Description
This tells me argon2i is the preferred type for password-based key derivation:
Lines 20 to 22 in a112416
This tells me argon2id is preferred:
argon2-cffi/src/argon2/low_level.py
Lines 57 to 65 in e9f84e4
The argon2 paper appears to recommend argon2i: (emphasis mine):
8 Applications
Argon2d is optimized for settings where the adversary does not get regular access to system memory or CPU,
i.e. he can not run side-channel attacks based on the timing information, nor he can recover the password much
faster using garbage collection [7]. These settings are more typical for backend servers and cryptocurrency
minings. For practice we suggest the following settings:
• Cryptocurrency mining, that takes 0.1 seconds on a 2 Ghz CPU using 1 core — Argon2d with 2 lanes and
250 MB of RAM;
16
• Backend server authentication, that takes 0.5 seconds on a 2 GHz CPU using 4 cores — Argon2d with 8
lanes and 4 GB of RAM.
Argon2i is optimized for more dangerous settings, where the adversary possibly can access the same machine,
use its CPU or mount cold-boot attacks. We use three passes to get rid entirely of the password in the memory.
We suggest the following settings:
• Key derivation for hard-drive encryption, that takes 3 seconds on a 2 GHz CPU using 2 cores — Argon2i
with 4 lanes and 6 GB of RAM;
• Frontend server authentication, that takes 0.5 seconds on a 2 GHz CPU using 2 cores — Argon2i with 4
lanes and 1 GB of RAM.