I've got a question regarding Argon2 in KeePass 2.35.
I notice the various options:
Iterations
Memory
Parallelism
I think I understand what the iterations are (the number of times the key is spun) but I'm unclear on 'Memory' and 'Parallelism'.
If I choose a higher memory setting does that mean it'll force the host system to use that amount of memory? What happens if the system doesn't have that much? I assume it'll slow password cracking down until it has used the specified amount of memory?
When I increase parallelism the speed increases (i.e. the decryption becomes faster). Does this feature restrict how many processor cores that KeePass is able to use? For example does setting it to 8 mean it can use all 8 cores? Why would you want to use all cores if this makes password cracking easier?
So in summary:
Iterations should be as high as possible?
Memory should be as high as possible?
Parallelism should be as low as possible?
What are the minimum/maximum inputs?
What would the most secure (and time consuming) inputs be?
Perhaps having a 'Maximum Security' button would benefit users with high-security requirements?
Thanks again for some excellent software.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Maximize the use of expensive resources (e.g. with memory)
Optimize performance on user equipment (e.g. with parallelism)
Adjust the total amount of work to a reasonable amount (e.g. with iterations)
All of the parameters should be chosen so as not to adversely affect the user's computer (e.g. on the user's least capable machine, take less than 1 sec and not cause any computer stalls, glitches etc.) Parameters such as memory and parallelism should not be maximized to such an extent that they interfere with the normal operation of the user's computer.
Last edit: wellread1 2017-01-10
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
When I increase parallelism the speed increases (i.e. the decryption becomes faster).
Generation of the encryption key needed to decrypt becomes faster on the user's machine. However, the amount of work that the attacker must perform to generate each potential encryption key is constant. The attacker is always free to trade resources (parrallelism) for time.
Why would you want to use all cores if this makes password cracking easier?"
It doesn't make password cracking easier. The attacker still has to do all the work needed to generate each potential encryption key.
The advantage of increasing parallelism on the user's computer is that it allows the user to do more work in less time, e.g. if the user has a one second time budget in which to generate the encryption key, they can increase the amount of work needed to generate the key without exceeding the one second budget by increasing parallelism.
The disadvantage of using all cores on the user's machine is that it might create resource contention on the user's machine. Slow downs caused by resource contention are unrelated to the absolute amount of work required to generate the encryption key. Setting parallelism too high could penalize the user but not the attacker.
Last edit: wellread1 2017-01-11
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
set the iterations to a very high (but tolerable) level to slow down an attacker
set the memory use to a very high (but tolerable) level to slow down an attacker
increase parallelism to a tolerable level (to avoid slowing my system during decryption) because an attacker can decide on how many systems (or ASICs) he uses to try and crack my password. Therefore an attacker can change the parallelism - he can't change the iterations or memory?
So in other words increasing iterations and memory increase my security but parallelism relates to how much of my system resouces I use when decoding the database?
Thanks
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Memory allows you to specify a type of work that is significantly more expensive to the attacker because it can't be efficiently emulated on hardware that is optimized for previous cryptograhic hashing algorithms, e.g. SHA256. It may be significantly more expensive in absolute terms because it requires a large amount of a new resource (i.e. memory).
Iterations allows you to maximize the amount work that is required after you have selected an amount of memory based work that won't adversely affect your system.
Parallelism also allows you to increase security by allowing you to further maximize the amount of work (e.g. memory or iterations based).
By fine tuning all three parameters you can specify an amount of work, using resources available to you, that stays within your time budget, but is hard for an attacker to accelerate using economical hardware.
When you set your parameters, keep in mind the capabilities of the least capable hardware that you expect to open the database on. Database encryption settings (e.g. memory requirements) that would be fine on a high performance desktop might bring a phone to its knees. As far as I know, the phone would still be able to open the database, but it may be forced to make time-resource trade-offs that would result in unacceptable database opening times (perhaps so long that you would be effectively locked out). Testing is needed to determine settings that will work on all target hardware.
Last edit: wellread1 2017-01-11
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I only ever access KeePass on a fast computer so the simple advice is to increase all the settings to their maximum as this will cause the most inconvenience to an attacker.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
You probably can't maximize all parameters or you will lock yourself out. You should maximize within a reasonable time budget (e.g. 1 second) and also avoid adverse system artifacts. A one second time budget is somewhat arbitrary. However, once you exceed one second (a perceptable amount of time) it is more effective to increase master password strength.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Decide on your target time budget. This is the time it will take for KeePass to complete the key transformations needed to calculate the encryption key from your Master Key. A time budget of 0.5 or 1 seconds is reasonable target.
Create, Save, Close and Re-open a new empty database for testing
Open File>Database Settings...>Security(tab). Select Argon2 for the key transformations.
Keep the initial settings
Iterations = 2
Memory = 1MB
Parallelism = 2
Press the Test button. A dialog will appear that displays the time required to complete the key transformations (e.g. 0.005 seconds)
Increase the Memory parameter to reach your target time and press the Test button again. Repeat until you reach your target time.
