ChaCha12-BLAKE3: Secure, Simple and Fast authenticated and committing encryption for any CPU (kerkour.com)
from cypherpunks@lemmy.ml to cryptography@lemmy.ml on 19 Aug 15:48
https://lemmy.ml/post/34916051

#cryptography


davel@lemmy.ml on 19 Aug 17:01

I’m pretty ignorant of encryption algorithms. This article doesn’t seem to mention side-channel or GPU cracking attack resistance, which Argon2 addresses. KeepassXC’s default right now is ChaCha20-Argon2id.

Argon2id is a hybrid version. It follows the Argon2i approach for the first half pass over memory and the Argon2d approach for subsequent passes. RFC 9106 recommends using Argon2id if you do not know the difference between the types or you consider side-channel attacks to be a viable threat.

cypherpunks@lemmy.ml on 19 Aug 17:31

I’m pretty ignorant of encryption algorithms. This article doesn’t seem to mention side-channel or GPU cracking attack resistance, which Argon2 addresses. KeepassXC’s default right now is ChaCha20-Argon2id.

The key space of a high-entropy 256-bit key is not brute-forceable. Generating a 256-bit key from a lower-entropy string like a passphrase is where you need to be concerned about resisting brute force attacks, but that is orthogonal to the question of how to do encryption using that key.

When KeepassXC says it uses “ChaCha20-Argon2id” I assume this actually means that they are using ChaCha20-Poly1305 with a key derived from the user’s password by Argon2id.

The ChaCha part is the symmetric encryption, while the Poly1305 is for the MAC.

This proposal is, for performance reasons, to replace ChaCha20 with ChaCha12 (which is believed to still provide an adequate amount of security) and to replace the Poly1305 MAC with BLAKE3. The performance gains aren’t particularly relevant for applications like KeepassXC which only needs to encrypt a small amount of data at a time, but as you can see from their benchmarks they’re substantial for applications like TLS where a lot of data needs to be encrypted.

Part of the reason they don’t mention Argon2 here is because in the sort of setting they’re designing for, you don’t typically derive keys from lower-entropy strings like passphrases. But, if you did want to key ChaCha12-BLAKE3 using a passphrase, it would still be a good idea to derive the key using Argon2id!
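The layering the reply above describes, as an added example that is not part of the thread or of the linked article: a passphrase goes through a memory-hard KDF to get a 256-bit master key, the master key is split into an encryption subkey and a MAC subkey, the encryption subkey drives the ChaCha stream cipher, and a keyed hash over the ciphertext provides the MAC. The ChaCha core is written from RFC 8439 with the round count as a parameter, so the same code produces ChaCha20 (rounds=20) or ChaCha12 (rounds=12). Two stand-ins are assumptions because neither primitive is in the Python standard library: hashlib.scrypt stands in for Argon2id, and keyed BLAKE2b stands in for BLAKE3. The encrypt-then-MAC layout, the subkey labels and the sample inputs are this example's own choices, not the construction from the article, so do not read the exact tag format here as what the article specifies.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    # ChaCha quarter-round from RFC 8439 section 2.1, applied in place.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha_block(key: bytes, counter: int, nonce: bytes, rounds: int = 20) -> bytes:
    """One 64-byte keystream block; rounds=20 is ChaCha20, rounds=12 is ChaCha12."""
    if len(key) != 32 or len(nonce) != 12 or rounds % 2:
        raise ValueError("need a 32-byte key, a 12-byte nonce and an even round count")
    state = list(struct.unpack("<4I", b"expand 32-byte k"))   # the constant words
    state += struct.unpack("<8I", key)                        # 8 key words
    state += [counter & MASK32]                               # 32-bit block counter
    state += struct.unpack("<3I", nonce)                      # 3 nonce words
    w = state[:]
    for _ in range(rounds // 2):   # one iteration = a column round plus a diagonal round
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK32 for i in range(16)))


def chacha_xor(key: bytes, nonce: bytes, data: bytes, rounds: int) -> bytes:
    """Stream-cipher mode: XOR data with successive keystream blocks, counter from 0."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha_block(key, i // 64, nonce, rounds)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def derive_master_key(passphrase: bytes, salt: bytes) -> bytes:
    # Assumption: scrypt stands in for Argon2id (not in the standard library).
    # The point is the same: a memory-hard KDF turns a low-entropy passphrase
    # into a 256-bit key that is then used like any other random key.
    return hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def _subkey(master: bytes, label: bytes) -> bytes:
    # Domain-separated subkeys via keyed BLAKE2b; assumption: stand-in for BLAKE3 keyed mode.
    return hashlib.blake2b(label, key=master, digest_size=32).digest()


def _tag(mac_key: bytes, nonce: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    # Keyed hash over length-prefixed AAD, nonce and ciphertext (encrypt-then-MAC).
    h = hashlib.blake2b(key=mac_key, digest_size=32)
    h.update(struct.pack("<Q", len(aad)) + aad + nonce + ciphertext)
    return h.digest()


def seal(master: bytes, nonce: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt with ChaCha12 under an encryption subkey, append a 32-byte keyed-hash tag."""
    ct = chacha_xor(_subkey(master, b"encryption key"), nonce, plaintext, rounds=12)
    return ct + _tag(_subkey(master, b"mac key"), nonce, aad, ct)


def open_(master: bytes, nonce: bytes, sealed: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting; raise ValueError on any mismatch."""
    if len(sealed) < 32:
        raise ValueError("ciphertext too short to carry a tag")
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, _tag(_subkey(master, b"mac key"), nonce, aad, ct)):
        raise ValueError("authentication failed")
    return chacha_xor(_subkey(master, b"encryption key"), nonce, ct, rounds=12)


if __name__ == "__main__":
    # Constructed sample inputs; the salt and nonce would be random per database/message.
    master = derive_master_key(b"correct horse battery staple", b"constructed-salt")
    nonce = bytes(12)
    boxed = seal(master, nonce, b"attack at dawn", aad=b"header")
    print(open_(master, nonce, boxed, aad=b"header"))
```

The ChaCha20 path can be checked against the block-function test vector in RFC 8439 section 2.3.2 (key 00..1f, nonce 000000090000004a00000000, counter 1), whose serialized block begins 10f1e7e4d13b5915500fdd1fa32071c4; the ChaCha12 path is the same core with eight fewer rounds, which is where the article's speed gain comes from. Note the nonce must never repeat under one key with a stream cipher like this, and a real implementation would use the actual primitives rather than the stand-ins assumed here.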