[PS-2365] Kdf Configuration Options for Argon2 (#4578)

* Implement argon2 config

* Remove argon2 webassembly warning

* Replace magic numbers by enum

* Implement kdf configuration

* Update UI according to design feedback

* Further updates to follow design feedback

* Add oxford comma in argon2 description

* Fix typos in argon2 descriptions

* move key creation into promise with API call

* change casing on PBKDF2

* general improvements

* kdf config on set pin component

* SHA-256 hash argon2 salt

* Change argon2 defaults

* Change argon2 salt hash to cryptoFunctionService

* Fix isLowKdfIteration check

---------

Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>
Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com>

apps/cli/src/commands/login.command.ts

@@ -410,7 +410,7 @@ export class LoginCommand {
       this.policyService.masterPasswordPolicyOptions$()
     );
     const kdf = await this.stateService.getKdfType();
-    const kdfIterations = await this.stateService.getKdfIterations();
+    const kdfConfig = await this.stateService.getKdfConfig();
 
     if (
       enforcedPolicyOptions != null &&
@@ -431,7 +431,7 @@ export class LoginCommand {
         masterPassword,
         this.email.trim().toLowerCase(),
         kdf,
-        kdfIterations
+        kdfConfig
       );
       const newPasswordHash = await this.cryptoService.hashPassword(masterPassword, newKey);
 

apps/cli/src/commands/unlock.command.ts

@@ -44,8 +44,8 @@ export class UnlockCommand {
     await this.setNewSessionKey();
     const email = await this.stateService.getEmail();
     const kdf = await this.stateService.getKdfType();
-    const kdfIterations = await this.stateService.getKdfIterations();
+    const kdfConfig = await this.stateService.getKdfConfig();
-    const key = await this.cryptoService.makeKey(password, email, kdf, kdfIterations);
+    const key = await this.cryptoService.makeKey(password, email, kdf, kdfConfig);
     const storedKeyHash = await this.cryptoService.getKeyHash();
 
     let passwordValid = false;

apps/web/src/app/organizations/members/components/reset-password.component.ts

@@ -20,6 +20,7 @@ import { PasswordGenerationService } from "@bitwarden/common/abstractions/passwo
 import { PlatformUtilsService } from "@bitwarden/common/abstractions/platformUtils.service";
 import { PolicyService } from "@bitwarden/common/abstractions/policy/policy.service.abstraction";
 import { EncString } from "@bitwarden/common/models/domain/enc-string";
+import { KdfConfig } from "@bitwarden/common/models/domain/kdf-config";
 import { MasterPasswordPolicyOptions } from "@bitwarden/common/models/domain/master-password-policy-options";
 import { SymmetricCryptoKey } from "@bitwarden/common/models/domain/symmetric-crypto-key";
 
@@ -156,6 +157,8 @@ export class ResetPasswordComponent implements OnInit, OnDestroy {
 
           const kdfType = response.kdf;
           const kdfIterations = response.kdfIterations;
+          const kdfMemory = response.kdfMemory;
+          const kdfParallelism = response.kdfParallelism;
           const resetPasswordKey = response.resetPasswordKey;
           const encryptedPrivateKey = response.encryptedPrivateKey;
 
@@ -175,7 +178,7 @@ export class ResetPasswordComponent implements OnInit, OnDestroy {
             this.newPassword,
             this.email.trim().toLowerCase(),
             kdfType,
-            kdfIterations
+            new KdfConfig(kdfIterations, kdfMemory, kdfParallelism)
           );
           const newPasswordHash = await this.cryptoService.hashPassword(this.newPassword, newKey);
 

apps/web/src/app/settings/change-email.component.ts

@@ -66,12 +66,12 @@ export class ChangeEmailComponent implements OnInit {
       request.newEmail = this.newEmail;
       request.masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, null);
       const kdf = await this.stateService.getKdfType();
-      const kdfIterations = await this.stateService.getKdfIterations();
+      const kdfConfig = await this.stateService.getKdfConfig();
       const newKey = await this.cryptoService.makeKey(
         this.masterPassword,
         this.newEmail,
         kdf,
-        kdfIterations
+        kdfConfig
       );
       request.newMasterPasswordHash = await this.cryptoService.hashPassword(
         this.masterPassword,

