27

I've read the manual, and multiple articles / StackExchange posts about this topic, but still can't decide which implementation of Argon2 is best for my use case.

I want to securely encrypt passwords in a database in an unshared environment. After first pass of the docs (pun intended) it sounded like Argon2i is recommended in this case, but I feel like it's more likely for someone to gain access to the database directly and try to execute a GPU/ASIC/FPGA based attack to decrypt the data than someone gaining access to the network and attempting a side-channel attack.

I would like to prevent side-channel attacks if possible too, so that sounds like Argon2id is the way to go, but my understanding is the i-portion of the implementation only does one pass. Does the one pass really offer much protection against side-channel attacks (I read 3+ or even 10+ passes are needed to really secure Argon2i) and is there a way to increase the number of passes for the i-portion before the d-portion kicks in?

If Argon2id is the implementation for my use-case, but I can't increase the number of passes for the i-portion, would it make sense to effectively create my own "Argon2id" by implementing the Argon2i algorithm first, and then running the output through the Argon2d algorithm after?

J.D.
  • Related: https://crypto.stackexchange.com/q/48935/54184 – forest Aug 07 '19 at 05:02
  • (4) Running Argon2 twice, giving each $\frac{t}{2}$ time, is basically less secure than running Argon2 once for $t$ time. (Same for any other split, not just 50-50.) The recommendation to first set the memory cost as high as possible and then set the number of passes as high as tolerable for that amount of memory is good advice. – Future Security Aug 08 '19 at 19:52
  • (3) Argon2id is its own algorithm. Caveats concerning Argon2i do not automatically apply to Argon2id. The newest documentation (Argon2 v 1.3) came after the TMTO discovered for a previous version of Argon2i. The newest designs and recommended method to choose parameters already takes the potential problem into account. – Future Security Aug 08 '19 at 20:08
  • A side channel attack on an unshared environment can be performed via JavaScript. So, turn off your browser when doing key stretching (especially if you browse shady websites). But I think it's very unlikely. I can't think of other realistic side channel attacks on a normal PC (not a server). – Valentin Stoykov Oct 21 '23 at 01:10

1 Answer

29

If you are unsure, then always choose Argon2id. Only choose Argon2d if you need maximum security at the expense of side-channel risk, and only choose Argon2i if side-channel attacks are the primary threat.

The number of passes just increases resistance to time-memory tradeoff attacks (TMTO). What you are probably remembering is that Argon2i is more vulnerable to TMTO attacks, and thus needs more passes to obtain the equivalent level of security. Argon2id uses the Argon2i pass to resist side-channel attacks, and the subsequent Argon2d passes to make up for TMTO resistance that the first pass lacks.

If an attacker performs a perfect side-channel attack and breaks the Argon2d portion, then they will still need to perform a very extensive TMTO attack to break the Argon2i passes. Compare this with pure Argon2d, where a successful side-channel attack completely negates its memory hardness. In other words, a side-channel attack against Argon2id reduces its security to that of one-pass Argon2i.

Note that some of the more severe TMTO attacks against Argon2i have actually been fixed.

forest
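One practical use of the advice in this answer (and of the "memory first, then passes" comment on the question), as an added example that is not code from the question, the answer or any Argon2 project: a small audit that parses stored Argon2 hashes in PHC string format and flags records whose variant, version, memory or pass count fall short of a policy shaped by the guidance above. The policy thresholds, the `shared_host` flag and the sample records are assumptions constructed for the example.

```python
import base64
import re

# Assumed policy values (not from the page): set memory first, then as many
# passes as tolerable; Argon2i gets a higher floor for its weaker TMTO resistance.
MIN_MEMORY_KIB = 64 * 1024
MIN_PASSES = {"argon2id": 2, "argon2i": 3, "argon2d": 2}

# PHC string layout: $argon2id$v=19$m=65536,t=3,p=4$<salt b64>$<tag b64>
_PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))(?:\$v=(?P<version>\d+))?"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<tag>[A-Za-z0-9+/]+)$")

def _b64len(s: str) -> int:
    # PHC base64 is unpadded; restore padding before decoding.
    return len(base64.b64decode(s + "=" * (-len(s) % 4)))

def parse_phc(encoded: str) -> dict:
    m = _PHC_RE.match(encoded)
    if not m:
        raise ValueError("not an Argon2 PHC string")
    return {"variant": m["variant"],
            "version": int(m["version"]) if m["version"] else 0x10,  # no v= means 1.0
            "memory_kib": int(m["m"]), "passes": int(m["t"]), "lanes": int(m["p"]),
            "salt_len": _b64len(m["salt"]), "tag_len": _b64len(m["tag"])}

def audit(encoded: str, shared_host: bool = True) -> list:
    """Policy findings for one stored hash; an empty list means it is acceptable."""
    p = parse_phc(encoded)
    findings = []
    if p["version"] < 0x13:
        findings.append("older than Argon2 1.3 (v=19); rehash with a current version")
    if p["variant"] == "argon2d" and shared_host:
        findings.append("Argon2d has no side-channel resistance; prefer Argon2id")
    if p["memory_kib"] < MIN_MEMORY_KIB:
        findings.append(f"m={p['memory_kib']} KiB is below the policy minimum")
    if p["passes"] < MIN_PASSES[p["variant"]]:
        findings.append(f"{p['variant']} with t={p['passes']} is below its pass floor")
    if p["salt_len"] < 16 or p["tag_len"] < 16:
        findings.append("salt or tag shorter than 16 bytes")
    return findings

# Constructed sample records (dummy salt/tag bytes, not real password hashes).
def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode().rstrip("=")
_SALT, _TAG = _b64(bytes(range(16))), _b64(bytes(32))
SAMPLES = {"id_ok": f"$argon2id$v=19$m=65536,t=3,p=4${_SALT}${_TAG}",
           "i_weak": f"$argon2i$v=19$m=65536,t=1,p=4${_SALT}${_TAG}",
           "d_legacy": f"$argon2d$m=4096,t=3,p=1${_SALT}${_TAG}"}
```

Run `audit()` over every stored record; anything that returns findings is a candidate for transparent rehashing at the user's next successful login, since the stored tag cannot be upgraded without the password.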
  • "What you are probably remembering is that Argon2d is more vulnerable to TMTO attacks..." Is there a typo? I thought it was Argon2i that is more vulnerable to TMTO attacks. – Explorer09 Oct 25 '22 at 06:00
  • @Explorer09 Yes, that was a typo. Corrected. – forest Oct 31 '22 at 22:47
  • "In other words, a side-channel attack against Argon2id reduces its security to one-pass Argon2i."..... Should it not be "Argon2d reduces its security...." because in that paragraph you are talking about 2d and 2i? – BeeGees Feb 09 '23 at 03:56
  • (1) @BeeGees I meant that a successful side-channel attack against the hybrid Argon2id reduces its security, but it doesn't make it any weaker than one-pass Argon2i. – forest Feb 09 '23 at 05:51
  • @forest thanks. And if I need to have an encrypted data file in my PC, and I am not moving it anywhere else (like on the cloud or any other location), then do I use 2d or 2id (these are the only 2 options I have? And frankly I do not fully understand what a side-channel attack actually does in the PC) – BeeGees Feb 09 '23 at 17:34
  • (1) @BeeGees If there could be a malicious program running on the computer at the same time that Argon2 is running, then a side-channel attack is relevant. If that's not the case (for example, you have an encrypted root partition and the computer is asking for the key at boot), then you can safely use Argon2d. If you will ever have, say, a web browser open at the same time that you input the password to Argon2, then it would be wise to use Argon2id. – forest Feb 10 '23 at 01:52
  • @forest thanks. I am still a bit in doubt. I am actually using KeePass password manager. They have given 2d and 2id as the 2 options for the "Key Derivation Function" to be set for a KeePass data file that contains the passwords. The KeePass file is opened and used just on the PC Computer. But, KeePass has a feature called AutoType password which types the Password from KeePass into the WebPage Fields. Do you think a side-channel attack could happen in such a situation? In which case do I need to opt for 2id instead of 2d? – BeeGees Feb 10 '23 at 07:19
  • @forest Actually I am not in any doubt. I think I will opt for 2id to avoid a possibility of a side-channel attack. But I just wanted to ask that in a specific case like this where the AutoType feature of KeePass types onto the Web Page, is a side-channel attack possible, or is it only possible when we take anything from the Web Page into our Application. – BeeGees Feb 12 '23 at 05:53
  • (1) @BeeGees Unless you have a specific reason not to, use Argon2id. For a password manager like that, yes, you should absolutely be using Argon2id. – forest Feb 14 '23 at 00:16
  • Thanks @forest. I will use Argon2id. – BeeGees Feb 14 '23 at 03:53