Argon2 Class

Properties   Methods   Events   Config Settings   Errors  

This class implements Argon2 cryptographic hashing function designed for password hashing and protecting against various types of attacks.

Syntax

ipworksencrypt.Argon2

Remarks

Argon2 is a memory-hard algorithm that can be used for secure key derivation. It supports three different variants of the algorithm.

To create a key using this component, start by setting the required properties:

Optionally, specify the Algorithm variant, KeyLength in bytes, number of Iterations, degree of Parallelism and MemoryCost in kilobytes.

After calling the CreateKey method, the Key will be populated with the derived key.

Note: By default, the component uses the following values which are recommended by RFC 9106: Argon2id variant with 3 iterations, 4 degrees of parallelism, 64 MB of RAM, and 32 byte key length.

Create Key Example

//Create a key using Argon2 component Argon2 argon2 = new Argon2(); argon2.Password = "password"; argon2.Salt = "AAAABBBBCCCCDDDD"; //16 bytes string argon2.UseHex = true; //hex encoded key argon2.CreateKey(); Console.WriteLine(argon2.Key); //outputs the derived key, 32 bytes by default

Property List

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

AlgorithmThe variant used to derive the key.
IterationsNumber of iterations to perform.
KeyThe derived key.
KeyLengthThe desired length of the derived key (in bytes).
MemoryCostThe memory usage in kilobytes.
ParallelismThe degree of parallelism.
PasswordThe password from which a derived key is generated.
SaltThe cryptographic salt used during key creation.
UseHexWhether the key is hex encoded.

Method List

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

ConfigSets or retrieves a configuration setting.
CreateKeyDerives a key from the specified password.
ResetResets the class.

Event List

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

ErrorFired when information is available about errors during data delivery.

Config Settings

The following is a list of config settings for the class with short descriptions. Click on the links for further details.

AssociatedDataOptional associated data.
SecretOptional secret.
BuildInfoInformation about the product's build.
GUIAvailableWhether or not a message loop is available for processing events.
LicenseInfoInformation about the current license.
MaskSensitiveDataWhether sensitive data is masked in log messages.
UseDaemonThreadsWhether threads created by the class are daemon threads.
UseFIPSCompliantAPITells the class whether or not to use FIPS certified APIs.
UseInternalSecurityAPIWhether or not to use the system security libraries or an internal implementation.

Algorithm Property (Argon2 Class)

The variant used to derive the key.

Syntax

public int getAlgorithm();
public void setAlgorithm(int algorithm);

Enumerated values:
  public final static int aArgon2d = 0;
  public final static int aArgon2i = 1;
  public final static int aArgon2id = 2;

Default Value

2

Remarks

This property specifies which type of algorithm to use. Possible values are:

0 (aArgon2d) Argon2d maximizes resistance to GPU cracking attacks, but is more vulnerable to side-channel attacks.
1 (aArgon2i) Argon2i is optimized to resist side-channel attacks, but it is slower as it makes more passes over the memory to protect from tradeoff attacks.
2 (aArgon2id - Default) Argon2id is a hybrid of Argon2i and Argon2d which provides some of Argon2i's resistance to side-channel cache timing attacks and much of Argon2d's resistance to GPU cracking attacks.

Iterations Property (Argon2 Class)

Number of iterations to perform.

Syntax

public int getIterations();
public void setIterations(int iterations);

Default Value

3

Remarks

The number of iterations is used to adjust the running time independently of the memory size. Valid values are from 1 to 2^(32)-1.

Key Property (Argon2 Class)

The derived key.

Syntax

public byte[] getKey();

Default Value

""

Remarks

This property holds the derived key. After calling CreateKey this property will be populated.

This property is read-only.

KeyLength Property (Argon2 Class)

The desired length of the derived key (in bytes).

Syntax

public int getKeyLength();
public void setKeyLength(int keyLength);

Default Value

32

Remarks

This property specifies the length of the key (in bytes) which will be created when CreateKey is called. Valid values are from 4 to 2^(32)-1.

MemoryCost Property (Argon2 Class)

The memory usage in kilobytes.

Syntax

public int getMemoryCost();
public void setMemoryCost(int memoryCost);

Default Value

65536

Remarks

This property defines the memory used (in kilobytes) when calling CreateKey.

