I read an article about how to use Argon2id in C# here.

Below is the code they wrote (slightly edited):
using System;
using System.Diagnostics;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Konscious.Security.Cryptography;

namespace Playground
{
    class Program
    {
        // No. of CPU Cores x 2.
        private const int DEGREE_OF_PARALLELISM = 16;

        // Recommended minimum value.
        private const int NUMBER_OF_ITERATIONS = 4;

        // 600 MB (MemorySize is expressed in KB).
        private const int MEMORY_TO_USE_IN_KB = 600000;

        static void Main(string[] args)
        {
            var password = "SomeSecurePassword";
            byte[] salt = CreateSalt();
            byte[] hash = HashPassword(password, salt);

            var otherPassword = "SomeSecurePassword";
            var success = VerifyHash(otherPassword, salt, hash);
            Console.WriteLine(success ? "Passwords match!" : "Passwords do not match.");
        }

        // 16 random bytes from the OS CSPRNG; a fresh salt per password.
        private static byte[] CreateSalt()
        {
            var buffer = new byte[16];
            var rng = new RNGCryptoServiceProvider();
            rng.GetBytes(buffer);
            return buffer;
        }

        // Derives a 16-byte tag from the password with the configured cost parameters.
        private static byte[] HashPassword(string password, byte[] salt)
        {
            var argon2id = new Argon2id(Encoding.UTF8.GetBytes(password));
            argon2id.Salt = salt;
            argon2id.DegreeOfParallelism = DEGREE_OF_PARALLELISM;
            argon2id.Iterations = NUMBER_OF_ITERATIONS;
            argon2id.MemorySize = MEMORY_TO_USE_IN_KB;
            return argon2id.GetBytes(16);
        }

        // Recomputes the tag with the same salt and parameters and compares it.
        // Note: SequenceEqual is not a constant-time comparison.
        private static bool VerifyHash(string password, byte[] salt, byte[] hash)
        {
            var newHash = HashPassword(password, salt);
            return hash.SequenceEqual(newHash);
        }
    }
}
I have the following questions:
- On the Konscious.Security.Cryptography README page, instead of argon2id.GetBytes(16), they are using argon2.GetBytes(128), which returns a longer value. Assuming the configurations are the same, is the 128 approach more secure than the 16 one because it's longer?
- From what I understand, the more memory we let Argon2id use, the more secure it will be against customized hardware attacks. I therefore assume that even if 40 iterations with 70 MB and 4 iterations with 600 MB take roughly the same time, the latter configuration's larger memory cost is justified because it's more secure. Is this correct?
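As an added example (not the article's code nor the question author's), the program below times the two parameter sets named in the second question, stores the cost parameters next to the derived tag so verification can recompute with identical settings, and compares tags in constant time. It assumes the Konscious.Security.Cryptography package and .NET 6 or later; the password is a constructed sample.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;
using Konscious.Security.Cryptography;

static class Argon2Tuning
{
    // Candidate settings from the question: (iterations, memory in KB).
    // Both are expected to take roughly the same wall-clock time.
    static readonly (int Iterations, int MemoryKb)[] Candidates =
    {
        (40, 70_000),   // many passes over a small working set
        (4, 600_000),   // few passes over a large working set
    };

    // Derives a tag of the requested length; the cost comes from Iterations and MemorySize,
    // not from the number of output bytes asked for.
    static byte[] Derive(byte[] password, byte[] salt, int iterations, int memoryKb, int outputLength)
    {
        using var argon2id = new Argon2id(password)
        {
            Salt = salt,
            DegreeOfParallelism = Environment.ProcessorCount, // thread count, tune to the host
            Iterations = iterations,
            MemorySize = memoryKb,
        };
        return argon2id.GetBytes(outputLength);
    }

    static void Main()
    {
        byte[] password = Encoding.UTF8.GetBytes("SomeSecurePassword"); // constructed sample
        byte[] salt = RandomNumberGenerator.GetBytes(16);

        foreach (var (iterations, memoryKb) in Candidates)
        {
            var sw = Stopwatch.StartNew();
            byte[] hash = Derive(password, salt, iterations, memoryKb, 32);
            sw.Stop();

            // Verification must use the same salt and parameters, so persist them with the hash.
            byte[] again = Derive(password, salt, iterations, memoryKb, 32);
            bool ok = CryptographicOperations.FixedTimeEquals(hash, again);

            Console.WriteLine($"t={iterations} m={memoryKb} KB: {sw.ElapsedMilliseconds} ms, " +
                              $"verify={ok}, working set about {memoryKb / 1024} MB");
        }
    }
}
```

The tag length passed to GetBytes (16, 32 or 128) does not change the memory-filling work that dominates Argon2's cost, so the timings reflect only the iteration and memory settings.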