5

I was looking at the wiki for the node-argon2 package in npm, when I came around this justification for using argon2i as the default mode:

The variant of the hash function. Argon2 has several variants with different aims:

argon2d is faster and highly resistant against GPU attacks, which is useful for cryptocurrency
argon2i is slower and resistant against tradeoff attacks, which is preferred for password hashing and key derivation
argon2id is a hybrid combination of the above, being resistant against GPU and tradeoff attacks

This security.stackexchange post suggests that side channel attacks are not a big concern on server(which I assume is the application here), and that argon2id or argon2d would be better choices.

Additionally the claim that argon2i is better for password hashing because its slower seem dubious, since the number of iterations can be adjusted for any mode

Is there any truth to the statement "argon2i is slower and resistant against tradeoff attacks, which is preferred for password hashing and key derivation"?

SunshineToast
  • 88
  • 5
  • 1
    In general, you should stick to Argon2id unless you *know* you have a really good reason to use Argon2i or Argon2d. –  Oct 28 '19 at 14:27

2 Answers2

2

If you are verifying passwords, your first choice is Argon2id in all cases.

In the incredibly unlikely event that you can't use Argon2id, then the tradeoffs between Argon2i and Argon2d matter.

Argon2i is intended to prevent side-channel attacks. That is, if you have an unprivileged malicious process on your server, it could use CPU vulnerabilities like Specter to tease out enough details to reverse engineer the password. By randomizing its memory layout a bit, the malicious processes are far less likely to be able to listen in.

This is very important on servers; especially virtual servers running in cloud environments.

Argon2d, however, is intended to prevent optimizing parallel processing in memory constrained environments like on GPUs, FPGAs, and ASICs. The tradeoff here is that general purpose CPU cores tend to have access to a lot of memory, and multiple banks of memory can be mapped at the same time. GPUs have several programmable lanes (not exactly a CPU core; there's less branching allowed) that have access to far less memory at any given time. Switching the mapping of memory banks takes time and makes using a GPU less desirable. A password hashed by Argon2d is far more resistant to offline brute force attacks, because it is designed so that there should be no shortcuts that an attacker can take to run faster than a general purpose CPU.

If you know that you have physical security over your server (only you can touch it), and you have audited every piece of software on that server (not possible with a modern OS due to the vast amount of software on even the most barebones systems), then you can ignore Argon2i.

If you know that your user database will never be leaked, or you are working with cryptocurrencies where nobody knows which inputs will generate the desired output, you can ignore Argon2d. If you're a cryptocurrency designer who still thinks that proof-of-stake means proof-of-work, then you want the memory hardness of Argon2i, to disincentivize the GPU/FPGA/ASIC arms races that only serve to put money into the pockets of those who are already rich. (And the pockets of your electric company...)

If you are like 99.999% of site owners, use Argon2id.

Ghedipunk
  • 5,766
  • 2
  • 23
  • 34
1

It all depends on what you really want.

Argon2d is the faster variant using data-dependent memory access (to thwart trade-off attacks) making it suitable for applications where side-channel attacks are not a threat such as back-end servers or cryptocurrencies. It makes a single pass over the memory.

Argon2i is slower and uses data-independent memory access making it suitable for password hashing and password-based key derivation uses. It makes 3 passes over the memory.

Due to data-dependent memory access, A2D is less secure against cache-timing attacks, while the A2I is not.

By default, Argon2d makes a single pass over the memory and hence does not overwrite it, leaving it vulnerable to GCAs (Garbage Collector Attacks). Argon2i, by contrast, makes three passes over the memory and hence overwrites it twice thus thwarting any kind of GCA since even complete access to all post-computation memory by the attacker would require them to make two passes over the memory to test password candidates.

You can read the above and much more details here.

Overmind
  • 8,779
  • 3
  • 19
  • 28