Argon2 hashing algorithm for NodeJS server model

JonL · September 18, 2020, 3:43pm

Sha512 is not a security flaw by itself. You could build an acceptable algorithm with it in Wappler. But do you know how to do that? How are you going to select the salt? Is it secure enough? How will you know?

SHA family of functions were never intended to be used as a means to storing password hashes. They were intended for “digests”. To sign things in other words.

You can use a SHA function as a building block for a secure algorithm(i.e. PBKDF2-HMAC)

But on it’s own your application will be less secure than other apps using a key derivation function.

NIST doesn’t recommend using SHA functions to store “secrets”. They recommend Key Derivation Functions which SHA family are not.

Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive. Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON].

Argon2, scrypt, bcrypt and old but standardized PBKDF2 are still way better than using any SHA function.

George · September 18, 2020, 6:11pm

That is actually a pretty neat solution! Maybe @patrick should check it out and see if we can better use it like this indeed instead of going the async way.

patrick · September 21, 2020, 11:15am

Instead of editing an existing formatter file you could create a new one, all files in the lib/formatters are being loaded dynamically and that would prevent your file from being overwritten.

An async method would be preferred here since the sync version would block your JavaScript thread and makes your server freeze up for a little moment while the function is executing. To allow async formatters I have to rewrite the expression parser to be async also, that will take some time but is something that I also prefer. (Will be for NodeJS exclusive since the other server models (except .net) do not support async execution)

Philip_J · September 21, 2020, 11:58am

Would you ‘guess’ that it might be a 2020 job?

JonL · September 21, 2020, 1:42pm

Thanks for the tip @patrick.

Indeed. Async will always be preferred.

The app I am building isn’t planning on having too many users at the beginning. Around 1200 users at launch. And as the actual workload is created on hashing and not so much on verifying I am assuming there won’t be so much workload to end in a DoS.

karh · September 22, 2020, 11:26pm

@JonL Your guess is correct. I don’t know how to build an acceptable algorithm. I looked at osme other threads like Better password encryption and honestly, I am confused.

I think my options are:

Use SHA512 Hash for passwords right now and wait for Wappler to implement Argon2 for NodeJs
Use SHA512 Hash for passwords + set up a random salt like so Centralise salt string references and wait for Argon2
Try to replicate what you have done above @JonL - but you are advising to wait

Can you please advice me?

Thank you!

JonL · February 2, 2021, 1:20pm

Sorry @karh I totally missed this post. Are you still blocked here?

karh · February 3, 2021, 11:37am

@JonL Haha yeah, I’ve just gone with the first option… not live yet so advice is welcome!

JonL · February 3, 2021, 11:41am

I could create a module for argon but it would still need a small workaround as I can’t plug into Server Connect Security Provider. Hopefully one day Security Provider can be extended.

On the other side argon2 is trending in the forum lately and people are pushing for a native solution within Wappler.

So maybe it’s coming soon! @george?

Sha-512 is an OK temporary solution of course. But you should eventually migrate to a more secure option like argon2

max_gb · February 3, 2021, 11:46am

It’s one main reason I’ve not converted completely to Node yet

JonL · February 3, 2021, 11:48am

And that’s the reason I haven’t published a module for this tbh. I don’t want to have to maintain something so critical and core like a security feature.

JonL · February 3, 2021, 11:51am

This is actually a very good point. @george we have people on php because of this!

karh · February 3, 2021, 3:01pm

Thanks Jon, will work with this for now and keep my fingers crossed for a native solution in the near future

Notsopro · February 17, 2021, 4:19pm

+1
Following advice from others I’ve kicked off a new application using NodeJS rather than my more comfortable PHP. Luckily this is just a prototype for now but native password hashing in NodeJS is most welcome. Please.

JonL · February 17, 2021, 4:43pm

tenor

max_gb · February 17, 2021, 6:55pm

Please vote for it too!

Teodor · December 9, 2021, 4:18pm

Teodor · December 9, 2021, 4:20pm

Argon2 is now available for NodeJS as well.

Teodor · December 9, 2021, 4:19pm

Teodor · December 11, 2021, 4:00pm

This topic was automatically closed after 47 hours. New replies are no longer allowed.