| 1 |
On 7/25/2022 15:34, John Helmert III wrote: |
| 2 |
> On Mon, Jul 25, 2022 at 03:30:08PM -0400, Joshua Kinard wrote: |
| 3 |
|
| 4 |
[snip] |
| 5 |
|
| 6 |
>> |
| 7 |
>> "yescrypt" is an odd name for a hashing algorithm. I looked it up on |
| 8 |
>> Wikipedia, and it just redirects to the 2013 Password Hashing Competition |
| 9 |
>> (PHC)[1], in which yescrypt was just a runner-up (along w/ catena, makwa, |
| 10 |
>> and lyra2). The winner was argon2. So unless something has changed in the |
| 11 |
>> last nine years or there is more recent information, wouldn't it make more |
| 12 |
>> sense to go with the winner of such a competition (argon2) instead of a |
| 13 |
>> runner-up? I know marecki said Fedora was waiting for an official RFC for |
| 14 |
>> argon2, but the wait for that ended almost a year ago in Sept 2021 when |
| 15 |
>> RFC9106[2] was released. |
| 16 |
>> |
| 17 |
>> Some really quick looking around, I'm not finding any substantive |
| 18 |
>> discussions on why yescrypt is better than argon2. It so far seems that it |
| 19 |
>> just got implemented in libxcrypt sooner than argon2 did, so that's why |
| 20 |
>> there is this sudden push for it. |
| 21 |
>> |
| 22 |
>> E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend |
| 23 |
>> yescrypt instead. Anyway, it has to be implemented in libcrypt.", but |
| 24 |
>> provides no justification for why they recommend yescrypt. Since we're |
| 25 |
>> dealing with a fairly important function for system security, I kinda want |
| 26 |
>> something with much more context that presents pros and cons for this |
| 27 |
>> algorithm over others, especially argon2. |
| 28 |
>> |
| 29 |
>> That said, there does appear to be an open pull request on libxcrypt for |
| 30 |
>> argon2[4], so maybe that is something to follow to see where it goes? |
| 31 |
>> |
| 32 |
>> 1. https://en.wikipedia.org/wiki/Password_Hashing_Competition |
| 33 |
>> 2. https://datatracker.ietf.org/doc/html/rfc9106 |
| 34 |
>> 3. https://github.com/linux-pam/linux-pam/issues/45 |
| 35 |
>> 4. https://github.com/besser82/libxcrypt/pull/150 |
| 36 |
>> |
| 37 |
>> tl;dr, I'm just a bit uncomfortable adopting a new hashing algo just because |
| 38 |
>> it seems popular. I would prefer something that's been thoroughly tested. |
| 39 |
>> The scant info I've found thus far, that points to argon2, not yescrypt. |
| 40 |
> |
| 41 |
> There's justification for this in one of the references in zlogene's |
| 42 |
> original mail: |
| 43 |
> |
| 44 |
> https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow#Detailed_Description |
| 45 |
> |
| 46 |
|
| 47 |
Yeah, I did read that bit, but it still feels like it is written as |
| 48 |
someone's opinion rather than as an objective comparison. It also states |
| 49 |
that yescrypt is "based on NIST-approved primitives", whereas argon2 is |
| 50 |
based on Blake2 (which I assume is not NIST-approved" at this time). But |
| 51 |
just because something uses a NIST-approved mechanism does not mean it |
| 52 |
inherits that approval, so that argument doesn't completely convince me. |
| 53 |
|
| 54 |
-- |
| 55 |
Joshua Kinard |
| 56 |
Gentoo/MIPS |
| 57 |
kumba@g.o |
| 58 |
rsa6144/5C63F4E3F5C6C943 2015-04-27 |
| 59 |
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943 |
| 60 |
|
| 61 |
"The past tempts us, the present confuses us, the future frightens us. And |
| 62 |
our lives slip away, moment by moment, lost in that vast, terrible in-between." |
| 63 |
|
| 64 |
--Emperor Turhan, Centauri Republic |
Archives