Title: Implementing Argon2i in PHP
Post by: Accardo on November 30, 2022, 07:48:04 AM

Happily, Argon2, the winner of the Password Hashing Competition, got supported by PHP 7.2 some years back. Programs coded with PHP can attach the code for Argon2i password hashing into their app or program.

With the unreliability of Bcrypt and PBKDF2, Argon2id (with a memory-hard function) was created to tackle trade-off attacks and side-channel attacks. However, the Argon2i PHP code is in this thread, mainly used for password hashing and password-based key derivation, as it uses data-independent memory access. Argon2, with the use of a predefined memory size, CPU time, and a degree of parallelism, protects against brute-force attacks and GPU attacks.

Note: Argon2i and Argon2d have different functions; the last named is mainly for cryptocurrency-related projects and back-end servers that don't require side-channel timing attacks. While Argon2id is a combination of both, people who know what they need can go for the one with the feature they want.

Argon2 Features

Performance: Argon2 rapidly occupies memory, thereby souring the area multiplier in the time area for ASIC-equipped adversaries. Though the Argon2i data-independent version durably fills the memory, spending within 2 CPU cycles per byte, Argon2d is three times as fast.

Trade-off Resilience: Regardless of fast performance, Argon2 is designed to deliver a suitable level of trade-off resilience.

Scalability: Argon2 possesses scalability both in time and memory dimensions.

Parallelism: Argon2 may utilize up to 2^22 threads in parallel.

GPU/FPGA/ASIC Unfriendly: Argon2 is specially optimized for x86 architecture to enable cheaper or faster implementation on dedicated cracking hardware.

Additional Input Support: Argon2 is additional-input compatible, which is syntactically set apart from the message and nonce, like environmental parameters, secret key, user data, etc.

Running Argon2i in PHP

Code:

The implemented algorithm in PHP is Argon2i (v1.3), and it can be provided via the $algo parameter to the password_hash() function. The signature of password_hash() is as follows:

With the usage of Argon2, attackers won't be able to access users' passwords after penetrating a given site.
https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
https://medium.com/analytics-vidhya/password-hashing-pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e
https://framework.zend.com/blog/2017-08-17-php72-argon2-hash-password.html
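An added example, not part of the original post: hashing with Argon2i through password_hash(), verifying with password_verify(), and upgrading stored hashes whose cost parameters are weaker than the current policy. The cost values, function names and sample password are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative cost policy (assumed values, tune to your own hardware).
// memory_cost is expressed in KiB.
const ARGON2I_OPTIONS = [
    'memory_cost' => 131072, // 128 MiB
    'time_cost'   => 4,      // passes over memory
    'threads'     => 1,      // lanes; 1 also works on libsodium-backed builds
];

function hashPassword(string $password): string
{
    if (!defined('PASSWORD_ARGON2I')) {
        throw new RuntimeException('This PHP build has no Argon2 support');
    }
    // password_hash() draws a random salt and stores it, with the
    // parameters, inside the returned string.
    return password_hash($password, PASSWORD_ARGON2I, ARGON2I_OPTIONS);
}

// Returns true on a correct password. If the stored hash was created with
// other parameters than the current policy, $upgraded receives a fresh hash
// that the caller should persist in place of the old one.
function verifyPassword(string $password, string $stored, ?string &$upgraded = null): bool
{
    $upgraded = null;
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_ARGON2I, ARGON2I_OPTIONS)) {
        $upgraded = hashPassword($password);
    }
    return true;
}

// Constructed sample: a hash made earlier under a weaker policy.
$password = 'correct horse battery staple';
$legacy = password_hash($password, PASSWORD_ARGON2I,
    ['memory_cost' => 16384, 'time_cost' => 3, 'threads' => 1]);

var_dump(verifyPassword('wrong guess', $legacy));         // failed login attempt
var_dump(verifyPassword($password, $legacy, $upgraded));  // login that triggers a rehash
var_dump(password_get_info($upgraded)['options']);        // parameters read back from the new hash
var_dump(verifyPassword($password, $upgraded, $again), $again); // login with the upgraded hash
```

Because the salt and parameters travel inside the hash string, only that one string needs to be stored per user, and raising the policy later upgrades each account at its next successful login.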