apps/web/src/app/settings/change-kdf.component.html

@@ -32,43 +32,94 @@
         >
           <i class="bwi bwi-question-circle" aria-hidden="true"></i>
         </a>
-        <select id="kdf" name="Kdf" [(ngModel)]="kdf" class="form-control" required>
+        <select
+          id="kdf"
+          name="Kdf"
+          [(ngModel)]="kdf"
+          (ngModelChange)="onChangeKdf($event)"
+          class="form-control mb-3"
+          required
+        >
           <option *ngFor="let o of kdfOptions" [ngValue]="o.value">{{ o.name }}</option>
         </select>
+        <ng-container *ngIf="kdf == kdfType.Argon2id">
+          <label for="kdfMemory">{{ "kdfMemory" | i18n }}</label>
+          <input
+            id="kdfMemory"
+            type="number"
+            min="16"
+            max="1024"
+            name="Memory"
+            class="form-control mb-3"
+            [(ngModel)]="kdfConfig.memory"
+            required
+          />
+        </ng-container>
       </div>
     </div>
     <div class="col-6">
       <div class="form-group mb-0">
-        <label for="kdfIterations">{{ "kdfIterations" | i18n }}</label>
+        <ng-container *ngIf="kdf == kdfType.PBKDF2_SHA256">
-        <a
+          <label for="kdfIterations">{{ "kdfIterations" | i18n }}</label>
-          class="ml-auto"
+          <a
-          href="https://bitwarden.com/help/what-encryption-is-used/#pbkdf2"
+            class="ml-auto"
-          target="_blank"
+            href="https://bitwarden.com/help/kdf-algorithms"
-          rel="noopener"
+            target="_blank"
-          appA11yTitle="{{ 'learnMore' | i18n }}"
+            rel="noopener"
-        >
+            appA11yTitle="{{ 'learnMore' | i18n }}"
-          <i class="bwi bwi-question-circle" aria-hidden="true"></i>
+          >
-        </a>
+            <i class="bwi bwi-question-circle" aria-hidden="true"></i>
-        <input
+          </a>
-          id="kdfIterations"
+          <input
-          type="number"
+            id="kdfIterations"
-          min="5000"
+            type="number"
-          max="2000000"
+            min="5000"
-          name="KdfIterations"
+            max="2000000"
-          class="form-control"
+            name="KdfIterations"
-          [(ngModel)]="kdfIterations"
+            class="form-control"
-          required
+            [(ngModel)]="kdfConfig.iterations"
-        />
+            required
+          />
+        </ng-container>
+        <ng-container *ngIf="kdf == kdfType.Argon2id">
+          <label for="kdfIterations">{{ "kdfIterations" | i18n }}</label>
+          <input
+            id="iterations"
+            type="number"
+            min="1"
+            max="1024"
+            name="Iterations"
+            class="form-control mb-3"
+            [(ngModel)]="kdfConfig.iterations"
+            required
+          />
+          <label for="kdfParallelism">{{ "kdfParallelism" | i18n }}</label>
+          <input
+            id="kdfParallelism"
+            type="number"
+            min="1"
+            max="16"
+            name="Parallelism"
+            class="form-control"
+            [(ngModel)]="kdfConfig.parallelism"
+            required
+          />
+        </ng-container>
       </div>
     </div>
     <div class="col-12">
-      <div class="form-group">
+      <ng-container *ngIf="kdf == kdfType.PBKDF2_SHA256">
-        <div class="small form-text text-muted">
+        <p class="small form-text text-muted">
-          <p>{{ "kdfIterationsDesc" | i18n: (recommendedKdfIterations | number) }}</p>
+          {{ "kdfIterationsDesc" | i18n: (recommendedPbkdf2Iterations | number) }}
-          <strong>{{ "warning" | i18n }}</strong
+        </p>
-          >: {{ "kdfIterationsWarning" | i18n: (50000 | number) }}
+        <bit-callout type="warning">
-        </div>
+          {{ "kdfIterationsWarning" | i18n: (100000 | number) }}
-      </div>
+        </bit-callout>
+      </ng-container>
+      <ng-container *ngIf="kdf == kdfType.Argon2id">
+        <p class="small form-text text-muted">{{ "argon2Desc" | i18n }}</p>
+        <bit-callout type="warning"> {{ "argon2Warning" | i18n }}</bit-callout>
+      </ng-container>
     </div>
   </div>
   <button type="submit" buttonType="primary" bitButton [loading]="form.loading">

apps/web/src/app/settings/change-kdf.component.ts

@@ -7,7 +7,15 @@ import { LogService } from "@bitwarden/common/abstractions/log.service";
 import { MessagingService } from "@bitwarden/common/abstractions/messaging.service";
 import { PlatformUtilsService } from "@bitwarden/common/abstractions/platformUtils.service";
 import { StateService } from "@bitwarden/common/abstractions/state.service";
-import { DEFAULT_PBKDF2_ITERATIONS, KdfType } from "@bitwarden/common/enums/kdfType";
+import {
+  DEFAULT_KDF_CONFIG,
+  DEFAULT_PBKDF2_ITERATIONS,
+  DEFAULT_ARGON2_ITERATIONS,
+  DEFAULT_ARGON2_MEMORY,
+  DEFAULT_ARGON2_PARALLELISM,
+  KdfType,
+} from "@bitwarden/common/enums/kdfType";
+import { KdfConfig } from "@bitwarden/common/models/domain/kdf-config";
 import { KdfRequest } from "@bitwarden/common/models/request/kdf.request";
 
 @Component({
@@ -16,11 +24,12 @@ import { KdfRequest } from "@bitwarden/common/models/request/kdf.request";
 })
 export class ChangeKdfComponent implements OnInit {
   masterPassword: string;
-  kdfIterations: number;
   kdf = KdfType.PBKDF2_SHA256;
+  kdfConfig: KdfConfig = DEFAULT_KDF_CONFIG;
+  kdfType = KdfType;
   kdfOptions: any[] = [];
   formPromise: Promise<any>;
-  recommendedKdfIterations = DEFAULT_PBKDF2_ITERATIONS;
+  recommendedPbkdf2Iterations = DEFAULT_PBKDF2_ITERATIONS;
 
   constructor(
     private apiService: ApiService,
@@ -31,12 +40,15 @@ export class ChangeKdfComponent implements OnInit {
     private logService: LogService,
     private stateService: StateService
   ) {
-    this.kdfOptions = [{ name: "PBKDF2 SHA-256", value: KdfType.PBKDF2_SHA256 }];
+    this.kdfOptions = [
+      { name: "PBKDF2 SHA-256", value: KdfType.PBKDF2_SHA256 },
+      { name: "Argon2id", value: KdfType.Argon2id },
+    ];
   }
 
   async ngOnInit() {
     this.kdf = await this.stateService.getKdfType();
-    this.kdfIterations = await this.stateService.getKdfIterations();
+    this.kdfConfig = await this.stateService.getKdfConfig();
   }
 
   async submit() {
@@ -46,25 +58,8 @@ export class ChangeKdfComponent implements OnInit {
       return;
     }
 
-    const request = new KdfRequest();
-    request.kdf = this.kdf;
-    request.kdfIterations = this.kdfIterations;
-    request.masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, null);
-    const email = await this.stateService.getEmail();
-    const newKey = await this.cryptoService.makeKey(
-      this.masterPassword,
-      email,
-      this.kdf,
-      this.kdfIterations
-    );
-    request.newMasterPasswordHash = await this.cryptoService.hashPassword(
-      this.masterPassword,
-      newKey
-    );
-    const newEncKey = await this.cryptoService.remakeEncKey(newKey);
-    request.key = newEncKey[1].encryptedString;
     try {
-      this.formPromise = this.apiService.postAccountKdf(request);
+      this.formPromise = this.makeKeyAndSaveAsync();
       await this.formPromise;
       this.platformUtilsService.showToast(
         "success",
@@ -76,4 +71,42 @@ export class ChangeKdfComponent implements OnInit {
       this.logService.error(e);
     }
   }
+
+  async onChangeKdf(newValue: KdfType) {
+    if (newValue === KdfType.PBKDF2_SHA256) {
+      this.kdfConfig = new KdfConfig(DEFAULT_PBKDF2_ITERATIONS);
+    } else if (newValue === KdfType.Argon2id) {
+      this.kdfConfig = new KdfConfig(
+        DEFAULT_ARGON2_ITERATIONS,
+        DEFAULT_ARGON2_MEMORY,
+        DEFAULT_ARGON2_PARALLELISM
+      );
+    } else {
+      throw new Error("Unknown KDF type.");
+    }
+  }
+
+  private async makeKeyAndSaveAsync() {
+    const request = new KdfRequest();
+    request.kdf = this.kdf;
+    request.kdfIterations = this.kdfConfig.iterations;
+    request.kdfMemory = this.kdfConfig.memory;
+    request.kdfParallelism = this.kdfConfig.parallelism;
+    request.masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, null);
+    const email = await this.stateService.getEmail();
+    const newKey = await this.cryptoService.makeKey(
+      this.masterPassword,
+      email,
+      this.kdf,
+      this.kdfConfig
+    );
+    request.newMasterPasswordHash = await this.cryptoService.hashPassword(
+      this.masterPassword,
+      newKey
+    );
+    const newEncKey = await this.cryptoService.remakeEncKey(newKey);
+    request.key = newEncKey[1].encryptedString;
+
+    await this.apiService.postAccountKdf(request);
+  }
 }