For example: Assuming your target time is 0.5 seconds and the test dialog reported that 0.005 seconds were required to complete the key transformations using initial settings. You might reach your target time by increasing the memory parameter from 1MB to ~100-200MB.
Once you have reached your target time by increasing the memory parameter, increase the parallelism parameter and press Test
Try doubling parallelism. You should see the time required to complete the key transformations drop significantly. If it doesn't drop significantly, or your observe other problems, revert to the previous setting.
Once you have optimized parallelism, repeat step 6 to reach you target time again.
Once you have reached your target time by increasing memory, you may wish to drop iterations to 1. Again you should observe a significant drop in the time required to complete the key transformations. Repeat step 6 to reach your target time.
Once you reach you target time for the final time, you are done.
Having optimized settings for the test database on your computer you can transfer them to your working database. You should observe similar key transformation times in your working database. Procedure:
IMPORTANT Make a backup copy of your working database before you change the database settings. I recommend that you archive this copy and keep it in a safe place until you are confident that the new database settings meet your requirements.
Open your working database.
Open File>Database Settings...>Security(tab). Select Argon2 for the key transformations.
Transfer the settings that you established for your test database to the working database. Press the test button to verify the expected target time. Make any final adjustments. When you are satisfied, save the database with the new settings.
Note: Since you are optimizing database settings on a high performance machine, the database is likely to be slow to open on lower performing machines. If you plan to regularly open the database on lower performing machines, reduce the parameters (e.g. memory and parallelism) to be compatible with the low performing hardware and reduce your target time accordingly.
👍
1
Last edit: wellread1 2017-01-12
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
wellread, your procedure may be OK for single PC use but is likely to be problematic if you use the database on portable devices.
Why do you suggest dropping iterations to 1?
cheers, Paul
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I think the principle being exploited by Argon2 is that accessing memory is comparatively slow, and that it is expensive if not impossible to significantly accelerate bus and or memory performance relative to what is commonly found in user computers. Iterating over a smaller amount of memory is good, but does not pose quite the same barrier that requiring an optimized computer architecture with a large amount of extreme high performance memory would.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Many hash functions in use today e.g. SHA-256 can be optimized for speed using relatively inexpensive hardware with little or no memory. The result is that the work factors (e.g. key transformation) set on PCs, though still effective, may be less effective than they might otherwise be.
The Argon2 algorithm requires a configurable, but considerable amount of memory to perform its operations. It takes quite a bit of time to perform these memory operations. These operations are believed to be much harder to optimize, at least currently. The result is that attacker has to invest in a lot of memory, and his ability to reduce calculation time relative to a PC is significantly reduced.
Last edit: wellread1 2017-05-24
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Dear Dominik, the developer, you may be interested to know Internet-Draft recommends using hybrid Argon2id implementation except when there are reasons to prefer one of the other two modes (2d or 2i).
Last edit: PassionateUser 2017-11-03
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Dominik, of course, not Daniel, sorry about addressing the developer in a wrong name.
Yes, I am aware why he chose Argon2d since it was me he replied to in the mentioned thread.
Thing is there were two modes (2d and 2i) by that time, and now hybrid one (2id) is possible.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I've got a question regarding Argon2 in KeePass 2.35.
I notice the various options:
I think I understand what the iterations are (the number of times the key is spun) but I'm unclear on 'Memory' and 'Parallelism'.
So in summary:
What are the minimum/maximum inputs?
What would the most secure (and time consuming) inputs be?
Perhaps having a 'Maximum Security' button would benefit users with high-security requirements?
Thanks again for some excellent software.
I would like to know that too.
Last edit: Sourceforge User 1337 2017-01-10
See the second and subsequent posts in the KDBX 4 thread.
https://sourceforge.net/p/keepass/discussion/329220/thread/acfd14b1/?limit=250#711f
cheers, Paul
I had a look at that before posting my questions but it doesn't really answer them:
My read of the Argon2 paper section 6.4 is that you want to:
All of the parameters should be chosen so as not to adversely affect the user's computer (e.g. on the user's least capable machine, take less than 1 sec and not cause any computer stalls, glitches etc.) Parameters such as memory and parallelism should not be maximized to such an extent that they interfere with the normal operation of the user's computer.
Last edit: wellread1 2017-01-10
I saw that paper but it begs the questions I posed earlier:
Generation of the encryption key needed to decrypt becomes faster on the user's machine. However, the amount of work that the attacker must perform to generate each potential encryption key is constant. The attacker is always free to trade resources (parrallelism) for time.
It doesn't make password cracking easier. The attacker still has to do all the work needed to generate each potential encryption key.
The advantage of increasing parallelism on the user's computer is that it allows the user to do more work in less time, e.g. if the user has a one second time budget in which to generate the encryption key, they can increase the amount of work needed to generate the key without exceeding the one second budget by increasing parallelism.
