
I was reading the post "Is it safe/wise to store a salt in the same field as the hashed password?":

`$argon2i$v=19$m=65536,t=3,p=1$YOtX2//7NoD/owm8RZ8llw==$fPn4sPgkFAuBJo3M3UzcGss3dJysxLJdPdvojRF20ZE=`

"My understanding is that everything prior to p= are parameters, the body of the p= is the salt, and the last part is the hashed password."

I do not understand the highlighted part. I thought `$` slices variant, version, parameters, salt and hash, so that:

  • p (parallelism parameter) = 1
  • salt = YOtX2//7NoD/owm8RZ8llw==
  • hash = fPn4sPgkFAuBJo3M3UzcGss3dJysxLJdPdvojRF20ZE=

Am I correct in identifying salt and hash here?

Mr.President
  • I hope you are asking this out of curiosity and not because you actually want to parse the output of some Argon2 tool. –  Dec 14 '19 at 10:48
  • @MechMK1: Thanks for replying, Sir. I was just trying to learn how to store passwords, learned that Argon2 is nice through a series of posts, but got stuck in this particular question (post) over identifying the salt, hence asked a question here. Everything is clear now... until I get stuck again. – Mr.President Dec 14 '19 at 13:09
  • I'm glad that you are asking questions, but my point was that if you are building a system that uses Argon2, you should not parse those things yourself. Instead, use a pre-built library that does all these things for you. –  Dec 14 '19 at 13:43
  • @MechMK1 Following your advice, I searched for a library. And now I am using `argon2-cffi`. – Mr.President Dec 19 '19 at 04:28

1 Answer


`$argon2i$v=19$m=65536,t=3,p=1$YOtX2//7NoD/owm8RZ8llw==$fPn4sPgkFAuBJo3M3UzcGss3dJysxLJdPdvojRF20ZE=`

  • argon2{i} - three types: i, d, id

    • Argon2d is faster and uses data-dependent memory access. Data dependency immediately enables side-channel attacks. This is suitable for cryptocurrencies and applications with no threats from side-channel attacks.

    • Argon2i uses data-independent memory access and this is preferred for password hashing and password-based key derivations.

    • Argon2id: in the first half of the first iteration it works as Argon2i and the rest works as Argon2d. This enables both side-channel protection and time-memory trade-off.

    And if you don't know the difference or you consider side-channel attacks as viable threats, use Argon2id.

    Better advice: "Use Argon2id unless you know you have a good reason to use any other mode", by MechMK1

  • v=19 - v for version, here version is 19

  • m=65536 - m is the integer representing the variable memory cost in kibibytes, here 65536 kibibytes.

  • t=3 - t is the integer representing the variable timing cost in linear iteration, here 3.

  • p=1 - p is the parallelization mechanism to control the amount of parallelization

  • salt - here YOtX2//7NoD/owm8RZ8llw==

  • digest - here fPn4sPgkFAuBJo3M3UzcGss3dJysxLJdPdvojRF20ZE=

Split on the `$` sign: the last token is the digest and the token before it is the salt.


Note: Argon2 is a key derivation function that was selected as the winner of the Password Hashing Competition in July 2015. The Specs paper;

kelalaka
  • I know the official description is "If you don't know the difference, use Argon2id", but I think a better description is "Use Argon2id unless you *know* you have a good reason to use any other mode". –  Dec 14 '19 at 11:51
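
The field layout described in the answer, as an added example that is not part of the original post or of any Argon2 library: a standard-library Python sketch that splits the encoded string on `$` and decodes the salt and digest so their sizes can be inspected. `Argon2Fields` and `parse_argon2` are hypothetical names, and the code assumes the version field is present as in the string on this page; for verifying passwords, use a library as the comments advise.

```python
import base64
import binascii
from dataclasses import dataclass

# The encoded string quoted in the question above.
SAMPLE = ("$argon2i$v=19$m=65536,t=3,p=1$YOtX2//7NoD/owm8RZ8llw=="
          "$fPn4sPgkFAuBJo3M3UzcGss3dJysxLJdPdvojRF20ZE=")

@dataclass(frozen=True)
class Argon2Fields:  # hypothetical container, not a library type
    variant: str
    version: int
    memory_kib: int
    time_cost: int
    parallelism: int
    salt: bytes
    digest: bytes

def _b64(field: str) -> bytes:
    # Accept the field with or without '=' padding (the sample keeps it).
    core = field.rstrip("=")
    try:
        return base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 field: {field!r}") from exc

def parse_argon2(encoded: str) -> Argon2Fields:
    parts = encoded.split("$")
    # The leading '$' produces an empty first token, hence 6 parts in total.
    if len(parts) != 6 or parts[0]:
        raise ValueError("expected $variant$v=N$m=..,t=..,p=..$salt$digest")
    _, variant, version, params, salt, digest = parts
    if variant not in {"argon2i", "argon2d", "argon2id"}:
        raise ValueError(f"unknown variant: {variant!r}")
    if not version.startswith("v="):
        raise ValueError("missing version field")
    costs = dict(kv.split("=", 1) for kv in params.split(","))
    if set(costs) != {"m", "t", "p"}:
        raise ValueError("expected exactly the m, t and p parameters")
    return Argon2Fields(variant, int(version[2:]), int(costs["m"]),
                        int(costs["t"]), int(costs["p"]), _b64(salt), _b64(digest))

if __name__ == "__main__":
    f = parse_argon2(SAMPLE)
    print(f.variant, f.version, f.memory_kib, f.time_cost, f.parallelism)
    print("salt bytes:", len(f.salt), "digest bytes:", len(f.digest))
```

For the string on this page the salt decodes to 16 bytes and the digest to 32 bytes.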