apps/web/src/app/settings/emergency-access-takeover.component.ts

@@ -13,6 +13,7 @@ import { PolicyService } from "@bitwarden/common/abstractions/policy/policy.serv
 import { StateService } from "@bitwarden/common/abstractions/state.service";
 import { KdfType } from "@bitwarden/common/enums/kdfType";
 import { PolicyData } from "@bitwarden/common/models/data/policy.data";
+import { KdfConfig } from "@bitwarden/common/models/domain/kdf-config";
 import { Policy } from "@bitwarden/common/models/domain/policy";
 import { SymmetricCryptoKey } from "@bitwarden/common/models/domain/symmetric-crypto-key";
 import { EmergencyAccessPasswordRequest } from "@bitwarden/common/models/request/emergency-access-password.request";
@@ -102,7 +103,11 @@ export class EmergencyAccessTakeoverComponent
       this.masterPassword,
       this.email,
       takeoverResponse.kdf,
-      takeoverResponse.kdfIterations
+      new KdfConfig(
+        takeoverResponse.kdfIterations,
+        takeoverResponse.kdfMemory,
+        takeoverResponse.kdfParallelism
+      )
     );
     const masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, key);
 

apps/web/src/app/vault/vault.component.ts

@@ -23,7 +23,7 @@ import { PlatformUtilsService } from "@bitwarden/common/abstractions/platformUti
 import { StateService } from "@bitwarden/common/abstractions/state.service";
 import { SyncService } from "@bitwarden/common/abstractions/sync/sync.service.abstraction";
 import { TokenService } from "@bitwarden/common/abstractions/token.service";
-import { DEFAULT_PBKDF2_ITERATIONS } from "@bitwarden/common/enums/kdfType";
+import { KdfType, DEFAULT_PBKDF2_ITERATIONS } from "@bitwarden/common/enums/kdfType";
 import { ServiceUtils } from "@bitwarden/common/misc/serviceUtils";
 import { TreeNode } from "@bitwarden/common/models/domain/tree-node";
 import { CipherView } from "@bitwarden/common/models/view/cipher.view";
@@ -393,9 +393,9 @@ export class VaultComponent implements OnInit, OnDestroy {
   }
 
   async isLowKdfIteration() {
-    const kdfIterations = await this.stateService.getKdfIterations();
+    const kdfType = await this.stateService.getKdfType();
-
+    const kdfOptions = await this.stateService.getKdfConfig();
-    return kdfIterations < DEFAULT_PBKDF2_ITERATIONS;
+    return kdfType === KdfType.PBKDF2_SHA256 && kdfOptions.iterations < DEFAULT_PBKDF2_ITERATIONS;
   }
 
   get breadcrumbs(): TreeNode<CollectionFilter>[] {

apps/web/src/locales/en/messages.json

@@ -1150,7 +1150,7 @@
     }
   },
   "kdfIterationsWarning": {
-    "message": "Setting your KDF iterations too high could result in poor performance when logging into (and unlocking) Bitwarden on devices with slower CPUs. We recommend that you increase the value in increments of $INCREMENT$ and then test all of your devices.",
+    "message": "Setting your KDF iterations too high could result in poor performance when logging into (and unlocking) Bitwarden on slower or older devices. We recommend that you increase the value in increments of $INCREMENT$ and then test all of your devices.",
     "placeholders": {
       "increment": {
         "content": "$1",
@@ -1158,6 +1158,19 @@
       }
     }
   },
+  "kdfMemory": {
+    "message": "KDF memory (MB)",
+    "description": "Memory refers to computer memory (RAM). MB is short for megabytes."
+  },
+  "argon2Warning": {
+    "message": "Setting your KDF iterations, memory, and parallelism too high could result in poor performance when logging into (and unlocking) Bitwarden on slower or older devices. We recommend changing these individually in small increments and then test all of your devices."
+  },
+  "kdfParallelism": {
+    "message": "KDF parallelism"
+  },
+  "argon2Desc": {
+    "message": "Higher KDF iterations, memory, and parallelism can help protect your master password from being brute forced by an attacker."
+  },
   "changeKdf": {
     "message": "Change KDF"
   },

libs/angular/src/components/change-password.component.ts

@@ -10,6 +10,7 @@ import { PolicyService } from "@bitwarden/common/abstractions/policy/policy.serv
 import { StateService } from "@bitwarden/common/abstractions/state.service";
 import { KdfType } from "@bitwarden/common/enums/kdfType";
 import { EncString } from "@bitwarden/common/models/domain/enc-string";
+import { KdfConfig } from "@bitwarden/common/models/domain/kdf-config";
 import { MasterPasswordPolicyOptions } from "@bitwarden/common/models/domain/master-password-policy-options";
 import { SymmetricCryptoKey } from "@bitwarden/common/models/domain/symmetric-crypto-key";
 
@@ -27,7 +28,7 @@ export class ChangePasswordComponent implements OnInit, OnDestroy {
 
   protected email: string;
   protected kdf: KdfType;
-  protected kdfIterations: number;
+  protected kdfConfig: KdfConfig;
 
   protected destroy$ = new Subject<void>();
 
