Home

Awesome

Argon2 Binding for the JVM Build & test

This is a JVM binding for Argon2.

"Being a binding" means that it uses JNA to call a native C library. The advantage of this approach is that this uses the original implementation of the Argon2 authors and possibly a performance advantage. The drawback is that the native library must either be available on your system or must be included in argon2-jvm.

If you are using an OS or an architecture which is not that common (e.g. argon2-jvm has no support for BSD), this library will not work for you, if your system has no native installation of the Argon2 library.

Spring Security Crypto has a Argon2PasswordEncoder which doesn't have any dependencies on native C libraries, as it uses Bouncy Castle which implements the Argon2 algorithm in pure Java. And don't let the name "Spring Security Crypto" scare you, it has no dependency on Spring or Spring Security. If you don't need (for whatever reason) the native Argon2 library, I would suggest that you look at the Argon2PasswordEncoder from Spring Security Crypto.

I have prepared a small showcase project which demonstrates the use of Argon2 with Spring Security Crypto.

Maven

Without pre-compiled Argon2 libraries (recommended, install argon2 via your package manager):

<dependency>
    <groupId>de.mkammerer</groupId>
    <artifactId>argon2-jvm-nolibs</artifactId>
    <version>2.11</version>
</dependency>

With pre-compiled Argon2 libraries:

<dependency>
    <groupId>de.mkammerer</groupId>
    <artifactId>argon2-jvm</artifactId>
    <version>2.11</version>
</dependency>

Gradle

Without pre-compiled Argon2 libraries (recommended, install argon2 via your package manager):

implementation 'de.mkammerer:argon2-jvm-nolibs:2.11'

With pre-compiled Argon2 libraries:

implementation 'de.mkammerer:argon2-jvm:2.11'

Usage

This binding needs a compiled Argon2 library. It is recommended to install argon2 via your package manager. If you can't do that, use argon2-jvm with the included argon2 binary libraries or compile argon2 yourself. The following operating systems and architectures are supported in argon2-jvm:

See tested distributions for details on which distributions this has been tested.

import de.mkammerer.argon2.Argon2;
import de.mkammerer.argon2.Argon2Factory;

// Create instance
Argon2 argon2 = Argon2Factory.create();

// Read password from user
char[] password = readPasswordFromUser();

try {
    // Hash password
    String hash = argon2.hash(10, 65536, 1, password);

    // Verify password
    if (argon2.verify(hash, password)) {
        // Hash matches password
    } else {
        // Hash doesn't match password
    }
} finally {
    // Wipe confidential data
    argon2.wipeArray(password);
}

Recommended parameters

The recommended parameters for the hash call above can be found in the whitepaper, section 9.

You can use the method Argon2Helper.findIterations to find the optimal number of iterations on your system:

Argon2 argon2 = Argon2Factory.create();
// 1000 = The hash call must take at most 1000 ms
// 65536 = Memory cost
// 1 = parallelism
int iterations = Argon2Helper.findIterations(argon2, 1000, 65536, 1);

System.out.println("Optimal number of iterations: " + iterations);

Compile Argon2 yourself

If you prefer to install/compile argon2 on your own you should argon2-jvm-nolibs instead of argon2-jvm and compile argon2 yourself. It's not that hard :)

If you need help to build argon2, have a look at this documentation.

Technical details

This library uses JNA to communicate with the Argon2 C library.

Building it yourself

Run ./gradlew clean build to build and test the software.

License

Licensed under LGPL v3.

Maintainer

Moritz Kammerer (@phXql)

Contributing

See contributing guidelines.

Contributors

See contributors page.