We currently offer to store local users' passwords (in /etc/master.passwd) using various encodings, including MD5, SHA1 and Blowfish. None of these is state of the art from a modern cryptography point of view.

The goal of this project is to extend the existing mechanism (see passwd.conf(5)) with a modern algorithm: Argon2, the winner of the Password Hashing Competition.

This means integrating the Argon2 reference implementation into the NetBSD source tree and library build, in a general form that allows its use for other purposes as well (as an HMAC-style keyed hash function). Of course it has to build on all architectures. An optional step, to be done later in the project, is to use native crypto instructions on various architectures to enhance performance.

After making this function available, the main step is to enhance the passwd configuration functions, pwhash(1), passwd(1), passwd(5) and everything around them where necessary, to allow storing local users' passwords in the new format.
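Once the new format can be stored, an administrator will want to know which accounts still carry one of the older encodings. The following is an added example, not NetBSD code: it classifies each entry of master.passwd-format text by the crypt(3) prefix of its password field. The sample entries and the function names are constructed for illustration.

```python
# Added example (not NetBSD code): list accounts in master.passwd-format text
# whose password field is not an Argon2 hash, judged by its crypt(3) prefix.

PREFIXES = [
    ("$argon2id$", "argon2id"), ("$argon2i$", "argon2i"), ("$argon2d$", "argon2d"),
    ("$sha1$", "sha1"), ("$2a$", "blowfish"), ("$1$", "md5"),
]
LOCK_MARK = "*LOCKED*"  # marker NetBSD usermod -C yes prepends to the field

def scheme_of(field):
    """Return (scheme, locked) for one password field."""
    locked = field.startswith(LOCK_MARK)
    if locked:
        field = field[len(LOCK_MARK):]
    if field == "":
        return ("none", locked)        # no hash stored
    if field.startswith("*"):
        return ("none", True)          # "*": no valid hash, login impossible
    for prefix, name in PREFIXES:
        if field.startswith(prefix):
            return (name, locked)
    return ("des-or-unknown", locked)  # traditional DES has no "$" prefix

def audit(text):
    """Return [(user, scheme, locked)] for entries not hashed with Argon2."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 10:           # master.passwd(5) entries have ten fields
            continue
        scheme, locked = scheme_of(parts[1])
        if scheme != "none" and not scheme.startswith("argon2"):
            findings.append((parts[0], scheme, locked))
    return findings

# Constructed sample entries; the hash bodies are placeholders, not real hashes.
SAMPLE = """\
root:$argon2id$v=19$m=4096,t=3,p=1$Y29uc3RydWN0ZWQ$Y29uc3RydWN0ZWRoYXNo:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
alice:$sha1$24680$constructed$PLACEHOLDER:1000:100::0:0:Alice:/home/alice:/bin/sh
bob:$2a$10$PLACEHOLDERPLACEHOLDER:1001:100::0:0:Bob:/home/bob:/bin/sh
carol:$1$constructed$PLACEHOLDER:1002:100::0:0:Carol:/home/carol:/bin/sh
dave:*LOCKED*$1$constructed$PLACEHOLDER:1003:100::0:0:Dave:/home/dave:/bin/sh
"""

if __name__ == "__main__":
    for user, scheme, locked in audit(SAMPLE):
        print(f"{user}: {scheme}{' (locked)' if locked else ''}")
```

An existing hash cannot be converted without the cleartext, so each account in this list moves to the new format only when its password is next set.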