@@ -70,14 +71,14 @@ export class ChangePasswordComponent implements OnInit, OnDestroy {
     if (this.kdf == null) {
       this.kdf = await this.stateService.getKdfType();
     }
-    if (this.kdfIterations == null) {
+    if (this.kdfConfig == null) {
-      this.kdfIterations = await this.stateService.getKdfIterations();
+      this.kdfConfig = await this.stateService.getKdfConfig();
     }
     const key = await this.cryptoService.makeKey(
       this.masterPassword,
       email.trim().toLowerCase(),
       this.kdf,
-      this.kdfIterations
+      this.kdfConfig
     );
     const masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, key);
 

libs/angular/src/components/lock.component.ts

@@ -136,13 +136,13 @@ export class LockComponent implements OnInit, OnDestroy {
     let failed = true;
     try {
       const kdf = await this.stateService.getKdfType();
-      const kdfIterations = await this.stateService.getKdfIterations();
+      const kdfConfig = await this.stateService.getKdfConfig();
       if (this.pinSet[0]) {
         const key = await this.cryptoService.makeKeyFromPin(
           this.pin,
           this.email,
           kdf,
-          kdfIterations,
+          kdfConfig,
           await this.stateService.getDecryptedPinProtected()
         );
         const encKey = await this.cryptoService.getEncKey(key);
@@ -153,12 +153,7 @@ export class LockComponent implements OnInit, OnDestroy {
           await this.setKeyAndContinue(key);
         }
       } else {
-        const key = await this.cryptoService.makeKeyFromPin(
+        const key = await this.cryptoService.makeKeyFromPin(this.pin, this.email, kdf, kdfConfig);
-          this.pin,
-          this.email,
-          kdf,
-          kdfIterations
-        );
         failed = false;
         await this.setKeyAndContinue(key);
       }
@@ -194,14 +189,9 @@ export class LockComponent implements OnInit, OnDestroy {
 
   private async doUnlockWithMasterPassword() {
     const kdf = await this.stateService.getKdfType();
-    const kdfIterations = await this.stateService.getKdfIterations();
+    const kdfConfig = await this.stateService.getKdfConfig();
 
-    const key = await this.cryptoService.makeKey(
+    const key = await this.cryptoService.makeKey(this.masterPassword, this.email, kdf, kdfConfig);
-      this.masterPassword,
-      this.email,
-      kdf,
-      kdfIterations
-    );
     const storedKeyHash = await this.cryptoService.getKeyHash();
 
     let passwordValid = false;
@@ -244,7 +234,7 @@ export class LockComponent implements OnInit, OnDestroy {
       const protectedPin = await this.stateService.getProtectedPin();
       const encKey = await this.cryptoService.getEncKey(key);
       const decPin = await this.cryptoService.decryptToUtf8(new EncString(protectedPin), encKey);
-      const pinKey = await this.cryptoService.makePinKey(decPin, this.email, kdf, kdfIterations);
+      const pinKey = await this.cryptoService.makePinKey(decPin, this.email, kdf, kdfConfig);
       await this.stateService.setDecryptedPinProtected(
         await this.cryptoService.encrypt(key.key, pinKey)
       );

libs/angular/src/components/register.component.ts

@@ -16,7 +16,7 @@ import { LogService } from "@bitwarden/common/abstractions/log.service";
 import { PasswordGenerationService } from "@bitwarden/common/abstractions/passwordGeneration.service";
 import { PlatformUtilsService } from "@bitwarden/common/abstractions/platformUtils.service";
 import { StateService } from "@bitwarden/common/abstractions/state.service";
-import { DEFAULT_KDF_TYPE, DEFAULT_PBKDF2_ITERATIONS } from "@bitwarden/common/enums/kdfType";
+import { DEFAULT_KDF_CONFIG, DEFAULT_KDF_TYPE } from "@bitwarden/common/enums/kdfType";
 import { PasswordLogInCredentials } from "@bitwarden/common/models/domain/log-in-credentials";
 import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
 import { ReferenceEventRequest } from "@bitwarden/common/models/request/reference-event.request";
@@ -269,8 +269,8 @@ export class RegisterComponent extends CaptchaProtectedComponent implements OnIn
   ): Promise<RegisterRequest> {
     const hint = this.formGroup.value.hint;
     const kdf = DEFAULT_KDF_TYPE;
-    const kdfIterations = DEFAULT_PBKDF2_ITERATIONS;
+    const kdfConfig = DEFAULT_KDF_CONFIG;
-    const key = await this.cryptoService.makeKey(masterPassword, email, kdf, kdfIterations);
+    const key = await this.cryptoService.makeKey(masterPassword, email, kdf, kdfConfig);
     const encKey = await this.cryptoService.makeEncKey(key);
     const hashedPassword = await this.cryptoService.hashPassword(masterPassword, key);
     const keys = await this.cryptoService.makeKeyPair(encKey[0]);
@@ -280,10 +280,12 @@ export class RegisterComponent extends CaptchaProtectedComponent implements OnIn
       hashedPassword,
       hint,
       encKey[1].encryptedString,
-      kdf,
-      kdfIterations,
       this.referenceData,
-      this.captchaToken
+      this.captchaToken,
+      kdf,
+      kdfConfig.iterations,
+      kdfConfig.memory,
+      kdfConfig.parallelism
     );
     request.keys = new KeysRequest(keys[0], keys[1].encryptedString);
     const orgInvite = await this.stateService.getOrganizationInvitation();

libs/angular/src/components/set-password.component.ts

@@ -16,7 +16,7 @@ import { PolicyService } from "@bitwarden/common/abstractions/policy/policy.serv
 import { StateService } from "@bitwarden/common/abstractions/state.service";
 import { SyncService } from "@bitwarden/common/abstractions/sync/sync.service.abstraction";
 import { HashPurpose } from "@bitwarden/common/enums/hashPurpose";
-import { DEFAULT_KDF_TYPE, DEFAULT_PBKDF2_ITERATIONS } from "@bitwarden/common/enums/kdfType";
+import { DEFAULT_KDF_TYPE, DEFAULT_KDF_CONFIG } from "@bitwarden/common/enums/kdfType";
 import { Utils } from "@bitwarden/common/misc/utils";
 import { EncString } from "@bitwarden/common/models/domain/enc-string";
 import { SymmetricCryptoKey } from "@bitwarden/common/models/domain/symmetric-crypto-key";
@@ -93,7 +93,7 @@ export class SetPasswordComponent extends BaseChangePasswordComponent {
 
   async setupSubmitActions() {
     this.kdf = DEFAULT_KDF_TYPE;
-    this.kdfIterations = DEFAULT_PBKDF2_ITERATIONS;
+    this.kdfConfig = DEFAULT_KDF_CONFIG;
     return true;
   }
 
