Argon2i in PHP7 - Picking Appropriate Options

What values should I use to generate an Argon2i hash, and how do I find appropriate settings that my hardware can handle?

i.e.:

memory_cost
time_cost
threads

e.g.:

$options = [
    'memory_cost' => 1<<17,
    'time_cost'   => 4,
    'threads'     => 3,
];

$hash = password_hash('test', PASSWORD_ARGON2I, $options);

There is a simple script in the PHP docs for finding an appropriate cost value for bcrypt hashes. How does this apply to Argon2?

From: PHP RFC Argon2 password_hash

Cost factors

From:

Due to the variety of platforms PHP runs on, the cost factors are deliberately set low as to not accidentally exhaust system resources on shared or low resource systems when using the default cost parameters. Consequently, users should adjust the cost factors to match the system they're working on. The following list outlines hashing performance on various systems using these default cost values.

Common Cloud Server 512 MB, 1 Core: 3-5 ms
Common Cloud Server 2 GB, 2 Core: 1-3 ms
512 MB Raspberry Pi Zero: 75-85 ms

As Argon2 doesn't have any “bad” values, however consuming more resources is considered better than consuming less. Users are encouraged to adjust the cost factors for the platform they're developing for.

Threads

From: What Is The Recommended Number Of Iterations For Argon2

The argon2 paper gives the following procedure (paraphrased) for determining the parameters you should use:

    1. Figure out how many threads you can use, choose $h$ accordingly.
    2. Figure out how much memory you can use, choose $m$ accordingly.
    3. Decide on the maximum time $x$ you can spend on it, choose the largest $t$ such that it takes less than $x$ with your system and other parameter choices.

I.e. they recommend you run it on your system and decide the largest parameters that match your limits on memory and processor time use.

From the Argon2 specification

(link here)

  • Degree of parallelism p determines how many independent (but synchronizing) computational chains can be run. It may take any integer value from 1 to 2^24 - 1.

  • Memory size m can be any integer number of kilobytes from 8p to 2^32 - 1. The actual number of blocks is m′, which is m rounded down to the nearest multiple of 4p.

  • Number of iterations t (used to tune the running time independently of the memory size) can be any integer number from 1 to 2^32 - 1.

Further reading

From Here

  • Figure out how many threads can be used on each call to Argon2 (parallelism). They recommend twice as many as the number of cores dedicated to hashing passwords.

  • Figure out how long each call can take. One recommendation for concurrent user logins is to keep it under 0.5ms.

  • Measure the time for hashing using your chosen parameters. Find a time_cost that is within your accounted time. If time_cost=1 takes too long, lower memory_cost.

Conclusion:

So, from the excerpts above, it seems you want to target a timespan of 0.5ms as measured with PHP's microtime, just as in the bcrypt example. You can then set the number of threads to twice the number of cores your CPU is running, so 8 for a 4-core processor.

You should then be able to run a series of tests using those two values to find a working value for the third, memory_cost.

Run some tests on your server to see what it can comfortably manage. Explore whether this CLI can help.

Change the three variables in the order quoted above (under Threads), so adjust the memory count using large iteration counts.

In short, we can't give you a "best advice" guide, because it depends on the specs you intend to run on...
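The procedure the answer describes (fix the thread count, fix the memory, then pick the largest time_cost that still fits the time budget, lowering memory when even time_cost=1 is too slow), carried through as an added PHP example that is not part of the original question or answer. It adapts the idea of the bcrypt cost-finder from the PHP docs to Argon2i. The thread count, starting memory, time budget and the helper names argon2iHashTimeMs, largestTimeCostWithinBudget and pickArgon2iOptions are assumptions of this example; it needs a PHP 7.2+ build with Argon2 support.

```php
<?php
// Added example (not from the original question or answer): an Argon2i
// parameter finder in the spirit of the bcrypt cost script in the PHP docs.
// Order follows the quoted procedure: threads first, then memory, then the
// largest time_cost that stays inside the time budget.
// Assumptions: PHP >= 7.2 built with Argon2 (PASSWORD_ARGON2I defined);
// the thread count, starting memory and budget below are constructed values.

declare(strict_types=1);

if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build lacks Argon2 support (PASSWORD_ARGON2I undefined).\n");
    exit(1);
}

/**
 * Time password_hash() with the given Argon2i options, in milliseconds.
 * Runs $rounds hashes and returns the median to damp scheduler noise.
 */
function argon2iHashTimeMs(array $options, int $rounds = 3): float
{
    $samples = [];
    for ($i = 0; $i < $rounds; $i++) {
        $start = microtime(true);
        password_hash('benchmark-password', PASSWORD_ARGON2I, $options);
        $samples[] = (microtime(true) - $start) * 1000.0;
    }
    sort($samples);
    return $samples[intdiv(count($samples), 2)];
}

/**
 * Largest time_cost whose hash stays within $budgetMs for fixed threads and
 * memory_cost. Returns null when even time_cost=1 is too slow, which is the
 * answer's signal to lower memory_cost.
 */
function largestTimeCostWithinBudget(int $threads, int $memoryKiB, float $budgetMs, int $maxTimeCost = 20): ?int
{
    $best = null;
    for ($t = 1; $t <= $maxTimeCost; $t++) {
        $ms = argon2iHashTimeMs([
            'memory_cost' => $memoryKiB,
            'time_cost'   => $t,
            'threads'     => $threads,
        ]);
        printf("threads=%d memory_cost=%d KiB time_cost=%d -> %.1f ms\n", $threads, $memoryKiB, $t, $ms);
        if ($ms > $budgetMs) {
            break;
        }
        $best = $t;
    }
    return $best;
}

/**
 * Halve memory_cost until some time_cost >= 1 fits the budget.
 * Returns the chosen option array, or null if nothing fits.
 */
function pickArgon2iOptions(int $threads, int $startMemoryKiB, float $budgetMs): ?array
{
    // Spec lower bound quoted above: memory must be at least 8p KiB.
    $minMemory = 8 * $threads;
    for ($m = $startMemoryKiB; $m >= $minMemory; $m = intdiv($m, 2)) {
        $t = largestTimeCostWithinBudget($threads, $m, $budgetMs);
        if ($t !== null) {
            return ['memory_cost' => $m, 'time_cost' => $t, 'threads' => $threads];
        }
    }
    return null;
}

// Constructed inputs: twice the core count as the answer suggests (4 cores -> 8),
// the question's 128 MiB starting memory, and a placeholder 50 ms budget.
$threads     = 8;
$startMemory = 1 << 17; // KiB, i.e. 128 MiB
$budgetMs    = 50.0;

$chosen = pickArgon2iOptions($threads, $startMemory, $budgetMs);
if ($chosen === null) {
    echo "No Argon2i parameters fit within {$budgetMs} ms on this host.\n";
    exit(1);
}
echo "Chosen options: " . json_encode($chosen) . "\n";

// Sanity check: a hash made with the chosen options verifies, and is not
// flagged for rehash when the same options are supplied again.
$hash = password_hash('test', PASSWORD_ARGON2I, $chosen);
var_dump(password_verify('test', $hash));                          // bool(true)
var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, $chosen)); // bool(false)
```

Run it from the CLI on the machine that will actually perform the hashing, since the numbers only mean something for that hardware and PHP build. The 50 ms budget is a placeholder: the RFC figures quoted above already put the default cost at 3-5 ms on a common cloud server, so set the budget from your own login-latency target rather than from any single quoted figure, and keep the `password_needs_rehash` call in the login path so stored hashes are upgraded when you later raise the parameters.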