Switch to Argon2

Please do this, or at least scrypt

Maybe that was a reasonable argument in 2018 (though I’d have to see data to be convinced), but no way that is the case in 2020. WASM is in all major browsers now…

Or maybe not switch, but add Argon2? So that you can choose between the two. I mention this because in the vault settings there’s this menu, but with only 1 choice: Argon2

However, I have no idea how doable this is.

1 Like

Hi All,

As several of you have indicated the strong desire for Argon2 as an option in Bitwarden clients, we have accepted this as a requested enhancement. There has also been an update to the related GitHub issue here: https://github.com/bitwarden/jslib/issues/52.

I believe @michaelsmoody has created a fork for this process to get started already and any other collaborators I would encourage to group together on the effort, etc. Please provide any design discussions, decisions and roadblocks so the community and Bitwarden engineering team may assist as necessary. The framework that Kyle has created for KDF was intended to be able to be expanded to support more than a single algorithm.

We will absolutely accept a solid implementation of this feature if all PRs are presented together that meets quality standards and encompasses for each of the Bitwarden clients: Web, Browser, Desktop, CLI, and Mobile. Argon2 may not replace SHA256 as the default but should be an option to be configured by the user. Also, the license for any libraries used may not be GPL based.

Please feel free to post/ask any questions or concerns and thank you again for your support!

5 Likes

My apologies, I’ve been working locally, and haven’t committed to the public repository on my GitHub. With that said, I’ll look into the framework that Kyle created, and I’ll also look into the licensing. Libsodium was what I was working on, in order to provide a multi-platform, well-supported library that supports this and other methods. It is ISC licensed. Is that compatible? Libsodium is of course continually developed, and pretty heavily audited.

Awaiting your replies…

2 Likes

ISC license should be fine, yes. Thanks for checking.

Also, there is an in-flight implementation of SSO in the works, which includes a new user onboarding flow that may include additional areas of impact. I would recommend keeping your fork up to date and watching any of those PRs that contain the “SSO” keyword.

It wasn’t even a good argument back in 2018. ASICs are 1,000,000x faster than even modern SHA256 hardware accelerated PBKDF2 implementations. They shouldn’t have been focusing on the performance difference between desktop and mobile but any client device and an attacker with custom ASICs.

And Argon2 doesn’t get most of its strength from computation but random memory access. Modern memory is actually slower than PC133 from the '90s in terms of latency. As long as the memory size of Argon2 is configured large enough to overflow cache and force memory access, you’re golden. The concurrency and iterations don’t add nearly as much protection as the memory size.

Even just googling the topic seems to lead to summaries of actual research and attempts to make Argon2 ASICs that it’s a fool’s errand and you’re better off buying more cheaper general hardware.

2 Likes
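The memory-size point in the post above, as an added example that is not part of the thread and is not Bitwarden code: it uses scrypt (the fallback the first post asks for) in place of Argon2 because Python's standard library ships scrypt, and it checks whether a KDF configuration's working set exceeds a cache size. The cache size, the configuration dictionaries and the function names are assumptions made for illustration.

```python
import hashlib

# Assumption: last-level cache size to compare against; tune per target CPU.
ASSUMED_CACHE_BYTES = 32 * 1024 * 1024


def working_set_bytes(cfg):
    """Approximate memory a KDF must touch while deriving one key."""
    if cfg["kdf"] == "pbkdf2-sha256":
        # PBKDF2 has no memory parameter; its state is a few hash blocks.
        return 256  # rough constant, not a measured value
    if cfg["kdf"] == "scrypt":
        # scrypt's large table V holds N blocks of 128 * r bytes each.
        return 128 * cfg["n"] * cfg["r"]
    raise ValueError(f"unknown kdf: {cfg['kdf']}")


def forces_main_memory(cfg, cache_bytes=ASSUMED_CACHE_BYTES):
    """True when the working set cannot fit in the assumed cache."""
    return working_set_bytes(cfg) > cache_bytes


def derive_key(password, salt, cfg):
    """Derive a 32-byte key with the KDF selected by cfg."""
    if cfg["kdf"] == "pbkdf2-sha256":
        return hashlib.pbkdf2_hmac("sha256", password, salt,
                                   cfg["iterations"], dklen=32)
    if cfg["kdf"] == "scrypt":
        # OpenSSL rejects scrypt calls whose table exceeds maxmem,
        # so allow the table plus headroom for its scratch buffers.
        limit = 2 * working_set_bytes(cfg) + 1024 * 1024
        return hashlib.scrypt(password, salt=salt, n=cfg["n"], r=cfg["r"],
                              p=cfg["p"], maxmem=limit, dklen=32)
    raise ValueError(f"unknown kdf: {cfg['kdf']}")


# Constructed sample configurations (not Bitwarden defaults).
PBKDF2 = {"kdf": "pbkdf2-sha256", "iterations": 100_000}
SCRYPT_SMALL = {"kdf": "scrypt", "n": 2**10, "r": 1, "p": 1}   # 128 KiB table
SCRYPT_LARGE = {"kdf": "scrypt", "n": 2**16, "r": 8, "p": 1}   # 64 MiB table

if __name__ == "__main__":
    for cfg in (PBKDF2, SCRYPT_SMALL, SCRYPT_LARGE):
        key = derive_key(b"constructed-password", b"constructed-salt", cfg)
        print(cfg["kdf"], working_set_bytes(cfg), forces_main_memory(cfg),
              key.hex()[:16])
```

Raising PBKDF2's iteration count never changes its `forces_main_memory` result, while the small scrypt configuration shows that a memory-hard KDF with a table that fits in cache loses the property the post describes.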

Hope to see this feature implemented soon!

Is there any progress?

1 Like

When will this security feature be added? It doesn’t need to replace SHA-256, but it should certainly be added as an option. Thanks! @cscharf @tgreer @kspearrin

We aren’t working on this internally at the moment, as @michaelsmoody has been leading the charge here.

We appreciate his efforts and time!

On that note, you may be interested in the three new security issues in Bitwarden I reported today. (I’m the person who reported this security issue with the KDF (assigned CVE-2019-19766) almost a year ago, which has not been fixed during that time and apparently still nobody at Bitwarden is working on fixing it.)

Details at: Three Major Bitwarden Security Issues

One of them allows anyone who can breach the Bitwarden infrastructure or release tooling/users the ability to steal every password of every desktop application user, via the no-user-intervention autoupdate mechanism. The web app at vault.bitwarden.com of course already permits such an attack because it’s impossible to protect a webapp’s cryptography code from a server breach (because the code comes from the server itself on each pageload).

All webapps have that issue. Why I almost exclusively use FF/Chrome addon and android app.

The KDF Bitwarden uses is THE industry standard. It is not the best, but it is by no means “insecure”.

I’m not sure how backwards compatible BW is that you could actually use BW without auto-update. All updates are signed and should refuse to install by the OS/browser if not signed. The real question is how robust is the security around their signing system.

1 Like