@@ -107,10 +107,12 @@ export class SetPasswordComponent extends BaseChangePasswordComponent {
       masterPasswordHash,
       encKey[1].encryptedString,
       this.hint,
-      this.kdf,
-      this.kdfIterations,
       this.identifier,
-      new KeysRequest(keys[0], keys[1].encryptedString)
+      new KeysRequest(keys[0], keys[1].encryptedString),
+      this.kdf,
+      this.kdfConfig.iterations,
+      this.kdfConfig.memory,
+      this.kdfConfig.parallelism
     );
     try {
       if (this.resetPasswordAutoEnroll) {
@@ -173,7 +175,7 @@ export class SetPasswordComponent extends BaseChangePasswordComponent {
     keys: [string, EncString]
   ) {
     await this.stateService.setKdfType(this.kdf);
-    await this.stateService.setKdfIterations(this.kdfIterations);
+    await this.stateService.setKdfConfig(this.kdfConfig);
     await this.cryptoService.setKey(key);
     await this.cryptoService.setEncKey(encKey[1].encryptedString);
     await this.cryptoService.setEncPrivateKey(keys[1].encryptedString);

libs/angular/src/components/set-pin.component.ts

@@ -36,9 +36,9 @@ export class SetPinComponent implements OnInit {
     }
 
     const kdf = await this.stateService.getKdfType();
-    const kdfIterations = await this.stateService.getKdfIterations();
+    const kdfConfig = await this.stateService.getKdfConfig();
     const email = await this.stateService.getEmail();
-    const pinKey = await this.cryptoService.makePinKey(this.pin, email, kdf, kdfIterations);
+    const pinKey = await this.cryptoService.makePinKey(this.pin, email, kdf, kdfConfig);
     const key = await this.cryptoService.getKey();
     const pinProtectedKey = await this.cryptoService.encrypt(key.key, pinKey);
     if (this.masterPassOnRestart) {

libs/angular/src/components/update-password.component.ts

@@ -86,7 +86,7 @@ export class UpdatePasswordComponent extends BaseChangePasswordComponent {
     }
 
     this.kdf = await this.stateService.getKdfType();
-    this.kdfIterations = await this.stateService.getKdfIterations();
+    this.kdfConfig = await this.stateService.getKdfConfig();
     return true;
   }
 

libs/angular/src/components/update-temp-password.component.ts

@@ -62,7 +62,7 @@ export class UpdateTempPasswordComponent extends BaseChangePasswordComponent {
   async setupSubmitActions(): Promise<boolean> {
     this.email = await this.stateService.getEmail();
     this.kdf = await this.stateService.getKdfType();
-    this.kdfIterations = await this.stateService.getKdfIterations();
+    this.kdfConfig = await this.stateService.getKdfConfig();
     return true;
   }
 
@@ -82,7 +82,7 @@ export class UpdateTempPasswordComponent extends BaseChangePasswordComponent {
         this.masterPassword,
         this.email.trim().toLowerCase(),
         this.kdf,
-        this.kdfIterations
+        this.kdfConfig
       );
       const newPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, newKey);
 

libs/common/src/abstractions/crypto.service.ts

@@ -3,6 +3,7 @@ import { KdfType } from "../enums/kdfType";
 import { KeySuffixOptions } from "../enums/keySuffixOptions";
 import { EncArrayBuffer } from "../models/domain/enc-array-buffer";
 import { EncString } from "../models/domain/enc-string";
+import { KdfConfig } from "../models/domain/kdf-config";
 import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
 import { ProfileOrganizationResponse } from "../models/response/profile-organization.response";
 import { ProfileProviderOrganizationResponse } from "../models/response/profile-provider-organization.response";
@@ -47,13 +48,13 @@ export abstract class CryptoService {
     password: string,
     salt: string,
     kdf: KdfType,
-    kdfIterations: number
+    kdfConfig: KdfConfig
   ) => Promise<SymmetricCryptoKey>;
   makeKeyFromPin: (
     pin: string,
     salt: string,
     kdf: KdfType,
-    kdfIterations: number,
+    kdfConfig: KdfConfig,
     protectedKeyCs?: EncString
   ) => Promise<SymmetricCryptoKey>;
   makeShareKey: () => Promise<[EncString, SymmetricCryptoKey]>;
@@ -62,7 +63,7 @@ export abstract class CryptoService {
     pin: string,
     salt: string,
     kdf: KdfType,
-    kdfIterations: number
+    kdfConfig: KdfConfig
   ) => Promise<SymmetricCryptoKey>;
   makeSendKey: (keyMaterial: ArrayBuffer) => Promise<SymmetricCryptoKey>;
   hashPassword: (

libs/common/src/abstractions/organization-user/responses/organization-user.response.ts

@@ -61,6 +61,8 @@ export class OrganizationUserDetailsResponse extends OrganizationUserResponse {
 export class OrganizationUserResetPasswordDetailsReponse extends BaseResponse {
   kdf: KdfType;
   kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
   resetPasswordKey: string;
   encryptedPrivateKey: string;
 
@@ -68,6 +70,8 @@ export class OrganizationUserResetPasswordDetailsReponse extends BaseResponse {
     super(response);
     this.kdf = this.getResponseProperty("Kdf");
     this.kdfIterations = this.getResponseProperty("KdfIterations");
+    this.kdfMemory = this.getResponseProperty("KdfMemory");
+    this.kdfParallelism = this.getResponseProperty("KdfParallelism");
     this.resetPasswordKey = this.getResponseProperty("ResetPasswordKey");
     this.encryptedPrivateKey = this.getResponseProperty("EncryptedPrivateKey");
   }

