Comments (11)
Could you explain a bit more about what you are trying to achieve?
I have removed the possibility since reusing salts is unsafe and you have all information needed for verification in the hash. I did not expect use cases beyond password hashing, for which you would usually use the default, random salt anyways.
It is very unusual to even hash an ID, so I'd like to understand your reasoning.
from node-argon2.
Sure, in Finland there is such a thing called Social Security ID (SSID). It is a unique identifier for a person living and residing in Finland. Think of it as a passport number. Nearly everywhere you use SSID to sign up for services, one of which is our service that we are developing. It is a way to identify the user.
However, there is an issue. SSIDs are short: they are 11 characters long with a very specific pattern of 6 digits (dash) and 4 numbers, and since it's close to having a passport number, we are trying to protect our users as much as possible, hence the need for hashing. Yet another however: our service only allows customers that are present on a certain whitelist to log in. What happens is we have a list of SSIDs (which is quite huge) with each SSID hashed, and we want to verify if the SSID given by the user matches the one in the list. We take that input, hash it and use our unique salt and then look if such a hash exists in the db. Due to service demand and speed and lack of computational power, we cannot really go through every hashed SSID with a random salt one by one to revert the pass in order to verify the information without taking a lot of time (unless I am terribly mistaken). It takes us roughly 3.5 seconds to hash one SSID (if we hash let's say 10 SSIDs at once it takes roughly from 3.5 to 10 seconds per operation depending on resources available, a middle ground between security and speed in our case).
Hence in order to quickly verify we need salt to be the same.
P.S. While SSIDs are important, they are not strictly secret, and in order to use one with malicious intent you will need a bit more info (such as an identity card when signing up for a service in person, or bank credentials that always match the SSID).
I hope I managed to explain the situation well, if anything is unclear please let me know :)
from node-argon2.
I understand what you want, but I would highly recommend against Argon2. It is because Argon2 is designed to be slow and counter against specialized cracking hardware. It is also the reason why random salts are strictly important: you cannot precalculate a rainbow table.
You'd be better with a non-password hash function such as SHA256. It is fast and you can salt by appending a string to the unhashed SSID.
Fun fact: if you use the same salt on every password and don't store it on the DB, it is called a pepper.
from node-argon2.
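The fast-hash lookup suggested above, as an added example that is not part of the original thread or of node-argon2. It swaps the appended-string salt for HMAC-SHA256 keyed with a pepper held outside the database, because an 11-character identifier with a fixed pattern can be enumerated by anyone who holds both the digests and the salt. The function names and the sample IDs are assumptions constructed for illustration.

```javascript
const { createHmac, randomBytes } = require('node:crypto');

// Normalise input so the same ID always yields the same token.
// The 11-character length comes from the thread; nothing else is validated here.
function normalize(id) {
  const s = String(id).trim().toUpperCase();
  if (s.length !== 11) throw new RangeError('expected an 11-character ID');
  return s;
}

// Deterministic keyed digest: same pepper and same ID give the same token,
// so the database can index it and answer with a single equality lookup.
function lookupToken(pepper, id) {
  return createHmac('sha256', pepper).update(normalize(id), 'utf8').digest('hex');
}

// Only tokens are stored; the raw IDs and the pepper never reach the table.
function buildAllowlist(pepper, ids) {
  return new Set(ids.map((id) => lookupToken(pepper, id)));
}

function isAllowed(pepper, allowlist, candidate) {
  try {
    return allowlist.has(lookupToken(pepper, candidate));
  } catch {
    return false; // malformed input is simply not on the list
  }
}

// Constructed sample data, not real identifiers. In a deployment the pepper
// would be loaded from a secret store rather than generated on each start.
const pepper = randomBytes(32);
const allowlist = buildAllowlist(pepper, ['010190-1234', '150385-4567']);

console.log(isAllowed(pepper, allowlist, ' 010190-1234 ')); // on the list
console.log(isAllowed(pepper, allowlist, '010190-9999'));   // not on the list
```

If the pepper leaks together with the table, the tokens are again only as strong as the ID space, so it belongs in a separate trust domain from the database.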
Yea, SHA256 crossed our heads here. The decision to try Argon2 was made because it had different configurations such as Argon2i for password protection specifically :) Combine that with a very clean API you @ranisalt made, and it was a dream to operate on.
Thanks for the pepper link, I am not by any means a security specialist (junior dev here at the company) so it was a nice read!
from node-argon2.
I'm in a slightly different boat, but was also taking advantage of the custom salt. I'm using argon2 as a KDF in order to encrypt data based on a user-supplied password. Loosely speaking, the encryption is:
salt ++ XSalsa20(argon2.hash(password, salt, options), data)
I therefore need to either supply a custom salt (I'd been using `argon2.generateSalt`) or somehow retrieve the salt after calling `argon2.hash`. I was using `raw: true`, but now I have to go back to `raw: false` and use regex and b64 decode to obtain both the hash value and the salt.
from node-argon2.
The return value of the hash function could be slightly tweaked to have separate data, e.g. `hash.salt` gets the salt, `hash.version`, `hash.memoryCost`, etc. without opening security breaches.
I will have a look at adding more options to the function call and add the salt too.
from node-argon2.
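The two comments above both turn on getting the salt and parameters back out of the encoded hash string. The following is an added example, not code from node-argon2 or from the thread, of a strict parser for that encoding. `parseEncoded` and `unb64` are hypothetical names, the returned field names follow the ones proposed in the comment above, and the sample string is constructed from fixed bytes rather than produced by Argon2.

```javascript
// Split an encoded Argon2 string into its fields:
//   $argon2{d,i,id}[$v=N]$m=N,t=N,p=N$<salt>$<hash>   (unpadded base64)
function unb64(field) {
  // Buffer.from() silently skips invalid characters, so validate first.
  if (!/^[A-Za-z0-9+/]+$/.test(field) || field.length % 4 === 1) {
    throw new Error('invalid base64 field');
  }
  return Buffer.from(field, 'base64');
}

function parseEncoded(encoded) {
  const fields = String(encoded).split('$');
  if (fields.shift() !== '') throw new Error('must start with "$"');
  const type = fields.shift();
  if (!/^argon2(d|i|id)$/.test(type)) throw new Error('unknown Argon2 variant');
  // The reference decoder treats a missing v= field as version 0x10 (16).
  let version = 0x10;
  if (fields.length > 0 && /^v=\d+$/.test(fields[0])) {
    version = Number(fields.shift().slice(2));
  }
  if (fields.length !== 3) throw new Error('expected params, salt and hash');
  // Only the m,t,p parameter set is accepted; anything else is rejected.
  const m = /^m=(\d+),t=(\d+),p=(\d+)$/.exec(fields[0]);
  if (!m) throw new Error('unsupported parameter field');
  return {
    type,
    version,
    memoryCost: Number(m[1]),
    timeCost: Number(m[2]),
    parallelism: Number(m[3]),
    salt: unb64(fields[1]),
    hash: unb64(fields[2]),
  };
}

// Constructed sample: fixed bytes stand in for a real salt and digest.
const b64 = (buf) => buf.toString('base64').replace(/=+$/, '');
const sampleSalt = Buffer.from('constructed-salt', 'utf8'); // 16 bytes
const sampleHash = Buffer.alloc(32, 0xab);
const sample = ['', 'argon2i', 'v=19', 'm=4096,t=3,p=1',
  b64(sampleSalt), b64(sampleHash)].join('$');

const parsed = parseEncoded(sample);
console.log(parsed.type, parsed.version, parsed.salt.toString('hex'));
```

For the KDF use described above, `parsed.salt` is what gets stored next to the ciphertext and `parsed.hash` is the derived key material.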
A strong +1
from node-argon2.
@ranisalt Thanks!
from node-argon2.
I am preparing to enable secret and additional data as Argon2 supports, but no bindings AFAIK have support.
from node-argon2.
How can I supply a custom salt? I am using it in a blockchain, and we don't care about salt...
With options.salt ?
from node-argon2.
Yes, and it should be a buffer, but if the salt doesn't matter you should use the generator.
from node-argon2.