Parallelism Property (Argon2 Class)

The degree of parallelism.

Syntax

public int getParallelism();
public void setParallelism(int parallelism);

Default Value

4

Remarks

This property specifies the number of lanes used when calling CreateKey.

Password Property (Argon2 Class)

The password from which a derived key is generated.

Syntax

public byte[] getPassword();
public void setPassword(byte[] password);

Default Value

""

Remarks

This property specifies the password from which the derived key is created.

Salt Property (Argon2 Class)

The cryptographic salt used during key creation.

Syntax

public byte[] getSalt();
public void setSalt(byte[] salt);

Default Value

""

Remarks

This property specifies the salt used when CreateKey is called. The salt should be a unique value and should be at least 16 bytes in length.

UseHex Property (Argon2 Class)

Whether the key is hex encoded.

Syntax

public boolean isUseHex();
public void setUseHex(boolean useHex);

Default Value

False

Remarks

This property specifies whether the created Key is hex encoded when calling CreateKey. The default value is false.

Config Method (Argon2 Class)

Sets or retrieves a configuration setting.

Syntax

public String config(String configurationString);

Remarks

Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

CreateKey Method (Argon2 Class)

Derives a key from the specified password.

Syntax

public void createKey();

Remarks

This method derives a key from the specified password using Argon2.

The following properties are applicable when calling this method:

This method populates the Key property with the created (derived) key.

Create Key Example

//Create a key using Argon2 component Argon2 argon2 = new Argon2(); argon2.Password = "password"; argon2.Salt = "AAAABBBBCCCCDDDD"; //16 bytes string argon2.UseHex = true; //hex encoded key argon2.CreateKey(); Console.WriteLine(argon2.Key); //outputs the derived key, 32 bytes by default

Reset Method (Argon2 Class)

Resets the class.

Syntax

public void reset();

Remarks

When called, the class will reset all of its properties to their default values.

Error Event (Argon2 Class)

Fired when information is available about errors during data delivery.

Syntax

public class DefaultArgon2EventListener implements Argon2EventListener {
  ...
  public void error(Argon2ErrorEvent e) {}
  ...
}

public class Argon2ErrorEvent {
  public int errorCode;
  public String description;
}

Remarks

The Error event is fired in case of exceptional conditions during message processing. Normally the class throws an exception.

The ErrorCode parameter contains an error code, and the Description parameter contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.

Config Settings (Argon2 Class)

The class accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

Argon2 Config Settings

AssociatedData:   Optional associated data.

The associated data parameter, which is used to input any additional data into the hash value. The data specified must be hex encoded. If used, it must have a length not greater than 2^(32)-1 bytes.

Argon2 argon2 = new Argon2(); argon2.Password = "password"; argon2.Salt = "AAAABBBBCCCCDDDD"; argon2.Config("AssociatedData=040404040404040404040404"); //hex encoded value argon2.CreateKey();

Secret:   Optional secret.

The secret parameter, which is used for keyed hashing. This allows a secret key to be input at hashing time into the value of the hash. The data specified must be hex encoded. This means that even if the salts and hashes are compromised, an attacker cannot use brute-force to find the password without the key. If used, it must have a length not greater than 2^(32)-1 bytes.

Argon2 argon2 = new Argon2(); argon2.Password = "password"; argon2.Salt = "AAAABBBBCCCCDDDD"; argon2.Config("Secret=012345012345ABCD"); //hex encoded value argon2.CreateKey();

Base Config Settings

BuildInfo:   Information about the product's build.

When queried, this setting will return a string containing information about the product's build.

GUIAvailable:   Whether or not a message loop is available for processing events.

In a GUI-based application, long-running blocking operations may cause the application to stop responding to input until the operation returns. The class will attempt to discover whether or not the application has a message loop and, if one is discovered, it will process events in that message loop during any such blocking operation.

In some non-GUI applications, an invalid message loop may be discovered that will result in errant behavior. In these cases, setting GUIAvailable to false will ensure that the class does not attempt to process external events.

LicenseInfo:   Information about the current license.