libs/common/src/abstractions/state.service.ts

@@ -18,6 +18,7 @@ import { Account, AccountSettingsSettings } from "../models/domain/account";
 import { EncString } from "../models/domain/enc-string";
 import { EnvironmentUrls } from "../models/domain/environment-urls";
 import { GeneratedPasswordHistory } from "../models/domain/generated-password-history";
+import { KdfConfig } from "../models/domain/kdf-config";
 import { Policy } from "../models/domain/policy";
 import { StorageOptions } from "../models/domain/storage-options";
 import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
@@ -252,8 +253,8 @@ export abstract class StateService<T extends Account = Account> {
   getInstalledVersion: (options?: StorageOptions) => Promise<string>;
   setInstalledVersion: (value: string, options?: StorageOptions) => Promise<void>;
   getIsAuthenticated: (options?: StorageOptions) => Promise<boolean>;
-  getKdfIterations: (options?: StorageOptions) => Promise<number>;
+  getKdfConfig: (options?: StorageOptions) => Promise<KdfConfig>;
-  setKdfIterations: (value: number, options?: StorageOptions) => Promise<void>;
+  setKdfConfig: (kdfConfig: KdfConfig, options?: StorageOptions) => Promise<void>;
   getKdfType: (options?: StorageOptions) => Promise<KdfType>;
   setKdfType: (value: KdfType, options?: StorageOptions) => Promise<void>;
   getKeyHash: (options?: StorageOptions) => Promise<string>;

libs/common/src/enums/kdfType.ts

@@ -1,12 +1,15 @@
+import { KdfConfig } from "../models/domain/kdf-config";
+
 export enum KdfType {
   PBKDF2_SHA256 = 0,
   Argon2id = 1,
 }
 
-export const DEFAULT_ARGON2_MEMORY = 19;
+export const DEFAULT_ARGON2_MEMORY = 64;
-export const DEFAULT_ARGON2_PARALLELISM = 1;
+export const DEFAULT_ARGON2_PARALLELISM = 4;
-export const DEFAULT_ARGON2_ITERATIONS = 2;
+export const DEFAULT_ARGON2_ITERATIONS = 3;
 
 export const DEFAULT_KDF_TYPE = KdfType.PBKDF2_SHA256;
 export const DEFAULT_PBKDF2_ITERATIONS = 600000;
+export const DEFAULT_KDF_CONFIG = new KdfConfig(DEFAULT_PBKDF2_ITERATIONS);
 export const SEND_KDF_ITERATIONS = 100000;

libs/common/src/importers/bitwarden-password-protected-importer.ts

@@ -3,6 +3,7 @@ import { I18nService } from "../abstractions/i18n.service";
 import { KdfType } from "../enums/kdfType";
 import { EncString } from "../models/domain/enc-string";
 import { ImportResult } from "../models/domain/import-result";
+import { KdfConfig } from "../models/domain/kdf-config";
 import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
 
 import { BitwardenJsonImporter } from "./bitwarden-json-importer";
@@ -49,7 +50,7 @@ export class BitwardenPasswordProtectedImporter extends BitwardenJsonImporter im
       this.password,
       jdoc.salt,
       KdfType.PBKDF2_SHA256,
-      jdoc.kdfIterations
+      new KdfConfig(jdoc.kdfIterations)
     );
 
     const encKeyValidation = new EncString(jdoc.encKeyValidation_DO_NOT_EDIT);

libs/common/src/misc/logInStrategies/logIn.strategy.ts

@@ -107,6 +107,8 @@ export abstract class LogInStrategy {
             email: accountInformation.email,
             hasPremiumPersonally: accountInformation.premium,
             kdfIterations: tokenResponse.kdfIterations,
+            kdfMemory: tokenResponse.kdfMemory,
+            kdfParallelism: tokenResponse.kdfParallelism,
             kdfType: tokenResponse.kdf,
           },
         },

libs/common/src/models/domain/account.ts

@@ -189,6 +189,8 @@ export class AccountProfile {
   usesKeyConnector?: boolean;
   keyHash?: string;
   kdfIterations?: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
   kdfType?: KdfType;
 
   static fromJSON(obj: Jsonify<AccountProfile>): AccountProfile {

libs/common/src/models/domain/kdf-config.ts

@@ -0,0 +1,11 @@
+export class KdfConfig {
+  iterations: number;
+  memory?: number;
+  parallelism?: number;
+
+  constructor(iterations: number, memory?: number, parallelism?: number) {
+    this.iterations = iterations;
+    this.memory = memory;
+    this.parallelism = parallelism;
+  }
+}

libs/common/src/models/request/kdf.request.ts

@@ -5,4 +5,6 @@ import { PasswordRequest } from "./password.request";
 export class KdfRequest extends PasswordRequest {
   kdf: KdfType;
   kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
 }

libs/common/src/models/request/register.request.ts

@@ -16,10 +16,12 @@ export class RegisterRequest implements CaptchaProtectedRequest {
     public masterPasswordHash: string,
     masterPasswordHint: string,
     public key: string,
+    public referenceData: ReferenceEventRequest,
+    public captchaResponse: string,
     public kdf: KdfType,
     public kdfIterations: number,
-    public referenceData: ReferenceEventRequest,
+    public kdfMemory?: number,
-    public captchaResponse: string
+    public kdfParallelism?: number
   ) {
     this.masterPasswordHint = masterPasswordHint ? masterPasswordHint : null;
   }

libs/common/src/models/request/set-password.request.ts

@@ -9,22 +9,28 @@ export class SetPasswordRequest {
   keys: KeysRequest;
   kdf: KdfType;
   kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
   orgIdentifier: string;
 
   constructor(
     masterPasswordHash: string,
     key: string,
     masterPasswordHint: string,
+    orgIdentifier: string,
+    keys: KeysRequest,
     kdf: KdfType,
     kdfIterations: number,
-    orgIdentifier: string,
+    kdfMemory?: number,
-    keys: KeysRequest
+    kdfParallelism?: number
   ) {
     this.masterPasswordHash = masterPasswordHash;
     this.key = key;
     this.masterPasswordHint = masterPasswordHint;
     this.kdf = kdf;
     this.kdfIterations = kdfIterations;
+    this.kdfMemory = kdfMemory;
+    this.kdfParallelism = kdfParallelism;
     this.orgIdentifier = orgIdentifier;
     this.keys = keys;
   }

libs/common/src/models/response/emergency-access.response.ts

@@ -59,6 +59,8 @@ export class EmergencyAccessTakeoverResponse extends BaseResponse {
   keyEncrypted: string;
   kdf: KdfType;
   kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
 
