Feature Wiki

Information about planned and released features

Password Storage: Support Argon2 Hashes

1 Initial Problem

Currently ILIAS supports the following password hash functions:

  1. bcrypt (with native PHP, see: https://www.php.net/manual/en/function.password-hash.php / default password hash function in ILIAS)
  2. bcrypt (ILIAS-specific implementation of the Blowfish algorithm according to https://docu.ilias.de/goto_docu_wiki_wpage_2069_1357.html; added because the native PHP implementation did not exist at that time; only used if accounts could not be migrated during a new/successful login)
  3. md5 (only used if accounts could not be migrated during a new/successful login)

2 Conceptual Summary

PHP 7.2 and 7.3 introduced new Argon2 hash algorithms:

  1. Argon2i: Requires PHP 7.2
  2. Argon2id: Requires PHP 7.3

Therefore, we suggest implementing a new Argon2id strategy for the password service.

3 User Interface Modifications

3.1 List of Affected Views

None

3.2 User Interface Details

None

3.3 New User Interface Concepts

None

3.4 Accessibility Implications

None

4 Technical Information

  1. The size of the `passw` field in table `usr_data` MUST be increased. A PR for the user component will be provided.
  2. A hint SHOULD be added to our installation documentation, because PHP MUST be compiled with Argon2 support.

There is an existing pull/merge request for an Argon2i implementation: https://github.com/ILIAS-eLearning/ILIAS/pull/2275/files
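
The two requirements above, and the migrate-on-login behaviour described in the Initial Problem, can be seen with PHP's native password API. This is an added example, not ILIAS code: the function names and the sample password are hypothetical, and it covers only hashes created with native `password_hash()` (the legacy ILIAS-specific bcrypt and md5 hashes need their own verification paths).

```php
<?php
declare(strict_types=1);

// Added illustration; not ILIAS code. Function names are hypothetical.

/** Argon2id exists only if PHP (>= 7.3) was compiled with Argon2 support. */
function argon2idAvailable(): bool
{
    return defined('PASSWORD_ARGON2ID');
}

/**
 * Verify a login against the stored hash and, on success, re-hash with the
 * target algorithm if the stored hash uses an older one (here: bcrypt).
 * Returns [bool $ok, string $hashToStore].
 */
function verifyAndMigrate(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, $storedHash];
    }
    // Fall back to bcrypt when the PHP build lacks Argon2 support.
    $algo = argon2idAvailable() ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
    if (password_needs_rehash($storedHash, $algo)) {
        $storedHash = password_hash($password, $algo);
    }
    return [true, $storedHash];
}

// Constructed sample: an account whose hash was created with native bcrypt.
$legacy = password_hash('correct horse', PASSWORD_BCRYPT);
[$ok, $new] = verifyAndMigrate('correct horse', $legacy);

printf("login ok:      %s\n", $ok ? 'yes' : 'no');
printf("bcrypt length: %d\n", strlen($legacy)); // bcrypt hashes are 60 characters
printf("stored length: %d (%s)\n", strlen($new), password_get_info($new)['algoName']);

// A wrong password neither verifies nor triggers a re-hash.
[$bad, $same] = verifyAndMigrate('wrong', $new);
var_dump($bad, $same === $new);
```

On a build with Argon2 support the stored hash comes out longer than bcrypt's 60 characters, which is why a column sized for bcrypt has to grow before Argon2id hashes are written to it.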

5 Privacy Information

None

6 Security Implications

There are only positive implications, because password hashing will be state of the art.

7 Contact

8 Funding

If you are interested in funding this feature, please add your name and institution to this list.

9 Discussion

JourFixe, ILIAS [jourfixe], 11 MAY 2020: We highly appreciate this suggestion and schedule the feature for ILIAS 7.

JourFixe, ILIAS [jourfixe], 03 APR 2023: We highly appreciate this suggestion and re-schedule the feature for ILIAS 9.

10 Implementation

Implemented as described above.

Test Cases

Test cases completed at 2023-04-17 by Jansen, Michael [mjansen]

  • https://github.com/ILIAS-eLearning/ILIAS/blob/trunk/Services/Password/test/encoders/ilArgon2IdPasswordEncoderTest.php
  • https://github.com/ILIAS-eLearning/ILIAS/blob/trunk/Services/User/test/ilObjUserPasswordTest.php

Approval

Approved at 17 APR 2023 by Samoila, Oliver [oliver.samoila].

Last edited: 17. Apr 2023, 12:04, Samoila, Oliver [oliver.samoila]