In a browser environment (Chrome on a MacBook Pro M1 2020, 16GB RAM), client.finishRegistration and client.finishLogin each run for about ~13 seconds. This is with the recommended configuration of 2GB memory, one iteration and parallelism of 4.
I'm wondering if the recommended configuration should be changed or extended to also include a configuration that makes sense for such a browser environment.
Possible option:
2^16 (64MB) memory, 3 iterations, 4 parallelism. This is the recommendation of the Argon2id RFC for memory-constrained environments https://www.rfc-editor.org/rfc/rfc9106.html#name-recommendations. This makes the functions each run for about ~1 second in Chrome on a MacBook Pro M1 2020, 16GB RAM.
Note: We noticed that when using 2^21 memory WebAssembly would error once the function is invoked. It works with (2^21)-1. This could be an implementation detail, but thought it was worth mentioning.
Feedback is very welcome. If it doesn't make sense to change the options I'm wondering what might be good parameters as defaults/presets in our case. Here is our WIP PR: serenity-kit/opaque#127
Hi @nikgraf, the configurations section caveats these parameter choices with the following statement:
"Absent an application-specific profile, the following configurations are RECOMMENDED:"
It's difficult for the draft to take a stance on these parameters which would work for all contexts, and a browser environment / WebAssembly with limited memory would definitely constitute an "application-specific profile" in my mind. So, if I were you, I would go with the "2^16 (64MB) memory, 3 iterations, 4 parallelism" option that the Argon2id RFC recommends.
However, I don't think we will change the existing draft text to accommodate this option, since the text already comes with the caveat mentioned above.
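Added example, not part of the thread and not code from opaque-ke or serenity-kit/opaque: a JavaScript preflight check for the Argon2id parameter sets discussed above, using the RFC 9106 input ranges and its rounding of memory to a multiple of 4 × parallelism KiB. The function and preset names are hypothetical, and the single-allocation cap of 2^31 - 1 bytes is an assumption about a 32-bit WebAssembly build; under that assumption 2^21 KiB is rejected while (2^21)-1 KiB passes, which would be consistent with the behaviour reported in the issue.

```javascript
// Added example; names are hypothetical, not serenity-kit/opaque or opaque-ke code.
const KIB = 1024;
// Assumption: 32-bit wasm build whose allocator caps one allocation at 2^31 - 1 bytes.
const MAX_SINGLE_ALLOC_BYTES = 2 ** 31 - 1;
// wasm32 linear memory limit: 65536 pages of 64 KiB (4 GiB).
const WASM32_MAX_LINEAR_BYTES = 65536 * 64 * KIB;

// Parameter sets mentioned in the thread; memory cost is in KiB (RFC 9106).
const PRESETS = {
  recommended2GiB: { memoryKiB: 2 ** 21, iterations: 1, parallelism: 4 },
  oneKiBLess: { memoryKiB: 2 ** 21 - 1, iterations: 1, parallelism: 4 },
  memoryConstrained: { memoryKiB: 2 ** 16, iterations: 3, parallelism: 4 },
};

function checkArgon2idParams({ memoryKiB, iterations, parallelism }) {
  const problems = [];
  if (![memoryKiB, iterations, parallelism].every(Number.isInteger)) {
    return { ok: false, effectiveKiB: 0, memoryBytes: 0, problems: ["parameters must be integers"] };
  }
  // RFC 9106 section 3.1 input ranges.
  if (parallelism < 1 || parallelism > 2 ** 24 - 1) problems.push("parallelism out of range");
  if (iterations < 1 || iterations > 2 ** 32 - 1) problems.push("iterations out of range");
  if (memoryKiB < 8 * parallelism || memoryKiB > 2 ** 32 - 1) problems.push("memory out of range");
  // Argon2 rounds memory down to a multiple of 4 * parallelism blocks of 1 KiB.
  const effectiveKiB = problems.length
    ? 0
    : 4 * parallelism * Math.floor(memoryKiB / (4 * parallelism));
  const memoryBytes = effectiveKiB * KIB;
  if (memoryBytes > WASM32_MAX_LINEAR_BYTES) {
    problems.push("exceeds wasm32 linear memory");
  } else if (memoryBytes > MAX_SINGLE_ALLOC_BYTES) {
    problems.push("exceeds single-allocation cap");
  }
  return { ok: problems.length === 0, effectiveKiB, memoryBytes, problems };
}

// Report each preset when the file is run directly.
for (const [name, params] of Object.entries(PRESETS)) {
  const r = checkArgon2idParams(params);
  console.log(name, r.memoryBytes, r.ok ? "ok" : r.problems.join("; "));
}
```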
I'm the maintainer of https://github.com/serenity-kit/opaque which is a WebAssembly package on top of opaque-ke.
I'm wondering if the recommended configurations for argon2id should be extended or changed.
Another option would be one of those: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id