   constructor(response: any) {
     super(response);
@@ -66,6 +68,8 @@ export class EmergencyAccessTakeoverResponse extends BaseResponse {
     this.keyEncrypted = this.getResponseProperty("KeyEncrypted");
     this.kdf = this.getResponseProperty("Kdf");
     this.kdfIterations = this.getResponseProperty("KdfIterations");
+    this.kdfMemory = this.getResponseProperty("KdfMemory");
+    this.kdfParallelism = this.getResponseProperty("KdfParallelism");
   }
 }
 

libs/common/src/models/response/identity-token.response.ts

@@ -14,6 +14,8 @@ export class IdentityTokenResponse extends BaseResponse {
   twoFactorToken: string;
   kdf: KdfType;
   kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
   forcePasswordReset: boolean;
   apiUseKeyConnector: boolean;
   keyConnectorUrl: string;
@@ -31,6 +33,8 @@ export class IdentityTokenResponse extends BaseResponse {
     this.twoFactorToken = this.getResponseProperty("TwoFactorToken");
     this.kdf = this.getResponseProperty("Kdf");
     this.kdfIterations = this.getResponseProperty("KdfIterations");
+    this.kdfMemory = this.getResponseProperty("KdfMemory");
+    this.kdfParallelism = this.getResponseProperty("KdfParallelism");
     this.forcePasswordReset = this.getResponseProperty("ForcePasswordReset");
     this.apiUseKeyConnector = this.getResponseProperty("ApiUseKeyConnector");
     this.keyConnectorUrl = this.getResponseProperty("KeyConnectorUrl");

libs/common/src/models/response/prelogin.response.ts

@@ -5,10 +5,14 @@ import { BaseResponse } from "./base.response";
 export class PreloginResponse extends BaseResponse {
   kdf: KdfType;
   kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
 
   constructor(response: any) {
     super(response);
     this.kdf = this.getResponseProperty("Kdf");
     this.kdfIterations = this.getResponseProperty("KdfIterations");
+    this.kdfMemory = this.getResponseProperty("KdfMemory");
+    this.kdfParallelism = this.getResponseProperty("KdfParallelism");
   }
 }

libs/common/src/services/auth.service.ts

@@ -22,6 +22,7 @@ import { PasswordlessLogInStrategy } from "../misc/logInStrategies/passwordlessL
 import { SsoLogInStrategy } from "../misc/logInStrategies/ssoLogin.strategy";
 import { UserApiLogInStrategy } from "../misc/logInStrategies/user-api-login.strategy";
 import { AuthResult } from "../models/domain/auth-result";
+import { KdfConfig } from "../models/domain/kdf-config";
 import {
   UserApiLogInCredentials,
   PasswordLogInCredentials,
@@ -247,19 +248,23 @@ export class AuthService implements AuthServiceAbstraction {
   async makePreloginKey(masterPassword: string, email: string): Promise<SymmetricCryptoKey> {
     email = email.trim().toLowerCase();
     let kdf: KdfType = null;
-    let kdfIterations: number = null;
+    let kdfConfig: KdfConfig = null;
     try {
       const preloginResponse = await this.apiService.postPrelogin(new PreloginRequest(email));
       if (preloginResponse != null) {
         kdf = preloginResponse.kdf;
-        kdfIterations = preloginResponse.kdfIterations;
+        kdfConfig = new KdfConfig(
+          preloginResponse.kdfIterations,
+          preloginResponse.kdfMemory,
+          preloginResponse.kdfParallelism
+        );
       }
     } catch (e) {
       if (e == null || e.statusCode !== 404) {
         throw e;
       }
     }
-    return this.cryptoService.makeKey(masterPassword, email, kdf, kdfIterations);
+    return this.cryptoService.makeKey(masterPassword, email, kdf, kdfConfig);
   }
 
   async authResponsePushNotifiction(notification: AuthRequestPushNotification): Promise<any> {