The disadvantage of using all cores on the user's machine is that it might create resource contention on the user's machine. Slow downs caused by resource contention are unrelated to the absolute amount of work required to generate the encryption key. Setting parallelism too high could penalize the user but not the attacker.
Last edit: wellread1 2017-01-11
I think I understand now. :)
So ideally you want to:
So in other words increasing iterations and memory increase my security but parallelism relates to how much of my system resouces I use when decoding the database?
Thanks
By fine tuning all three parameters you can specify an amount of work, using resources available to you, that stays within your time budget, but is hard for an attacker to accelerate using economical hardware.
When you set your parameters, keep in mind the capabilities of the least capable hardware that you expect to open the database on. Database encryption settings (e.g. memory requirements) that would be fine on a high performance desktop might bring a phone to its knees. As far as I know, the phone would still be able to open the database, but it may be forced to make time-resource trade-offs that would result in unacceptable database opening times (perhaps so long that you would be effectively locked out). Testing is needed to determine settings that will work on all target hardware.
Last edit: wellread1 2017-01-11
Thank you.
I only ever access KeePass on a fast computer so the simple advice is to increase all the settings to their maximum as this will cause the most inconvenience to an attacker.
You probably can't maximize all parameters or you will lock yourself out. You should maximize within a reasonable time budget (e.g. 1 second) and also avoid adverse system artifacts. A one second time budget is somewhat arbitrary. However, once you exceed one second (a perceptable amount of time) it is more effective to increase master password strength.
Thank you for all your help @wellread1.
There seems to be a bug in the memory input field.
When I enter 2 GB as the memory it it tells me that 2147483647 bytes is the maximum and automatically inserts that instead. Well technically:
2 GB is 2048 MB (2147483648 bytes) (if kilo is 1024) or;
2 GB is 2000 MB (2000000000 bytes) (if kilo is 1000)
If you enter 2048 MB it tells you it can't accept it and changes it to 2147483648. It's the same thing!
Hi...
I have been reading about Argon2....and looked at other posts but I am still a bit confused as to how to set it up..
I have a I7-5960x (8-core) @4.4ghz
I have 32gb Hyperx Memory XMP @3000mhz
What would be the best settings and security...if anyone has a suggestion
Thanks
Suggested optimization procedure:
For example: Assuming your target time is 0.5 seconds and the test dialog reported that 0.005 seconds were required to complete the key transformations using initial settings. You might reach your target time by increasing the memory parameter from 1MB to ~100-200MB.
Try doubling parallelism. You should see the time required to complete the key transformations drop significantly. If it doesn't drop significantly, or your observe other problems, revert to the previous setting.
Having optimized settings for the test database on your computer you can transfer them to your working database. You should observe similar key transformation times in your working database. Procedure:
Note: Since you are optimizing database settings on a high performance machine, the database is likely to be slow to open on lower performing machines. If you plan to regularly open the database on lower performing machines, reduce the parameters (e.g. memory and parallelism) to be compatible with the low performing hardware and reduce your target time accordingly.
Last edit: wellread1 2017-01-12
wellread, your procedure may be OK for single PC use but is likely to be problematic if you use the database on portable devices.
Why do you suggest dropping iterations to 1?
cheers, Paul
I think the principle being exploited by Argon2 is that accessing memory is comparatively slow, and that it is expensive if not impossible to significantly accelerate bus and or memory performance relative to what is commonly found in user computers. Iterating over a smaller amount of memory is good, but does not pose quite the same barrier that requiring an optimized computer architecture with a large amount of extreme high performance memory would.
Which settings are better for security (time value is identical)?
All other things being equal, using more memory resource is better.
I don't understand all the maths in the Argon2 paper :(
Why does more memory mean more time — what does the extra memory do?
Many hash functions in use today e.g. SHA-256 can be optimized for speed using relatively inexpensive hardware with little or no memory. The result is that the work factors (e.g. key transformation) set on PCs, though still effective, may be less effective than they might otherwise be.
The Argon2 algorithm requires a configurable, but considerable amount of memory to perform its operations. It takes quite a bit of time to perform these memory operations. These operations are believed to be much harder to optimize, at least currently. The result is that attacker has to invest in a lot of memory, and his ability to reduce calculation time relative to a PC is significantly reduced.
Last edit: wellread1 2017-05-24
Thank you for the explanation.
Last edit: Paddy Landau 2017-05-24
Dear Dominik, the developer, you may be interested to know Internet-Draft recommends using hybrid Argon2id implementation except when there are reasons to prefer one of the other two modes (2d or 2i).
Last edit: PassionateUser 2017-11-03
I am not sure who you are addressing your post to, but the KeePass developer selected Argon2d for the reasons he described in the post: https://sourceforge.net/p/keepass/discussion/329220/thread/acfd14b1/#527c
Dominik, of course, not Daniel, sorry about addressing the developer in a wrong name.
Yes, I am aware why he chose Argon2d since it was me he replied to in the mentioned thread.
Thing is there were two modes (2d and 2i) by that time, and now hybrid one (2id) is possible.