How to find out what values are good for memory_cost, threads and time_cost for Argon2i in Symfony 4?


Problem description


I want to use Argon2i for my Symfony 4 encoder as I've seen multiple articles about how it's supposedly better than bcrypt or pbkdf2. Unfortunately I don't really know what values to use for the memory_cost, time_cost or threads on my system. What are good values and how can I figure out what my values should be?

Recommended answer


What are good values?

This is HIGHLY subjective based on your server. @Martin has done a reasonably good description of this here and you can read the RFC specs here. But to summarize (and perhaps share my personal opinion/best answer just based off the dozens of articles I've read) - "good" values are ones that:


  • Hash time. Make the hash take somewhere between 0.5ms - 500ms on a normal system (higher values offer more security but slower user experience) or 1s+ on a high security system. Again even THOSE figures are highly subjective, that just seems to be a general consensus based on what I've read. The reason why you want the hash to take this long is because when a hacker attempts to crack the hash it will take that amount of time per hash attempt. Normal hacking attempts can happen in a few milliseconds so stretching it out so it takes longer will basically make it take forever to crack the hash and therefore the hacker will (hopefully?) give up.

  • Memory. Bigger servers will have bigger amounts of RAM. Personally at this time I'd say 128MB on a server with a fairly large amount of RAM and a good cpu would probably be the max you would want to go (at the time of this writing), but that's just my opinion. This value really depends a lot on how much RAM your web server typically uses in the first place - you don't want to use big values on servers that already consume a lot of RAM. The default for Argon2 is 1MB. At that default the following times are found:

  • Common Cloud Server 512 MB, 1 core: 3-5ms
  • Common Cloud Server 2 GB, 2 cores: 1-3ms
  • 512 MB Raspberry Pi Zero: 75-85ms

  • Threads. Basically how many threads of CPU it'll take up. Like memory_cost, this kind of revolves around the CPU usage of your server. In my experience I take the max number of cores and divide it by half and that typically is a good number (if nothing else, to start with), but you need to experiment to see.

  • Time Cost. This value should be figured out last. Start with 1, figure out the values you want for memory_cost and threads and then scale this value up. In my experience if you get memory_cost and threads right this number doesn't get higher than 5, but again this is HIGHLY disputable.


That all being said (and the purpose of this post in the first place), the test below is an attempt to help you find values that will work for YOUR system. Note that if you ever change out your hardware/OS/web server service/some major change to your server you should ALWAYS redo these calculations. Also don't run this on your dev server, set the values and think they will be the same on your production server - you should do this on each server you intend to use the code on.


Below is a simple test which just involves a twig file and a controller. It will then execute the hash using Argon2i with the specified values. Setting the iterations to more than 1 will allow us to calculate an average (perhaps more accurate). In the end it will give a difference value and marks it with an easy red or green color in order to tell you what the result is.

Twig:

<form action="{{ path('test') }}" method="post">
    <p>
        <label for="time_cost">Time Cost:</label>
        <input type="text" id="time_cost" name="time_cost" value="{{ last_time_cost }}" />
    </p>
    <p>
        <label for="memory_cost">Memory Cost:</label>
        <input type="text" id="memory_cost" name="memory_cost" value="{{ last_memory_cost }}" />
    </p>
    <p>
        <label for="thread_cost">Thread Cost:</label>
        <input type="text" id="thread_cost" name="thread_cost" value="{{ last_thread_cost }}" />
    </p>
    <p>
        <label for="iterations">Iterations (how many times to compute the hash):</label>
        <input type="text" id="iterations" name="iterations" value="{{ last_iteration }}" />
    </p>
    <p>
        <label for="desired_time">Desired Time in seconds. Normal system: 0.5, High security: 1 (or higher).:</label>
        <input type="text" id="desired_time" name="desired_time" value="{{ last_desired_time }}" />
    </p>
    <p>
        <label for="password">Password to hash:</label>
        <input type="text" id="password" name="password" value="{{ last_password }}" />
    </p>
    <button type="submit">Run Test</button>

    <div>Average seconds taken (over {{ last_iteration }} iterations): {{ total }}</div>
    <div>Ideal seconds taken: {{ last_desired_time }}</div>
    <div>Difference: <span style="color:{{ style }}">{{ diff }}</span></div>
</form>

Controller:

<?php

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;

class TestController extends AbstractController
{
    /**
     * @Route("/test", name="test")
     */
    public function test(Request $request)
    {
        // Form fields arrive as strings; each one is validated, defaulted
        // and cast to the type password_hash() expects.
        $time_cost = $request->request->get('time_cost');
        $memory_cost = $request->request->get('memory_cost');
        $thread_cost = $request->request->get('thread_cost');
        $desiredTime = $request->request->get('desired_time');
        $iterations = $request->request->get('iterations');
        $password = $request->request->get('password');

        // memory_cost is given in kibibytes: 16384 = 16 MiB
        if (empty($memory_cost) || !is_numeric($memory_cost))
            $memory_cost = 16384;
        $memory_cost = (int) $memory_cost;

        if (empty($time_cost) || !is_numeric($time_cost))
            $time_cost = 2;
        $time_cost = (int) $time_cost;

        if (empty($thread_cost) || !is_numeric($thread_cost))
            $thread_cost = 4;
        $thread_cost = (int) $thread_cost;

        // is_numeric() already accepts decimal strings such as "0.25"
        if (empty($desiredTime) || !is_numeric($desiredTime))
            $desiredTime = 0.25;
        $desiredTime = (float) $desiredTime;

        // at least one iteration, otherwise the average below divides by zero
        if (empty($iterations) || !is_numeric($iterations) || (int) $iterations < 1)
            $iterations = 10;
        $iterations = (int) $iterations;

        if (empty($password))
            $password = 'correct horse battery staple';

        $options = [
            'memory_cost' => $memory_cost,
            'time_cost' => $time_cost,
            'threads' => $thread_cost
        ];

        // Time $iterations hashes and average them to smooth out jitter.
        $totalTime = 0;
        for ($i = 1; $i <= $iterations; $i++) {
            $start = microtime(true);
            password_hash($password, PASSWORD_ARGON2I, $options);
            $end = microtime(true);
            $totalTime += $end - $start;
        }

        $averageTime = $totalTime / $iterations;

        // Positive diff: hashing is faster than desired (raise the costs).
        // Below -0.5: more than half a second slower than desired (lower the costs).
        $diff = $desiredTime - $averageTime;

        if ($diff > 0 || $diff < -0.50)
            $style = 'red';
        else
            $style = 'green';

        return $this->render('index/test.html.twig', array(
            'last_thread_cost' => $thread_cost,
            'last_time_cost' => $time_cost,
            'last_memory_cost' => $memory_cost,
            'last_iteration' => $iterations,
            'last_desired_time' => $desiredTime,
            'last_password' => $password,
            'total' => $averageTime,
            'diff' => $diff,
            'style' => $style,
        ));
    }
}


Once you get values that work for your environment, you can set them for your encoder in security.yaml

security.yaml /app/config/packages/security.yaml


Note: This has example values. DO NOT use them (w/o testing), use above to find YOUR values.

security:
    ...
    encoders:
        App\Security\SecurityUser:
            algorithm: argon2i
            memory_cost: 102400
            time_cost: 3
            threads: 4
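As an added example (not part of the answer above or of Symfony), here is a standalone PHP CLI script that applies the same procedure without the web form: it keeps memory_cost and threads fixed, starts at time_cost = 1 and raises it until the average password_hash() time reaches the target, reporting when the target cannot be reached so you know to raise memory_cost instead. The 64 MiB / 2 threads / 0.5 s starting values and the sample password are assumptions; the script expects a PHP 7.2+ build with Argon2 support.

```php
<?php
// Added example, not from the original answer: calibrate Argon2i time_cost
// from the command line. memory_cost is in KiB, as with password_hash().
declare(strict_types=1);

if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build has no Argon2 support (needs PHP >= 7.2 with Argon2 enabled).\n");
    exit(1);
}

/** Average wall-clock seconds of one password_hash() call with $options. */
function averageHashSeconds(array $options, int $iterations, string $password): float
{
    $total = 0.0;
    for ($i = 0; $i < $iterations; $i++) {
        $start = microtime(true);
        password_hash($password, PASSWORD_ARGON2I, $options);
        $total += microtime(true) - $start;
    }
    return $total / $iterations;
}

/**
 * Keep memory_cost and threads fixed, start at time_cost = 1 and raise it until
 * the average hash takes at least $targetSeconds. 'reached_target' is false when
 * $maxTimeCost is hit first, which means memory_cost (or threads) is too low.
 */
function calibrateTimeCost(int $memoryCostKiB, int $threads, float $targetSeconds,
                           int $iterations = 5, int $maxTimeCost = 20): array
{
    $password = 'correct horse battery staple'; // constructed sample input
    for ($timeCost = 1; $timeCost <= $maxTimeCost; $timeCost++) {
        $options = ['memory_cost' => $memoryCostKiB, 'time_cost' => $timeCost, 'threads' => $threads];
        $seconds = averageHashSeconds($options, $iterations, $password);
        if ($seconds >= $targetSeconds) {
            return $options + ['measured_seconds' => $seconds, 'reached_target' => true];
        }
    }
    return $options + ['measured_seconds' => $seconds, 'reached_target' => false];
}

// Assumed starting point: 64 MiB, 2 threads (half of a 4-core box), 0.5 s target.
// Note: PHP builds whose Argon2 comes from libsodium honour a single thread only.
$result = calibrateTimeCost(64 * 1024, 2, 0.5);
printf("# measured %.3fs, target %s\nmemory_cost: %d\ntime_cost: %d\nthreads: %d\n",
    $result['measured_seconds'], $result['reached_target'] ? 'reached' : 'NOT reached',
    $result['memory_cost'], $result['time_cost'], $result['threads']);
```

Run it on each server you deploy to and paste the three printed keys into the encoder block of security.yaml; rerun it after any hardware or PHP upgrade.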
