Description:
------------
Since version 5.5.0, PHP has a nice and secure password hashing API. Since developers have difficulties to handle more classical cryptographic API [1] and tends to favor functionalities over security even for password storage [2], the use of PHP's API should be highly recommended and accessible to anyone.

Unfortunately, I believe the current API does not support any password hashing function compatible with one of most famous security requirements guidelines: the NIST Special Publication 800-63B [3]. Although the basic requirements for the functions are met (accepting a password, a salt and a cost factor), there is a problem regarding the underlying hash function.

The SP 800-63B requires this hashing functions to be one of:
 - HMAC (FIPS 198-1) using an other approved hash function
 - Any SP 800-107 [4] approved hash functions (SHA-1 and the SHA-2 family)
 - SHA-3 (FIPS 202)
 - CMAC (SP 800-38B)
 - Keccak Message Authentication Code (KMAC)
 - Customizable SHAKE (cSHAKE)
 - ParallelHash (SP 800-185)

Currently, this API supports two hashing algorithms: Bcrypt and Argon2 (variants i and id). Unfortunately, Bcrypt is based on Blowfish and Argon2 uses Blake2b. As far as I know, none of those hashing methods are approved by the NIST and therefore Bcrypt and Argon2 are incompatible with the SP 800-63B.

I believe this incompatibility forces developers to implement their own and potentially insecure password hashing methods instead of using the secure PHP password hashing API. This may be one of the causes of framework using outdated and/or insecure password hashing methods [5]. Therefore, I suggest that PHP should support a new hashing function that is compatible with the SP 800-63B.

Based on the most recent study I found [6], I would suggest two candidates: Yescrypt and Balloon.

Yescrypt [7] is built upon Scrypt and is based ontherefore uses PBKDF2-HMAC-SHA256, which is explicitly approved by the NIST. It also has the advantage to be implemented in libxcrypt and therefore uses, just like Bcrypt does, a simple cost factor parameter. It is also used in PAM and Shadow. Its main disadvantage is the implementation complexity.

Balloon [8] is explicitly cited in the SP 800-63B as an approved derivation function, the only compatibility requirement would be to chose an approved underlying hash function. Like Argon2, it does not have simple cost factor and therefore the multiple parameters should be used. Because of this, the underlying hash function could be specified as a parameter. Its main advantage is the implementation simplicity, although the original specification does not well defines some steps.


[1]: Wijayarathna, and al., 2018 https://dl.acm.org/doi/abs/10.1145/3210459.3210483
[2]: Naiakshina, and al., 2017 https://dl.acm.org/doi/abs/10.1145/3133956.3134082
[3]: https://csrc.nist.gov/publications/detail/sp/800-63b/final
[4]: https://csrc.nist.gov/publications/detail/sp/800-107/rev-1/final
[5]: Ntantogian, and al., 2019 https://www.sciencedirect.com/science/article/pii/S0167404818308332
[6]: Hatzivasilis, 2017 https://doi.org/10.3390/cryptography1020010
[7]: https://www.openwall.com/yescrypt/
[8]: https://crypto.stanford.edu/balloon/