than you'd use for server-side password hashing, but I'd rather have the security increase of never sending the password to the server. So you could probably dial that up by approximately a year's worth of typical user technology spec improvement and still get a great login experience range.

The Argon2id variant with t=1 and 2 GiB memory is the FIRST RECOMMENDED option and is suggested as a default setting for all environments. This setting is secure against side-channel attacks and maximizes adversarial costs on dedicated brute-force hardware. The Argon2id variant with t=3 and 64 MiB memory is the SECOND RECOMMENDED option and is suggested as a default setting for memory-constrained environments.

This is higher than OWASP's minimum recommendations, but seems reasonably fine to throw at most modern hardware. (Although the "memory constrained" settings take more than half a second on a Pixel 5 in the browser, while trying for 2GiB just fails to allocate memory.)

Also interesting comment right above that:

[for Argon2d and Argon2id] 1 pass maximizes the attack costs for the constant defender time.

This lines up with recommendations I've seen of ramming up memory use as high as you find tolerable first, then parallelism, and only then iterarions.

You may remember that in my asymmetric password sketch, I was using 32 MiB, 1 lane, 3 iterations. (About a quarter of a second on Pixel 5 on the above tester website, but ~1.4 seconds on a Galaxy Samsung 5s. Plenty of users even in America are still using phones that have specs that low, as far as I know. For some more context, top spec smartphones in 2009 had 256 MiB of RAM, and one does not simply increase RAM without increasing bloat, so I imagine it's pretty safe to assume that in 2022 in developing poor countries we still have devices which either actually only have 256 MiB, or might as well be thought of as only having that much available for your app or browser page. Also I strongly suspect that I've tested the RFC's recommendations before and found them too slow to be satisfactory for a login experience.)

Some smart people, including allegedly two of the experts from the password hashing competition panel (the one that chose Argon2, thus giving it the recognition and adoption that it has today) have said that bcrypt is better than Argon2 if you're aiming at runtimes shorter than one second.

Personally I've had trouble actually tracking down this claim or the reasoning for it, and I don't feel like reaching out to the guy who made one of the tweets that people like to link for this claim. At least not yet.

There's also a lot of good arguments to be made about cache hardness as a special case of memory hardness, because the goal is giving different kinds of hardware even footing, and giving general-purpose hardware an advantage over dedicated cracking hardware. CPUs have small fast caches (but FPGAs and ASICs can be built that way too). GPUs are in a weird special case where they get much smaller memory per each of their many (very simplified) "cores".

Anyway, so what I'm saying is, maybe I'm wrong about Argon2id at those settings being better than bcrypt for the purpose of asymmetric password logins, especially when the clients are typically web browsers on users' phones and laptops. Maybe bcrypt would be better. Maybe something like Pufferfish2 would be better.

As I said when I first mentioned the Ristretto255, Argon2id, and Ed25519 combination, that's just what I would do right now, off the top of my head. I'm not an expert, I've just done a good faith effort, for some amount of time, to figure out what's good. Maybe someone can do better, or will brute force it with more time investment, or has other resources like greater willingness to reach out to the guy behind that tweet.

One great way to get help is to badly fail in public view, because then people will at least yell at you or talk about your failures in the third person.

Ideally it would just yield to the caller so they can run arbitrary logic to decide whether or not to resume.

(In fact it would be trivial, although opening the door to insecure misuse, to make it possible for the caller to grab the result at the end of every iteration, or resume from a given result, and this would allow things like pausing and resuming or all sorts of dynamic migrations and other mid-computation use-cases.)

But at a minimum, you let the caller give you a minimum iteration count, and a callback which reports if it is time to stop (or three return values: can continue, stop if minimum is reached, stop no matter what). And then the function could stop and report how many iterations it finished, and you could check it was too few.

This would provide an extremely elegant solution to this problem of dialing up Argon2 parameters as high as possible, automatically matching the capacity of the hardware while respecting actual human end-user priorities like time spent waiting.

(It would also go some way towards enabling you to have nice progress indicators in your UI, but you'd probably want smaller increments for that within each "iteration".)

The thing is, I would really like to get very secure parameters for Argon2id, but even a mere three iterations with one lane using 256 MiB of RAM costs one to three seconds on recent browser versions on recent hardware with high end specs. That's just for the Argon2id itself.

Those are not insecure parameters for Argon2id. You could go a lot lower and still be very secure. It won't withstand incomprehensibly expensive dedicated hardware farms like 32 iterations, 8 lanes, 16 GiB would. But it's not awful. Even 1 iteration, 1 lane, and 1 MiB RAM is still more secure than sending my password to the server every time I log in or set it!

At least then I can worry about whether or not someone is willing to spend lots of dollars and energy and silicon to crack my password within an unacceptably short time, rather than worrying about an intern logging my password in plain text on twenty hard drives in some cloud provider's data centers because they forgot to scrub the HTTP Authorization header first.

For comparison: bcrypt uses 4 KiB RAM. That's KiB, not MiB.

Meanwhile, on my Pixel 5 on this web page for calculating Argon2 in the browser, it reports around 250ms to run Argon2id, 3 iterations, 1 lane, 16 MiB. If we just naively run the numbers, for the price of a quarter second, I still forced a cracking ASIC/FPGA/GPU for my Argon2id parameters to have many times more RAM than it would need for bcrypt. Now, I'm sure there's some fancy optimizations, and space-time trade-offs, and other factors which mean you can't just compare memory requirements. Especially since the whole point is that you can get equivalent protection by dialing down memory and dialing up iterations, or vice versa. But the point is it's easy enough to get it more expensive than a comparable bcrypt cracker.

On a Samsung Galaxy 5s from over half a decade ago, the same settings on the same website took around 1400ms. That's not ideal, but if you're using hardware that old or weak, you're used to stuff being a bit on the slow side. (And if I drop the iteration count down to 2, which is still within OWASP minimum recommendations, even on that phone it starts to take only 900ms.)

So when I say I would like "very secure parameters for Argon2id", I don't mean acceptably secure. I mean I want to protect your grandma's Facebook password so hard that every spy agency, every military, every black budget, every criminal enterprise, every cryptominer, could be combining efforts to crack her password with the best Argon2id cracking hardware money can buy, at the best bulk prices, and they still all go bankrupt before getting to it, even though it's something obvious like "LoveMyGr4ndkids!" and she hasn't changed it in two decades and isn't going to for the rest of her life.

The thing is, I would really like to get very secure parameters for Argon2id, but even a mere time factor of three with one lane using 256 MiB of RAM costs one to three seconds on recent browser versions on recent hardware with high end specs. That's just for the Argon2id itself.

Of course, if I knew it was making my password resistant to cracking even by state-funded purpose-built ASIC farms, you could make me wait ten seconds to log in and I'd feel pretty good about it. But typical users might start dropping off after half-second delays, and if you can be so responsive that it feels instant, that matters a lot.

Also you could easily create a really nice interface which progressively loads and renders all the UI elements that don't reveal sensitive information while the password verification is happening. If you have an implementation of Argon2id which has hooks or incremental outputs for progress reporting, then you could even accurately and precisely show progress.

표준화된 비밀번호 해싱 알고리즘을 찾기 위한 PHC(Password Hashing Competition)에서 우승을 차지한 알고리즘 Argon2. 표준으로 제정되기 위한 절차를 밟기 위해 IETF에 draft를 제출했다고 한다.

기존에도 널리 쓰이고 있는 bcrypt나 메모리 사용량을 의도적으로 늘릴 수 있는 scrypt가 있지만, 쉽게 구현할 수 있다는 편리성이 Argon2의 가장 큰 장점인 듯.