Skip to content

[exchange] Investigate the correct order of oracle and Argon2 derivations #41

New issue
New issue
Open
Open
[exchange] Investigate the correct order of oracle and Argon2 derivations#41
@cipriancraciun

Description

@cipriancraciun
cipriancraciun
opened on Nov 16, 2024

As noted by @samuel-lucas6 in:
=> samuel-lucas6/Cahir#1 (comment)

So it sounds like you're doing similar to what I'm doing with the YubiKey except relying on a fast hash of the password/parameters rather than a PBKDF output and then doing Argon2 after the YubiKey challenge-response. It feels a little dodgy hashing the password in any way without a PBKDF.

To which I've replied in:
=> samuel-lucas6/Cahir#1 (comment)

Indeed, the "oracle" (my YubiKey replacement) could note down the queries it receives, and thus it could try to do some brute-forcing based on that.

However, in my particular case, that "partial key" (that contains a hash of the password and other parameters) also depends on the "salt" / "nonce" of the file to be encrypted / decrypted, thus a malicious oracle also has to brute-force the salt / nonce.

On the other hand, now that you mention it, I think I can move the oracle calling after applying the Argon2. However, in that case the Argon2 input isn't influenced by the oracle output... (I'll open an issue on my project on the issue and think about it... Perhaps one solution would be to apply something like bcrypt instead of the fast-hash for the password, thus also having something cache-hard, or perhaps having two rounds of Argon2...)

We should investigate if perhaps the Argon2 derivations shouldn't be done before the oracles call.

The current flow is:

  • hash password (and parameters) with file encryption salt / nonce;
  • call oracle with something based on that hash;
  • call Argon2 with the password and salt derived from the oracle output;

At the moment, if the encryption salt / nonce is random, the oracle can't do anything better than just bruteforcing the final encryption key.

However, for password derivation, there is no randomized nonce.

If we call Argon2 before the oracle, then the output of the oracle isn't an input of Argon2. (Low risk?)

If we call the oracle before Argon2, the oracle gets a fast-hash of the password. (High risk?)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions