rfc:argon2_password_hash
Differences
This shows you the differences between two versions of the page.
rfc:argon2_password_hash [2016/08/17 18:49] – charlesportwoodii | rfc:argon2_password_hash [2018/03/01 23:27] (current) – RFC was implemented in PHP 7.2 carusogabriel | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== PHP RFC: Argon2 Password Hash ====== | ====== PHP RFC: Argon2 Password Hash ====== | ||
- | * Version: 0.6 | + | * Version: 0.8 |
* Date: 2016-07-10 | * Date: 2016-07-10 | ||
* Author: Charles R. Portwood II < | * Author: Charles R. Portwood II < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
Line 13: | Line 13: | ||
- And a parallelism factor, which defines the number of parallel threads | - And a parallelism factor, which defines the number of parallel threads | ||
- | Argon2 comes in two distinct flavors, Argon2i and Argon2d. Argon2i which is optimized for password hashing and password based key derivation. | + | Argon2 comes in two distinct flavors, Argon2i and Argon2d. Argon2i which is optimized for password hashing and password based key derivation. |
===== Proposal ===== | ===== Proposal ===== | ||
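Review bot: The flavors paragraph still carries the fragment "Argon2i which is optimized for password hashing and password based key derivation." into the new revision. Drop "which" and hyphenate the compound so it reads "Argon2i is optimized for password hashing and password-based key derivation."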
Line 39: | Line 39: | ||
< | < | ||
- | memory_cost = 1 Mib | + | memory_cost = 1024 KiB |
time_cost = 2 | time_cost = 2 | ||
threads = 2 | threads = 2 | ||
</ | </ | ||
+ | |||
+ | All three values are integers. The memory cost represents the number of KiB that should be consumed during hashing. The default value is 1<< | ||
+ | |||
+ | The time cost represents the number of times the hash algorithm will be run. And the thread parameter indicates the number of CPU threads that will be used during hashing. | ||
==== Changes to password_hash() ==== | ==== Changes to password_hash() ==== | ||
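Review bot: The added sentence "The time cost represents the number of times the hash algorithm will be run" is imprecise for Argon2, where time_cost is the number of passes made over the memory block rather than repeated runs of the whole hash; suggest wording it as the number of iterations over memory. The threads sentence describes only CPU usage, but the parallelism value is also an input to the hash, so changing it changes the resulting hash; that is worth one clause here.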
Line 115: | Line 119: | ||
None. | None. | ||
- | ===== Open Issues ===== | + | ===== Discussion |
- | ==== Cost factors ==== | + | All issues in this section have been resolved. The primary discussion points and resolutions are outlined. |
+ | |||
+ | ==== [Resolved] | ||
This library initially proposed higher cost factors, but now proposes the following cost factors: | This library initially proposed higher cost factors, but now proposes the following cost factors: | ||
Line 127: | Line 133: | ||
</ | </ | ||
- | These cost factors are derived from: recommendations from the argon2 reference library and tests on low resource systems. | + | Due to the variety of platforms PHP runs on, the cost factors are deliberately set low as to not accidentally exhaust system resources |
+ | |||
+ | - Common Cloud Server 512 MB, 1 Core: 3-5 ms | ||
+ | - Common Cloud Server 2 GB, 2 Core, 1-3 ms | ||
+ | - 512 MB Raspberry Pi Zero: 75-85ms | ||
+ | |||
+ | As Argon2 doesn' | ||
==== [Resolved] m_cost, t_costs vs memory_cost, | ==== [Resolved] m_cost, t_costs vs memory_cost, | ||
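Review bot: The timings added to the cost factors discussion (3-5 ms and 1-3 ms on the two cloud servers) put the defaults at a few milliseconds per hash on ordinary server hardware, so a sentence telling readers to benchmark on their own systems and raise memory_cost and time_cost belongs next to these numbers. The list also does not say which cost values the three timings were measured with, and its formatting is inconsistent: the second item uses a comma where the others use a colon, and "75-85ms" lacks the space used in the other entries.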
Line 133: | Line 145: | ||
The reference material uses m_cost and t_cost. End users might find it easier to use memory_cost and time_cost. The cost variables have been changed to the latter to simplify cost selection for the end user. | The reference material uses m_cost and t_cost. End users might find it easier to use memory_cost and time_cost. The cost variables have been changed to the latter to simplify cost selection for the end user. | ||
- | ==== [Resolved ]Providing default options ==== | + | ==== [Resolved] Providing default options ==== |
Providing default options allows for ease of use, and encourages use. Not providing options encourages experimentation on your system, but discourages use from people unfamiliar with the algorithm. | Providing default options allows for ease of use, and encourages use. Not providing options encourages experimentation on your system, but discourages use from people unfamiliar with the algorithm. | ||
Line 173: | Line 185: | ||
Voting will be open for 2 weeks. | Voting will be open for 2 weeks. | ||
- | <doodle title=" | + | <doodle title=" |
* Yes | * Yes | ||
* No | * No | ||
Line 180: | Line 192: | ||
===== Patches and Tests ===== | ===== Patches and Tests ===== | ||
- | A working patch is available at: https:// | + | A working patch against the latest version of the Argon2 reference library |
===== Implementation ===== | ===== Implementation ===== | ||
- | After the project is implemented, | + | - Merged in 7.2 |
- | - the version(s) it was merged to | + | - Commit: https:// |
- | | + | |
- a link to the PHP manual entry for the feature | - a link to the PHP manual entry for the feature | ||
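Review bot: The template item "a link to the PHP manual entry for the feature" is still present, unfilled, after the new "Merged in 7.2" and "Commit:" entries in the Implementation section. Replace it with the actual manual link or remove it.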
Line 207: | Line 218: | ||
- 2016-08-01: 0.5 Voting closes due to issue with RFC, removing 7.4 and adding new issues brought up during vote | - 2016-08-01: 0.5 Voting closes due to issue with RFC, removing 7.4 and adding new issues brought up during vote | ||
- 2016-08-01: 0.6 Removing Argon2 from password_*, changing configure flag to --with-password-argon2 for clarity of scope | - 2016-08-01: 0.6 Removing Argon2 from password_*, changing configure flag to --with-password-argon2 for clarity of scope | ||
+ | - 2016-08-18: 0.7 Adding clarity on new cost factors | ||
+ | - 2016-08-24: 0.8 Voting re-opened | ||
+ | - 2016-09-08: 0.8 RFC accepted, voting closed |
rfc/argon2_password_hash.1471459757.txt.gz · Last modified: 2017/09/22 13:28 (external edit)