On 7/25/2022 15:34, John Helmert III wrote:
> On Mon, Jul 25, 2022 at 03:30:08PM -0400, Joshua Kinard wrote:


>> "yescrypt" is an odd name for a hashing algorithm.  I looked it up on
>> Wikipedia, and it just redirects to the 2013 Password Hashing Competition
>> (PHC)[1], in which yescrypt was just a runner-up (along w/ catena, makwa,
>> and lyra2).  The winner was argon2.  So unless something has changed in the
>> last nine years or there is more recent information, wouldn't it make more
>> sense to go with the winner of such a competition (argon2) instead of a
>> runner-up?  I know marecki said Fedora was waiting for an official RFC for
>> argon2, but the wait for that ended almost a year ago in Sept 2021 when
>> RFC9106[2] was released.
>> Some really quick looking around, I'm not finding any substantive
>> discussions on why yescrypt is better than argon2.  It so far seems that it
>> just got implemented in libxcrypt sooner than argon2 did, so that's why
>> there is this sudden push for it.
>> E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend
>> yescrypt instead.  Anyway, it has to be implemented in libcrypt.", but
>> provides no justification for why they recommend yescrypt.  Since we're
>> dealing with a fairly important function for system security, I kinda want
>> something with much more context that presents pros and cons for this
>> algorithm over others, especially argon2.
>> That said, there does appear to be an open pull request on libxcrypt for
>> argon2[4], so maybe that is something to follow to see where it goes?
>> 1. https://en.wikipedia.org/wiki/Password_Hashing_Competition
>> 2. https://datatracker.ietf.org/doc/html/rfc9106
>> 3. https://github.com/linux-pam/linux-pam/issues/45
>> 4. https://github.com/besser82/libxcrypt/pull/150
>> tl;dr, I'm just a bit uncomfortable adopting a new hashing algo just because
>> it seems popular.  I would prefer something that's been thoroughly tested.
>> The scant info I've found thus far, that points to argon2, not yescrypt.
> There's justification for this in one of the references in zlogene's
> original mail:
> https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow#Detailed_Description

Yeah, I did read that bit, but it still feels like it is written as
someone's opinion rather than as an objective comparison.  It also states
that yescrypt is "based on NIST-approved primitives", whereas argon2 is
based on Blake2 (which I assume is not NIST-approved" at this time).  But
just because something uses a NIST-approved mechanism does not mean it
inherits that approval, so that argument doesn't completely convince me.

Joshua Kinard
rsa6144/5C63F4E3F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

        --Emperor Turhan, Centauri Republic

Reply via email to