[FEATURE]: Add Argon2 to Cryptography Registry #756

@beatquantum

Problem Statement

Argon2 (RFC 9106 standard, winner of the 2015 Password Hashing Competition)
is not currently in the CycloneDX Cryptography Registry despite widespread
adoption and OWASP recommendation.

Proposed Pattern

Argon2(id|i|d)[-{memoryMiB}][-{iterations}][-{parallelism}]

Valid examples:

  • Argon2id (variant only)
  • Argon2id-15-1-4 (RFC 9106 interactive defaults)
  • Argon2id-64-2-1 (medium security)
  • Argon2id-256-4-2 (high security)

Illustration of Compatibility (json)

{
  "type": "cryptographic-asset",
  "name": "Argon2id-64-2-1",
  "cryptoProperties": {
    "assetType": "algorithm",
    "algorithmProperties": {
      "primitive": "password-hashing",
      "algorithmFamily": "Argon2",
      "parameterSetIdentifier": "id-64-2-1"
    }
  }
}

Justification

  1. Parametric algorithms are already in the registry
  2. Parameter variation critically impacts security
  3. Enables policy enforcement and CBOM risk assessment
  4. RFC 9106 is the authoritative standard

Standards Reference

RFC 9106: Argon2 Memory-Hard Function for Password Hashing
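
The naming pattern and the policy-enforcement point above, as an added example that is not part of the issue or of any CycloneDX tooling: a Python parser for the proposed names and a check of a CBOM component against minimum parameters. The function names, the positional reading of the optional fields, and the policy floors passed in are assumptions.

```python
import re

# Names follow the pattern proposed in the issue:
#   Argon2(id|i|d)[-{memoryMiB}][-{iterations}][-{parallelism}]
# Assumption: the optional numeric fields are positional, so a single number
# is always memoryMiB. "id" precedes "i" so the alternation tries it first.
NAME_RE = re.compile(r"Argon2(id|i|d)(?:-([1-9]\d*))?(?:-([1-9]\d*))?(?:-([1-9]\d*))?")
FIELDS = ("memoryMiB", "iterations", "parallelism")


def parse_argon2_name(name):
    """Split a registry-style name into variant and integer parameters."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not an Argon2 registry name: {name!r}")
    params = {f: int(v) if v else None for f, v in zip(FIELDS, m.groups()[1:])}
    return {"variant": m.group(1), **params}


def policy_violations(component, minimums, allowed_variants=("id",)):
    """Return reasons a CBOM component fails a local password-hashing policy."""
    # `minimums` maps field names to floors chosen by the policy owner
    # (hypothetical values, not taken from the issue or from RFC 9106).
    props = component["cryptoProperties"]["algorithmProperties"]
    if props.get("algorithmFamily") != "Argon2":
        return []  # out of scope for this check
    try:
        parsed = parse_argon2_name(component["name"])
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "Argon2" + (props.get("parameterSetIdentifier") or "") != component["name"]:
        problems.append("parameterSetIdentifier does not match name")
    if parsed["variant"] not in allowed_variants:
        problems.append(f"variant Argon2{parsed['variant']} not allowed")
    for field, floor in minimums.items():
        value = parsed[field]
        if value is None:
            problems.append(f"{field} not declared, cannot assess")
        elif value < floor:
            problems.append(f"{field}={value} below minimum {floor}")
    return problems


# Constructed sample: the component from the issue's JSON illustration.
SAMPLE = {"type": "cryptographic-asset", "name": "Argon2id-64-2-1",
          "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
              "primitive": "password-hashing", "algorithmFamily": "Argon2",
              "parameterSetIdentifier": "id-64-2-1"}}}
```

A variant-only name such as `Argon2id` parses cleanly but is reported as not assessable for every field the policy sets a floor on.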
