Argon2
-
This KDF was added in v1.12.0.
-
Argon2 is a key derivation function which won the Password Hashing Competition in 2015. This KDF is recommended as it offers a variety of modes which can be tailored to prevention of GPU attacks, prevention of side-channel attacks, or a combination of both. It allows for a variable output key length.
-
The recommended minimum cost is
memory=216 (65,536) KiB,iterations=5,parallelism=8 (as of 4/22/2020 on commodity hardware). The Argon2 specification paper (PDF) Section 9 describes an algorithm used to determine recommended parameters. These parameters should be increased to the threshold at which legitimate systems will encounter detrimental delays (useArgon2SecureHasherTest#testDefaultCostParamsShouldBeSufficient()to calculate safe minimums). -
The salt format is
$argon2id$v=19$m=65536,t=5,p=8$ABCDEFGHIJKLMNOPQRSTUV. The salt is delimited by$and the four sections are as follows:-
argon2id- the "type" of algorithm (2i,2d,2id). NiFi currently usesargon2idfor all salts generated internally. -
v=19- the version of the algorithm in decimal (0d19=0x13). NiFi currently uses0d19for all salts generated internally. -
m=65536,t=5,p=8- the cost parameters. This contains the memory, iterations, and parallelism in order. -
ABCDEFGHIJKLMNOPQRSTUV- the 12-44 character, Base64-encoded, unpadded, raw salt value. This decodes to a 8-32 byte salt used in the key derivation.
-
