@RobertW I have already made a community pull request for scrypt for all platforms. It just needs to be reviewed by the Bitwarden team (and possibly revised by me if anything is not ready yet). As for argon2: it is a bit more work compared to scrypt, since it has to be run as a WASM module. I’ll do some testing on the weekend and report back, but if someone else wants to look at it, feel free.
About running as a pure JS library: if you have any significant work time in WASM, then native JS is not feasible. It is about 300x slower. E.g., comparing Argon2 in browser and https://argon2id.rabbit-company.com/ with 102400 KiB memory, 2 iterations and 3 parallelism takes 408 ms on WASM and ~145 seconds in JS on my system.
Thank you! Great to know it’s at least getting explored. Hopefully that works out or something similar
Ok, actually it didn’t take until the weekend. Working with WebAssembly was still a pain, but it ended up working:
Argon2 using the WASM module in the browser and desktop, and the native bindings in the CLI. Web extensions are still untested; they will probably not work at all for now.
Still, this needs quite a lot more work to be in a pull-request ready state. Anyways, here is the link:
Adding my voice here: Bitwarden please implement Argon2 or Scrypt
Great to read this; it will make Bitwarden security a lot stronger and will get more trust from the audience as well.
Ok, basic implementations for all platforms are working now. I have created a separate thread about argon2 support here:
The Firefox extension Store is still not upgraded to 2023.2.0
On Win11 x64 with the latest firefox, I first tried using ‘login with another device’ which resulted in a blank dialog box, and no ability to access any data even from a right-click on the extension.
Uninstalling the addon, then reinstalling the addon, logging in with the master password made things work correctly.
It now also allows ‘login with another device’ without issue.
Suggestion for anyone logging in for the first time with argon2id: decrypt with the master password first.
Please, it is very important to develop other encryption options like AES-GCM
Would love xChaCha20 like NordPass.
Will BitWarden be implementing xChaCha20 in future? @bw-admin
I would be surprised.
When I see how hard it was to get them to implement Argon (which adds significant benefits).
The gain of switching to chacha for small IO like passwords will be negligible IMHO.
Dear community,
I have found several articles on the Internet that make me question the security of the AES-CBC algorithm. Wouldn’t it be better to use the AES-GCM or XChaCha20 algorithm, to be sure to use a currently inviolable algorithm?
- The dangers of AES-CBC
- Bit Flipping Attack on CBC Mode
- Padding oracles and the decline of CBC-mode cipher suites
- Is AES-CBC mode not secure against chosen cipher-text attacks even if the IV is not predictable?
- Why is using a Non-Random IV with CBC Mode a vulnerability?
- AES in CBC Mode Is totally unsecure if no defense is provided for padding oracle attack, right?
- Timing vulnerabilities with CBC-mode symmetric decryption using padding
- AES-CBC bit flipping Attack
The attacks you list either rely on non-random IVs (not the case in Bitwarden, they are random) or are attacking the malleability of the cipher, which only works if the ciphertexts are not integrity protected. These days Bitwarden only uses AES-CBC with HMAC-SHA256 integrity protection, so these attacks don’t work either. AES-CBC is fine if used correctly and horribly insecure when used incorrectly. So far no vulnerability was found in Bitwarden’s use. By the way, AES-GCM also has attacks when not used in a very specific way (Why AES-GCM Sucks - Dhole Moments). ChaCha20-Poly1305 is nice, but afaik would require another WebAssembly module, and given the lack of attacks against aes256cbc-hmacsha256 it’s not too pressing imo.
The XChaCha20 algorithm could be a game changer for Bitwarden and make it one of the most secure password managers, perhaps even from quantum attacks. I understand that the aes256cbc-hmacsha256 solution is a viable solution. Does using AES-CBC with Argon2id further improve the level of security?
Not necessarily. Against symmetric ciphers, such as both AES (in any chaining mode) and ChaCha20, the best published attack (that I know of) is Grover’s algorithm. And even that doesn’t break the security; it only slightly weakens it. So much so that NIST still considers AES-128 secure for decades. I.e., the quantum threat to the symmetric crypto in Bitwarden is just not there (at least with current algorithms).
On the other hand, asymmetric crypto (be it RSA or Ed25519) could be broken instantly if quantum computers were to scale to be able to run e.g. Shor’s algorithm. While these are not used for your main vault, RSA is used in a few places in Bitwarden, namely: passwordless login (your master key is transported, encrypted with the requesting device’s public key) and organizations (the organization’s symmetric key is encrypted with each member’s public key).
If the asymmetric crypto were to be broken, should an attacker have a full copy of the database (how they would get this is another matter, of course), they would instantly gain access to all organization credentials. If the attacker had access to passwordless login requests, even old ones, they would instantly get access to the account’s master password hash and master key, which they could use to retrieve the new vault and decrypt it, all without breaking AES.
Now while this sounds scary, quantum computers are just not there yet. Heck, even most protocols, such as TLS (which the entire web runs on), still mostly rely on RSA or Ed25519. These would also instantly be broken. When the newer quantum-resistant asymmetric crypto schemes get standardized and added to common crypto libraries, at that point I think Bitwarden could migrate to these schemes. (Now is definitely not the time, as these new crypto schemes have not been sufficiently tested, such that migrating to them could open your vault to new attack vectors.)
Does using AES-CBC with Argon2id further improve the level of security?
Using argon2id instead of PBKDF2 does not help against quantum attacks. It does help making it harder to conduct an offline brute-force on GPUs/ASICs in case your encrypted vault somehow got leaked.
Closing this thread to free up votes as Argon2 support has now been implemented.
For additional encryption suggestions, please break out into specific posts for voting and discussion.