|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #75388 Argon2: Add secret/key
Submitted: 2017-10-16 12:38 UTC Modified: 2018-03-29 15:08 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: phpdoc at mail dot my1 dot info Assigned: jedisct1 (profile)
Status: Assigned Package: *Encryption and hash functions
PHP Version: Next Minor Version OS: Win8.1 x64
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-10-16 12:38 UTC] phpdoc at mail dot my1 dot info
In the input/output section of the argon2 standard, there is a key/secret value

and it is certainly not a bad idea to use that for peppering the passwords for extra security:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-10-16 14:03 UTC]
-Status: Open +Status: Feedback
 [2017-10-16 14:03 UTC]
What are you asking for PHP to do, exactly? And is it something that can/should be easily handled in userland instead?
 [2017-10-17 09:34 UTC]
@requinix there is a parameter for argon2i ("Secret value K" in the linked document) which PHP does not expose. It *could* be exposed via a password hash option, however I am not qualified to have an opinion on whether it *should* be.

Notably the $salt option for bcrypt was deprecated in 7 because the idea of the password_hash() API is simplicity and providing secure defaults, I don't know if this may fall into the same category of "things the user should not play with as it may make the resulting hashes less secure".

I think what is being asked for is clear, whether it should be done is for people more qualified than me to discuss. I can't see any record if it being discussed as part of the original proposal. It should probably be brought up on internals.
 [2017-10-17 09:55 UTC] phpdoc at mail dot my1 dot info

as daverandom points out, I want to have PHP expose the secret which is a part of argon2.

while while you could work around this by attaching a secret by appending, HMAC, or whatever, you could probably also do argon2 in userland, technically, not that it's a good Idea though and it's nice that we have it in PHP7.2

my point is just if argon2 does have something like this already nicely defined, as part of its own standard, why not use it?

@dave, well the salt is a little bit different than an extra secret.

the salt is most notably a RANDOM piece of data attached to some data before it is thrown into the hash and the salt is essentially visible for everyone who can see thze hash, and is to throw rainbow tables into oblivion. and since a salt is supposed to be random, I think it is not a bad Idea to throw the manual setting of the salt away, because there may certainly people who use the XKCD Random number generator.

a Pepper in contrast is usually a special secret value which is stored not in the database but somewhere else (config file environment, whatever you think is best) and should have a certain complexity to be effective, and its point is to have something that even if an attacker can get the hashes via some database leakages they wont be just getting around and calculating all the passwords, even if these are really ugly ones like 123456 because without the secret, an attacker would be getting nowhere.
 [2017-10-17 16:20 UTC]
-Status: Feedback +Status: Open -Assigned To: +Assigned To: jedisct1
 [2017-10-17 16:20 UTC]
Feedback has been provided, so opening again.

Assigning to Frank, since he implemented the argon2 password hashing for PHP,
and apparently doesn't like non-replaceable keys[1]. Besides, using the secret
key doesn't appear to work with argon2*_hash_encoded().

[1] <>
 [2018-03-29 14:07 UTC] stange at digitalriver dot com
The secret is an important feature with argon2. Other languages expose it.
 [2018-03-29 14:07 UTC] stange at digitalriver dot com
The secret is an important feature with argon2. Other languages expose it.
 [2018-03-29 15:08 UTC]
If you really need this, don't store the salt itself. Generate and store a random `s`, and use `prf(k, s)` as the salt. This is equivalent to adding a secret key to the initial Argon2 state.

A major drawback is the fact that keys cannot be rotated.

A way better approach is to encrypt the hashes. You may also want to add an authentication tag that includes the salt and parameters, to prevent resources starvation if the parameters get modified while still allowing parameter updates.

Authenticated encryption is beyond the scope of a password hashing function. Combining both in a simple way is an API's responsibility.

libsodium 2.x will use the libhydrogen API, but the password hashing API might be backported to the 1.x branch:
 [2018-06-16 16:22 UTC] phpdoc at mail dot my1 dot info
last time I checked, the ability of using arbitrary salts wasnt available for 
PASSWORD_ARGON2I and only for PASSWORD_BCRYPT and even that is deprecated.

and as stange already says it is exposed by other languages and on top of it, it is a part of argon.

why should one go with playing on the salt using a pseudorandom function with both a self made salt and a secret if argon can accept secrets by itself and just use that?

also it's probably more secure than a self-built workaround anyway.
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Thu Jul 19 17:01:25 2018 UTC