
[openpgp] [PATCH] RFC4880bis: Argon2i

2015-10-18 09:20:17

Attached is a patch against RFC 4880bis in
git:// to include Argon2i as an S2K method.


  * I have made room for 256-bit nonces. The Argon2 paper[0] recommends
    16 byte nonces for password hashing with a maximum length of 2^32-1.
    My reason for this is to make the nonce size equal to the AES-256
    key size so that we enjoy full key strength without relying on the
    password to contribute any entropy at all.
  * What do others think about the RECOMMENDATION of a parallelism
    degree of 1? Are use-cases known where hosts are unable to do
    multi-threading (well)?
  * Argon2 is not final yet, as far as I understand. The reference to it
    in template.xml should be checked/updated once it is.
      o Is considered a stable location to link to?
  * Private keys now MUST be protected using a salted S2K scheme

Looking at, HKDF should be removed from
the S2K candidates. From the HKDF paper[1]:

    "typical PBKDFs [...] use [...] salt [...] and (ii) the slowing down of
    the KDF operation [...] This makes PBKDFs very different than the
    general-purpose KDFs studied here. In particular, while passwords can
    be modeled as a source of keying material, this source has too little
    entropy to meaningfully apply our extractor approach"

So it cannot be used directly and the changes required to make it a
suitable PBKDF would replicate the work done for the Password Hashing
Competition[2] which selected Argon2 as the basis for its winner[3].




Attachment: rfc4880bis-argon2.diff
Description: Text Data

openpgp mailing list
  • [openpgp] [PATCH] RFC4880bis: Argon2i, Nils Durner <=