++ed by:

1 non-PAUSE user.

Leon Timmermans

NAME

Crypt::Argon2 - Perl interface to the Argon2 key derivation functions

VERSION

version 0.002

SYNOPSIS

 use Crypt::Argon2 qw/argon2i_pass argon2i_verify/;

 sub add_pass {
   my ($user, $password) = @_;
   my $salt = get_random(16);
   my $encoded = argon2i_pass($password, $salt, 3, '32M', 1, 16):
   store_password($user, $encoded);
 }

 sub check_password {
   my ($user, $password) = @_;
   my $encoded = fetch_encoded($user);
   return argon2i_verify($encoded, $password);
 }

DESCRIPTION

This module implements the Argon2 key derivation function, which is suitable to convert any password into a cryptographic key. This is most often used to for secure storage of passwords but can also be used to derive a encryption key from a password. It offers variable time and memory costs as well as output size.

FUNCTIONS

argon2i_pass($password, $salt, $t_cost, $m_factor, $parallelism, $tag_size)

This function processes the $password with the given $salt and parameters. It encodes the resulting tag and the parameters as a password string (e.g. $argon2i$v=19$m=65536,t=2,p=1$c29tZXNhbHQ$wWKIMhR9lyDFvRz9YTZweHKfbftvj+qf+YFY4NeBbtA).

  • $password

    This is the password that is to be turned into a cryptographic key.

  • $salt

    This is the salt that is used. It must be long enough to be unique.

  • $t_cost

    This is the time-cost factor, typically a small integer that can be derived as explained above.

  • $m_factor

    This is the memory costs factor. This must be given as a integer followed by an order of magnitude (k, M or G for kilobytes, megabytes or gigabytes respectively), e.g. '64M'.

  • $parallelism

    This is the number of threads that are used in computing it.

  • $tag_size

    This is the size of the raw result in bytes. Typical values are 16 or 32.

argon2i_verify($encoded, $password)

This verifies that the $password matches $encoded. All parameters and the tag value are extracted from $encoded, so no further arguments are necessary.

argon2i_raw($password, $salt, $t_cost, $m_factor, $parallelism, $tag_size)

This function processes the $password with the given $salt and parameters much like argon2i_pass, but returns the binary tag instead of a formatted string.

argon2d_raw($password, $salt, $t_cost, $m_factor, $parallelism, $tag_size)

This function processes the $password with the given $salt and parameters much like argon2i_pass, but returns a binary tag for argon2d instead of a formatted string for argon2i.

RECOMMENDED SETTINGS

The Argon2 paper recommends the following procedure to find settings.

1. Select the type y. If you do not know the difference between them or you consider side-channel attacks as viable threat, choose Argon2i.
2. Figure out the maximum number of threads h that can be initiated by each call to Argon2. This is the parallelism argument.
3. Figure out the maximum amount of memory m that each call can a afford.
4. Figure out the maximum amount x of time (in seconds) that each call can a afford.
5. Select the salt length. 16 bytes is suffient for all applications, but can be reduced to 8 bytes in the case of space constraints.
6. Select the tag (output) size. 16 bytes is suffient for most applications, including key derivation.
7. Run the scheme of type y, memory m and h lanes and threads, using different number of passes t. Figure out the maximum t such that the running time does not exceed x. If it exceeds x even for t = 1, reduce m accordingly.
8. Hash all the passwords with the just determined values m, h, and t.

ACKNOWLEDGEMENTS

This module is based on the reference implementation as can be found at https://github.com/P-H-C/phc-winner-argon2.

SEE ALSO

You will also need a good source of randomness to generate good salts. Some possible solutions include:

  • Net::SSLeay

    Its RAND_bytes function is OpenSSL's pseudo-randomness source.

  • Crypt::URandom

    A minimalistic abstraction around OS-provided non-blocking (pseudo-)randomness.

Implementations of other similar algorithms include:

  • Crypt::ScryptKDF

    An implementation of scrypt, a older scheme that also tries to be memory hard.

  • Crypt::Eksblowfish::Bcrypt

    An implementation of bcrypt, a battle-tested algortihm that tries to be CPU but not particularly memory intensive.

AUTHOR

Leon Timmermans <leont@cpan.org>

COPYRIGHT AND LICENSE

Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, Samuel Neves, Thomas Pornin and Leon Timmermans has dedicated the work to the Commons by waiving all of his or her rights to the work worldwide under copyright law and all related or neighboring legal rights he or she had in the work, to the extent allowable by law.

Works under CC0 do not require attribution. When citing the work, you should not imply endorsement by the author.