Comments (17)
Definitely a good idea.
It's probably a better default based on the above - which is a change from the earlier recommendation.
Give me a bit of time to work through this.
from ruby-argon2.
@ankane absolutely, I'll be making Argon2id the default in 2.0.
from ruby-argon2.
I completely agree that cryptography libraries should be designed to be hard to misuse, but don't think this falls into that category.
Regardless, thanks for adding Argon2id support 🎉
from ruby-argon2.
Plot twist: The reference C library has no tests for Argon 2id. Let me get a PR for that first.
from ruby-argon2.
@MidnightWonderer Just updating to note I've sent P-H-C/phc-winner-argon2#261 in to address the upstream issue, waiting on merge or feedback.
from ruby-argon2.
@midnight-wonderer Thanks for your patience with this. As you may have seen, my PR has been taken upstream.
I've pushed some commits to integrate support for 2id in our C bindings, and I'll be integrating verify support soon. Changing the actual default will take a major version bump, but we'll get there.
from ruby-argon2.
Thanks for all the updates @technion 👍 I'm excited to see this as well (and may make it the default for blind index in the future).
from ruby-argon2.
@ankane are you planning to upgrade from argon2i to argon2id for your indexes?
Does this actually a bad thing for indexing use cases?
from ruby-argon2.
@midnight-wonderer Planning to add a new algorithm type for it (to mirror CipherSweet blind indexes). What are you thinking?
from ruby-argon2.
I have tagged v1.2.0 which now supports verifying Argon2id hashes.
I will shift the default in master shortly but I'll take my time with tagging 2.0 and ensure it's correct.
from ruby-argon2.
Thanks @technion 💯 Are there plans to add support for creating Argon2id hashes (hash_argon2id
)?
from ruby-argon2.
@ankane I think that changing the algorithm would have the same result as changing salt (or key).
Not many people would decide to do it in their production environment.
This will be a bit off topic but just my 2 cents:
The indexing is a misuse of Argon2 in the first place IMHO. (There are parameters apart from salt stored in the encrypted data. e.g., algorithm version)
Encrypting just the password with Argon2 with a proper randomized salt, and never index any password, is what I would recommend.
from ruby-argon2.
I appreciate the feedback.
-
As you mention, current users would need to rotate the blind index to use the new algorithm, but I think it's a good choice for new users.
-
Two common use cases for Argon2 are password storage and key derivation. Blind indexing uses the second. https://libsodium.gitbook.io/doc/password_hashing/the_argon2i_function
from ruby-argon2.
Update: master now hashes to Argon2_id, whilst maintaining full backward compat. This feature needs better tests before its'fully baked.
from ruby-argon2.
@technion Awesome! I think it'd be good to have a separate function like hash_argon2id_encode
so Argon2i can still be used when desired.
from ruby-argon2.
@ankane I've had a goal here of not giving someone enough rope to hang themselves.
I certainly appreciate the need to support verifying all formats, but I can refer to the amount of in production code I've been told apparently uses the _salt_do_not_supply parameter in describing why just following current best practice is a better proposal.
Edit: To be clear though, this is a change that will necessitate a v2.0 version, and I'll keep 1.x supported as long as feasible. So if this matters, there is that option.
from ruby-argon2.
I'll close this off as master has covered everything I believe is necessary. I'll tag 2.0 shortly for release.
from ruby-argon2.
Related Issues (20)
- Gem fails to build under FreeBSD 12.0 HOT 8
- Unsigned RubyGem HOT 3
- Required Ruby Version unclear based on gemspec HOT 4
- Rubocop issues HOT 2
- Incompatible with other versions of Argon2 HOT 1
- RubyGems and Github naming mismatch HOT 2
- Allow providing parallelism cost parameter HOT 4
- Error when attempting to use fork HOT 12
- legacy.rb test unused and in broken state HOT 2
- Github Org for improved SEO HOT 2
- Unable to install latest on master via Bundler HOT 2
- :salt_do_not_supply option renamed HOT 4
- Fails to load with Rubygems 3.4 HOT 36
- RBS issue - Cannot find type `FFI::Library` HOT 1
- Memory cost definition HOT 2
- Incorrect initialization checks: `ARGON2_MEMORY_TOO_LITTLE` raised when m_cost < 3 HOT 1
- Cannot specify memory costs that aren't `2^N` HOT 2
- Default argon2.online builds a hash which ruby_argon2 cant verify HOT 1
- Add OWASP recommendations as additional profiles? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ruby-argon2.