[PHP-DEV] [RFC][DISCUSSION] Argon2id in Password Hash

Posted by Charles R. Portwood II 
February 05, 2018 05:10PM
Hello Internals,

I would like to propose adding Argon2id to the password_* functions in PHP
7.3.

An RFC[1] has been prepared which covers implementation details, and some
common questions & concerns that I have anticipated. This RFC also includes
a tested and working implementation[2] to illustrate changes to PHP itself.

The biggest question at this time is how we want to handle versioning of
the Argon2 reference library. The RFC covers this issue in detail and
provides a solution that ensures no BC breakage for existing users.

I look forward to hearing your feedback. Thanks.

[1] https://wiki.php.net/rfc/argon2_password_hash_enhancements
[2]: https://github.com/php/php-src/compare/master...charlesportwoodii:argon2_password_hash_enhancements?expand=1

---

Charles R. Portwood II
Charles R. Portwood II
[PHP-DEV] Re: [RFC][DISCUSSION] Argon2id in Password Hash
May 22, 2018 06:00PM
On Feb 5, 2018, 9:43 AM -0600, Charles R. Portwood II wrote:

> Hello Internals,
>
> I would like to propose adding Argon2id to the password_* functions in PHP 7.3.
>
> An RFC[1] has been prepared which covers implementation details, and some common questions & concerns that I have anticipated. This RFC also includes a tested and working implementation[2] to illustrate changes to PHP itself.
>
> The biggest question at this time is how we want to handle versioning of the Argon2 reference library. The RFC covers this issue in detail and provides a solution that ensures no BC breakage for existing users.
>
> I look forward to hearing your feedback. Thanks.
>
> [1] https://wiki.php.net/rfc/argon2_password_hash_enhancements
> [2]: https://github.com/php/php-src/compare/master...charlesportwoodii:argon2_password_hash_enhancements?expand=1
>
> ---
>
> Charles R. Portwood II

Hello Internals,

I would like to follow up on the RFC to add Argon2id to the password_* functions in PHP 7.3. The discussion itself[1] didn’t seem to gather much attention since it was posted in February; however, there have been some discussions[2] in a separate thread inquiring about the status of Argon2 in PHP in general.

I’ve updated the RFC[3] based upon discussions I’ve had with individuals outside of the mailing list. With this update the RFC now recommends forcing a libargon2 version >= 20161029 during configure for the --with-password-argon2 flag, providing password_* with support for both Argon2i and Argon2id.

I would like to target PHP 7.3 with this RFC. Since there haven’t been any major discussion points raised since the RFC was introduced back in February, I would like to offer another opportunity for additional discussion before I submit this RFC for a vote in the next few weeks.

I look forward to hearing your feedback! Thanks.

[1]: https://externals.io/message/101777
[2]: https://externals.io/message/102041#102042
[3]: https://wiki.php.net/rfc/argon2_password_hash_enhancements

---

Charles R. Portwood II