Recommend Argon2id over PBKDF2HMAC as KDF #14724
Update the recommended PBKDF2HMAC iteration count from 1,200,000 to 1,500,000 to reflect the latest Django recommendations. Closes: pyca#14723
You'll need to update the text here to match the link
Okay - should I do that, or just follow your other suggestion and rewrite with Argon2id?
I'd say let's just rewrite to use argon2id and leave PBKDF2 in the rear view mirror where it belongs.
Done. I'm new to RST, so I likely made some syntax errors - let me know if I need to make any changes.
In the Fernet documentation, recommend Argon2id as opposed to other KDFs; replace the PBKDF2HMAC example with an Argon2id example; and discuss Argon2id parameter selection.
60x20 left a comment
I suggest using 2048*1024 rather than 2**21 to make it more human-readable just like it is on the Argon2 docs.
Also the PR title should probably be changed to something like "Recommend Argon2 over PBKDF2 as KDF"
| ... iterations=1_200_000, | ||
| ... iterations=1, | ||
| ... lanes=4, | ||
| ... memory_cost=2**21 |
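Review bot: the replaced lines swap `iterations=1_200_000` for `iterations=1, lanes=4, memory_cost=2**21`, but nothing in the hunk says what unit `memory_cost` takes; Argon2's memory parameter is in kibibytes, so `2**21` is 2 GiB per key derivation, which is the figure anyone deriving keys per request needs to see. Suggest an inline comment such as `... memory_cost=2**21,  # KiB, i.e. 2 GiB of RAM` (or the RFC's own "2 GiB of RAM" wording in the surrounding text) so the cost is visible at the call site rather than only in the RFC.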
| ... memory_cost=2**21 | |
| ... memory_cost=2048*1024 |
Wouldn't it be better if it was in a more human-readable form?
I'll obviously defer to whoever is in charge here, but the form I used is that of the RFC. I actually don't find either form that readable, since you have to remember that the figure is in KiB, and then mentally convert that into something like MiB or GiB :|
| The :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id` parameters | ||
| in the above code example are based on the recommendations of `IRTF RFC 9106`_ | ||
| for general applications. For memory-constrained applications, the RFC | ||
| recommends ``iterations=3`` and ``memory_cost=2**16``. See that document for |
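Review bot: the memory-constrained sentence gives only `iterations=3` and `memory_cost=2**16`; RFC 9106 states that option with the lane count unchanged (t=3, p=4, m=2^16, i.e. 64 MiB), so spell out `lanes=4` there as well, otherwise a reader may assume the lane count changes along with the other two parameters. Stating the unit once ("memory_cost is in KiB") next to the first parameter list would also remove the conversion the thread above complains about.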
| recommends ``iterations=3`` and ``memory_cost=2**16``. See that document for | |
| recommends ``iterations=3`` and ``memory_cost=64*1024``. See that document for |
Like the previous suggestion
Co-authored-by: 60x20 <120422100+60x20@users.noreply.github.com>
Thank you!
Update the recommended PBKDF2HMAC iteration count from 1,200,000 to 1,500,000 to reflect the latest Django recommendations.
Closes: #14723