When queried, this setting will return a string containing information about the license this instance of a class is using. It will return the following information:

  • Product: The product the license is for.
  • Product Key: The key the license was generated from.
  • License Source: Where the license was found (e.g., RuntimeLicense, License File).
  • License Type: The type of license installed (e.g., Royalty Free, Single Server).
  • Last Valid Build: The last valid build number for which the license will work.
MaskSensitiveData:   Whether sensitive data is masked in log messages.

In certain circumstances it may be beneficial to mask sensitive data, like passwords, in log messages. Set this to true to mask sensitive data. The default is true.

This setting only works on these classes: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.

UseDaemonThreads:   Whether threads created by the class are daemon threads.

If set to True (default), when the class creates a thread, the thread's Daemon property will be explicitly set to True. When set to False, the class will not set the Daemon property on the created thread. The default value is True.

UseFIPSCompliantAPI:   Tells the class whether or not to use FIPS certified APIs.

When set to true, the class will utilize the underlying operating system's certified APIs. Java editions, regardless of OS, utilize Bouncy Castle Federal Information Processing Standards (FIPS), while all other Windows editions make use of Microsoft security libraries.

The Java edition requires installation of the FIPS-certified Bouncy Castle library regardless of the target operating system. This can be downloaded from https://www.bouncycastle.org/fips-java/. Only the "Provider" library is needed. The jar file should then be installed in a JRE search path.

The following classes must be imported in the application in which the component will be used:

import java.security.Security; import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

The Bouncy Castle provider must be added as a valid provider and must also be configured to operate in FIPS mode:

System.setProperty("org.bouncycastle.fips.approved_only","true"); Security.addProvider(new BouncyCastleFipsProvider());

When UseFIPSCompliantAPI is true, Secure Sockets Layer (SSL)-enabled classes can optionally be configured to use the Transport Layer Security (TLS) Bouncy Castle library. When SSLProvider is set to sslpAutomatic (default) or sslpInternal, an internal TLS implementation is used, but all cryptographic operations are offloaded to the Bouncy Castle FIPS provider to achieve FIPS-compliant operation. If SSLProvider is set to sslpPlatform, the Bouncy Castle JSSE will be used in place of the internal TLS implementation.

To enable the use of the Bouncy Castle JSSE take the following steps in addition to the steps above. Both the Bouncy Castle FIPS provider and the Bouncy Castle JSSE must be configured to use the Bouncy Castle TLS library in FIPS mode. Obtain the Bouncy Castle TLS library from https://www.bouncycastle.org/fips-java/. The jar file should then be installed in a JRE search path.

The following classes must be imported in the application in which the component will be used:

import java.security.Security; import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; //required to use BCJSSE when SSLProvider is set to sslpPlatform import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

The Bouncy Castle provider must be added as a valid provider and also must be configured to operate in FIPS mode:

System.setProperty("org.bouncycastle.fips.approved_only","true"); Security.addProvider(new BouncyCastleFipsProvider()); //required to use BCJSSE when SSLProvider is set to sslpPlatform Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS")); //optional - configure logging level of BCJSSE Logger.getLogger("org.bouncycastle.jsse").setLevel(java.util.logging.Level.OFF); //configure the class to use BCJSSE component.setSSLProvider(1); //platform component.config("UseFIPSCompliantAPI=true"); Note: TLS 1.3 support requires the Bouncy Castle TLS library version 1.0.14 or later.

FIPS mode can be enabled by setting the UseFIPSCompliantAPI configuration setting to true. This is a static setting that applies to all instances of all classes of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.

For more details, please see the FIPS 140-2 Compliance article.

Note: Enabling FIPS compliance requires a special license; please contact sales@nsoftware.com for details.

UseInternalSecurityAPI:   Whether or not to use the system security libraries or an internal implementation.

When set to false, the class will use the system security libraries by default to perform cryptographic functions where applicable.

Setting this configuration setting to true tells the class to use the internal implementation instead of using the system security libraries.

This setting is set to false by default on all platforms.

Trappable Errors (Argon2 Class)

Argon2 Errors

105   An invalid parameter was specified.
108   An invalid key size was specified.
116   Password must be set.
117   An error occurred during hash calculation.
118   An invalid algorithm was specified.