On 7/25/2022 15:34, John Helmert III wrote:
> On Mon, Jul 25, 2022 at 03:30:08PM -0400, Joshua Kinard wrote:

[snip]

>>
>> "yescrypt" is an odd name for a hashing algorithm. I looked it up on
>> Wikipedia, and it just redirects to the 2013 Password Hashing Competition
>> (PHC)[1], in which yescrypt was just a runner-up (along w/ catena, makwa,
>> and lyra2). The winner was argon2. So unless something has changed in the
>> last nine years or there is more recent information, wouldn't it make more
>> sense to go with the winner of such a competition (argon2) instead of a
>> runner-up? I know marecki said Fedora was waiting for an official RFC for
>> argon2, but the wait for that ended almost a year ago in Sept 2021 when
>> RFC9106[2] was released.
>>
>> Some really quick looking around, I'm not finding any substantive
>> discussions on why yescrypt is better than argon2. It so far seems that it
>> just got implemented in libxcrypt sooner than argon2 did, so that's why
>> there is this sudden push for it.
>>
>> E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend
>> yescrypt instead. Anyway, it has to be implemented in libcrypt.", but
>> provides no justification for why they recommend yescrypt. Since we're
>> dealing with a fairly important function for system security, I kinda want
>> something with much more context that presents pros and cons for this
>> algorithm over others, especially argon2.
>>
>> That said, there does appear to be an open pull request on libxcrypt for
>> argon2[4], so maybe that is something to follow to see where it goes?
>>
>> 1. https://en.wikipedia.org/wiki/Password_Hashing_Competition
>> 2. https://datatracker.ietf.org/doc/html/rfc9106
>> 3. https://github.com/linux-pam/linux-pam/issues/45
>> 4. https://github.com/besser82/libxcrypt/pull/150
>>
>> tl;dr, I'm just a bit uncomfortable adopting a new hashing algo just because
>> it seems popular. I would prefer something that's been thoroughly tested.
>> The scant info I've found thus far, that points to argon2, not yescrypt.
>
> There's justification for this in one of the references in zlogene's
> original mail:
>
> https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow#Detailed_Description
>

Yeah, I did read that bit, but it still feels like it is written as
someone's opinion rather than as an objective comparison. It also states
that yescrypt is "based on NIST-approved primitives", whereas argon2 is
based on Blake2 (which I assume is not NIST-approved at this time). But
just because something uses a NIST-approved mechanism does not mean it
inherits that approval, so that argument doesn't completely convince me.

--
Joshua Kinard
Gentoo/MIPS
kumba@g.o
rsa6144/5C63F4E3F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us. And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic