|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #81326 Support a NIST SP 800-63B compatible password hash algorithm
Submitted: 2021-08-03 13:32 UTC Modified: 2021-08-10 15:16 UTC
From: php dot bugs at what dot tf Assigned:
Status: Suspended Package: *Encryption and hash functions
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
31 - 26 = ?
Subscribe to this entry?

 [2021-08-03 13:32 UTC] php dot bugs at what dot tf
Since version 5.5.0, PHP has a nice and secure password hashing API. Since developers have difficulties to handle more classical cryptographic API [1] and tends to favor functionalities over security even for password storage [2], the use of PHP's API should be highly recommended and accessible to anyone.

Unfortunately, I believe the current API does not support any password hashing function compatible with one of most famous security requirements guidelines: the NIST Special Publication 800-63B [3]. Although the basic requirements for the functions are met (accepting a password, a salt and a cost factor), there is a problem regarding the underlying hash function.

The SP 800-63B requires this hashing functions to be one of:
 - HMAC (FIPS 198-1) using an other approved hash function
 - Any SP 800-107 [4] approved hash functions (SHA-1 and the SHA-2 family)
 - SHA-3 (FIPS 202)
 - CMAC (SP 800-38B)
 - Keccak Message Authentication Code (KMAC)
 - Customizable SHAKE (cSHAKE)
 - ParallelHash (SP 800-185)

Currently, this API supports two hashing algorithms: Bcrypt and Argon2 (variants i and id). Unfortunately, Bcrypt is based on Blowfish and Argon2 uses Blake2b. As far as I know, none of those hashing methods are approved by the NIST and therefore Bcrypt and Argon2 are incompatible with the SP 800-63B.

I believe this incompatibility forces developers to implement their own and potentially insecure password hashing methods instead of using the secure PHP password hashing API. This may be one of the causes of framework using outdated and/or insecure password hashing methods [5]. Therefore, I suggest that PHP should support a new hashing function that is compatible with the SP 800-63B.

Based on the most recent study I found [6], I would suggest two candidates: Yescrypt and Balloon.

Yescrypt [7] is built upon Scrypt and is based ontherefore uses PBKDF2-HMAC-SHA256, which is explicitly approved by the NIST. It also has the advantage to be implemented in libxcrypt and therefore uses, just like Bcrypt does, a simple cost factor parameter. It is also used in PAM and Shadow. Its main disadvantage is the implementation complexity.

Balloon [8] is explicitly cited in the SP 800-63B as an approved derivation function, the only compatibility requirement would be to chose an approved underlying hash function. Like Argon2, it does not have simple cost factor and therefore the multiple parameters should be used. Because of this, the underlying hash function could be specified as a parameter. Its main advantage is the implementation simplicity, although the original specification does not well defines some steps.

[1]: Wijayarathna, and al., 2018
[2]: Naiakshina, and al., 2017
[5]: Ntantogian, and al., 2019
[6]: Hatzivasilis, 2017


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-08-03 17:51 UTC]
-Status: Open +Status: Suspended
 [2021-08-03 17:51 UTC]
Adopting a new password hashing algorithm will entail some degree of debate, which means the subject should be discussed on the internals mailing list rather than this simple bug tracker.

If you encounter anyone who thinks that the password functions are not good enough and believe they must therefore implement some more desirable algorithm on their own, please point them to the hash extension instead.
 [2021-08-10 15:16 UTC]
I expect that hash_pbkdf2() with a suitable hash function is compliant.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Dec 09 08:03:35 2021 UTC