Comments (9)
Using V1.0.9 Nuget Package and the default implementation with a lower work factor.
Argon2.Hash("foo", 1);
Argon2.Verify(hashString, password)
from isopoh.cryptography.argon2.
Oh and I'm using it in an IIS hosted ASP.Net application with multiple worker processes in the application pool.
from isopoh.cryptography.argon2.
The code attempts to lock the sensitive information into RAM such that it will never get swapped to disk. This request can be denied by the operating system. On Windows systems it uses VirtualLock and that can fail. I haven't seen it fail in my real-life use cases but I can make it fail in tests. Perhaps your server you is putting more pressure on the operating system than mine :-)
I thought I got all the calls to lock memory to degrade from SecureArrayType.ZeroedPinnedAndNoSwap to SecureArrayType.ZeroedAndPinned. Apparently I missed some....Working on it...
from isopoh.cryptography.argon2.
Uploaded v1.0.9 to nuget.org. I found 4 locations that wouldn't gracefully degrade to merely pinning the memory. Hopefully this bug fix works for you.
shewison, I'm a little concerned that you ran into this bug when the similar code we run (an IIS ASP.Net application) never ran into the bug. Our server has had at the most 30-50 users a day and I doubt we get more than one or two logins a minute so perhaps we just never exercised the code as much as you. But, it is also possible that you are somehow doing VirtualLock
calls elsewhere - either using and holding onto SecureArray
instances beyond when you need to or using some other code that makes VirtualLock
calls. Locking memory eats system resources and the Argon2 code tries to hold memory locked for as short a time as it can. If you have other code locking memory to the point where you saw this behavior, you may experience degradation in performance across your entire system. But, because I've been playing with this, I have found that sometimes the Windows just doesn't allow a VirtualLock
and if you try a second time immediately, it will go through - I never tried coding around that because, like I said, the few places we've used this library has never needed to.
from isopoh.cryptography.argon2.
mheyman, thanks looking at this so quickly.
I'm not using VirtualLock
elsewhere. We operate at a level of 200+ concurrent users at busier times. We also have a product where its usage is clustered around specific times of the day and affinity with the NLB cluster is set to network. So all users at the same site share the same server within the cluster. So there's a reasonable risk of collision with multiple hashes taking place at once.
The web cluster is virtual and running on a hyper-v host. Not sure how this plays into the problem?
I did see your "try again, it may work" comment in the exception. So that was my initial solution, if it fails, wait 500ms and try again. This has reduced the incident rate within the UX.
My next release is scheduled for later this week. I'll update the Nuget package and report if there has been a change.
from isopoh.cryptography.argon2.
mheyman,
I've now published the updated package and have been monitoring the logs for a couple of days.
There has been no new occurrences of the LockFailException
.
I'm happy for this issue to be closed. Thanks again for responding so promptly.
from isopoh.cryptography.argon2.
Hi!
I got this error in 1.0.8
Isopoh.Cryptography.SecureArray.LockFailException
Failed to lock 9 bytes into RAM. Currently available: 0 bytes. Failed to securely lock 9 (prevMin=204800, min=204800, prevMax=1413132288, max=768888832, prevFlags=10, flags=10, prevCur=640741376, cur=640741376) bytes at 0x13FA25FA900. Error: Insufficient quota to complete the requested service..
and updatet, because of this thread to, to 1.1.2. I also set the memorycost lower than deftault:
Argon2.Hash(password,1,32768);
and got the same error.
Its an Windows MVC WebApplication on an webserver with 4GB of Ram.
Is there a way to prevent this error?
Thanks in advance
Steeeve
from isopoh.cryptography.argon2.
Steeeve, you don't have the latest version. I had to upgrade to v1.0.9 but despite the lock exception being resolved I found this library struggled in a high volume web environment and instead changed to BCrypt.
from isopoh.cryptography.argon2.
Shewison, I'm on 1.1.2, which is the newst version on nuget...
I the problem persists I also hat to change to an other system - me not like 👎
from isopoh.cryptography.argon2.
Related Issues (20)
- Running on Hololens UWP HOT 3
- Blazor WebAssembly option for SecureArray.DefaultCall HOT 4
- Errors appearing after creating first project with .Net "core" 5. HOT 2
- Output hash doesn't match output from argon2 linux utility HOT 2
- System.TypeInitializationException with .NET native on UWP
- Retrieving version being used HOT 1
- OutOfMemoryException when creating Argon2() HOT 1
- Clarification on conflicting licenses (CC0/CC4/attribution?) HOT 1
- Memory allocate issue ? HOT 1
- No clear way to disable memory binding HOT 2
- Update dependencies for target `net6.0` HOT 3
- Memory leak in Verify() HOT 4
- High Heap Using
- Incorrect output when generating more than 64 bytes HOT 5
- Release 1.1.11 breaks Verify method. HOT 1
- Exploding memory usage HOT 1
- pinvokestackimbalance on Windows memset call HOT 1
- Memory is not being released HOT 3
- Hash without salt is corrupt
- error CS0103: The name 'Argon2' does not exist in the current context HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from isopoh.cryptography.argon2.