libs/common/src/services/crypto.service.ts

@@ -8,7 +8,12 @@ import { PlatformUtilsService } from "../abstractions/platformUtils.service";
 import { StateService } from "../abstractions/state.service";
 import { EncryptionType } from "../enums/encryptionType";
 import { HashPurpose } from "../enums/hashPurpose";
-import { DEFAULT_ARGON2_ITERATIONS, KdfType } from "../enums/kdfType";
+import {
+  DEFAULT_ARGON2_ITERATIONS,
+  DEFAULT_ARGON2_MEMORY,
+  DEFAULT_ARGON2_PARALLELISM,
+  KdfType,
+} from "../enums/kdfType";
 import { KeySuffixOptions } from "../enums/keySuffixOptions";
 import { sequentialize } from "../misc/sequentialize";
 import { Utils } from "../misc/utils";
@@ -17,6 +22,7 @@ import { EncryptedOrganizationKeyData } from "../models/data/encrypted-organizat
 import { EncArrayBuffer } from "../models/domain/enc-array-buffer";
 import { EncString } from "../models/domain/enc-string";
 import { BaseEncryptedOrganizationKey } from "../models/domain/encrypted-organization-key";
+import { KdfConfig } from "../models/domain/kdf-config";
 import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
 import { ProfileOrganizationResponse } from "../models/response/profile-organization.response";
 import { ProfileProviderOrganizationResponse } from "../models/response/profile-provider-organization.response";
@@ -408,28 +414,44 @@ export class CryptoService implements CryptoServiceAbstraction {
     password: string,
     salt: string,
     kdf: KdfType,
-    kdfIterations: number
+    kdfConfig: KdfConfig
   ): Promise<SymmetricCryptoKey> {
     let key: ArrayBuffer = null;
     if (kdf == null || kdf === KdfType.PBKDF2_SHA256) {
-      if (kdfIterations == null) {
+      if (kdfConfig.iterations == null) {
-        kdfIterations = 5000;
+        kdfConfig.iterations = 5000;
-      } else if (kdfIterations < 5000) {
+      } else if (kdfConfig.iterations < 5000) {
         throw new Error("PBKDF2 iteration minimum is 5000.");
       }
-      key = await this.cryptoFunctionService.pbkdf2(password, salt, "sha256", kdfIterations);
+      key = await this.cryptoFunctionService.pbkdf2(password, salt, "sha256", kdfConfig.iterations);
     } else if (kdf == KdfType.Argon2id) {
-      if (kdfIterations == null) {
+      if (kdfConfig.iterations == null) {
-        kdfIterations = DEFAULT_ARGON2_ITERATIONS;
+        kdfConfig.iterations = DEFAULT_ARGON2_ITERATIONS;
-      } else if (kdfIterations < 2) {
+      } else if (kdfConfig.iterations < 2) {
         throw new Error("Argon2 iteration minimum is 2.");
       }
+
+      if (kdfConfig.memory == null) {
+        kdfConfig.memory = DEFAULT_ARGON2_MEMORY;
+      } else if (kdfConfig.memory < 16) {
+        throw new Error("Argon2 memory minimum is 16 MB");
+      } else if (kdfConfig.memory > 1024) {
+        throw new Error("Argon2 memory maximum is 1024 MB");
+      }
+
+      if (kdfConfig.parallelism == null) {
+        kdfConfig.parallelism = DEFAULT_ARGON2_PARALLELISM;
+      } else if (kdfConfig.parallelism < 1) {
+        throw new Error("Argon2 parallelism minimum is 1.");
+      }
+
+      const saltHash = await this.cryptoFunctionService.hash(salt, "sha256");
       key = await this.cryptoFunctionService.argon2(
         password,
-        salt,
+        saltHash,
-        kdfIterations,
+        kdfConfig.iterations,
-        16 * 1024, // convert to KiB from MiB
+        kdfConfig.memory * 1024, // convert to KiB from MiB
-        2
+        kdfConfig.parallelism
       );
     } else {
       throw new Error("Unknown Kdf.");
@@ -441,7 +463,7 @@ export class CryptoService implements CryptoServiceAbstraction {
     pin: string,
     salt: string,
     kdf: KdfType,
-    kdfIterations: number,
+    kdfConfig: KdfConfig,
     protectedKeyCs: EncString = null
   ): Promise<SymmetricCryptoKey> {
     if (protectedKeyCs == null) {
@@ -451,7 +473,7 @@ export class CryptoService implements CryptoServiceAbstraction {
       }
       protectedKeyCs = new EncString(pinProtectedKey);
     }
-    const pinKey = await this.makePinKey(pin, salt, kdf, kdfIterations);
+    const pinKey = await this.makePinKey(pin, salt, kdf, kdfConfig);
     const decKey = await this.decryptToBytes(protectedKeyCs, pinKey);
     return new SymmetricCryptoKey(decKey);
   }
@@ -474,9 +496,9 @@ export class CryptoService implements CryptoServiceAbstraction {
     pin: string,
     salt: string,
     kdf: KdfType,
-    kdfIterations: number
+    kdfConfig: KdfConfig
   ): Promise<SymmetricCryptoKey> {
-    const pinKey = await this.makeKey(pin, salt, kdf, kdfIterations);
+    const pinKey = await this.makeKey(pin, salt, kdf, kdfConfig);
     return await this.stretchKey(pinKey);
   }
 

libs/common/src/services/export.service.ts

@@ -17,6 +17,7 @@ import { CollectionData } from "../models/data/collection.data";
 import { Cipher } from "../models/domain/cipher";
 import { Collection } from "../models/domain/collection";
 import { Folder } from "../models/domain/folder";
+import { KdfConfig } from "../models/domain/kdf-config";
 import { CipherWithIdExport as CipherExport } from "../models/export/cipher-with-ids.export";
 import { CollectionWithIdExport as CollectionExport } from "../models/export/collection-with-id.export";
 import { EventExport } from "../models/export/event.export";
@@ -54,12 +55,12 @@ export class ExportService implements ExportServiceAbstraction {
       : await this.getExport("json");
 
     const salt = Utils.fromBufferToB64(await this.cryptoFunctionService.randomBytes(16));
-    const kdfIterations = DEFAULT_PBKDF2_ITERATIONS;
+    const kdfConfig = new KdfConfig(DEFAULT_PBKDF2_ITERATIONS);
     const key = await this.cryptoService.makePinKey(
       password,
       salt,
       KdfType.PBKDF2_SHA256,
-      kdfIterations
+      kdfConfig
     );
 
     const encKeyValidation = await this.cryptoService.encrypt(Utils.newGuid(), key);
@@ -69,7 +70,7 @@ export class ExportService implements ExportServiceAbstraction {
       encrypted: true,
       passwordProtected: true,
       salt: salt,
-      kdfIterations: kdfIterations,
+      kdfIterations: kdfConfig.iterations,
       kdfType: KdfType.PBKDF2_SHA256,
       encKeyValidation_DO_NOT_EDIT: encKeyValidation.encryptedString,
       data: encText.encryptedString,

libs/common/src/services/keyConnector.service.ts

@@ -8,6 +8,7 @@ import { StateService } from "../abstractions/state.service";
 import { TokenService } from "../abstractions/token.service";
 import { OrganizationUserType } from "../enums/organizationUserType";
 import { Utils } from "../misc/utils";
+import { KdfConfig } from "../models/domain/kdf-config";
 import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
 import { SetKeyConnectorKeyRequest } from "../models/request/account/set-key-connector-key.request";
 import { KeyConnectorUserKeyRequest } from "../models/request/key-connector-user-key.request";
@@ -82,14 +83,14 @@ export class KeyConnectorService implements KeyConnectorServiceAbstraction {
   }
 
   async convertNewSsoUserToKeyConnector(tokenResponse: IdentityTokenResponse, orgId: string) {
-    const { kdf, kdfIterations, keyConnectorUrl } = tokenResponse;
+    const { kdf, kdfIterations, kdfMemory, kdfParallelism, keyConnectorUrl } = tokenResponse;
     const password = await this.cryptoFunctionService.randomBytes(64);
 
     const k = await this.cryptoService.makeKey(
       Utils.fromBufferToB64(password),
       await this.tokenService.getEmail(),
       kdf,
-      kdfIterations
+      new KdfConfig(kdfIterations, kdfMemory, kdfParallelism)
     );
     const keyConnectorRequest = new KeyConnectorUserKeyRequest(k.encKeyB64);
     await this.cryptoService.setKey(k);

libs/common/src/services/state.service.ts

@@ -36,6 +36,7 @@ import { EncString } from "../models/domain/enc-string";
 import { EnvironmentUrls } from "../models/domain/environment-urls";
 import { GeneratedPasswordHistory } from "../models/domain/generated-password-history";
 import { GlobalState } from "../models/domain/global-state";
+import { KdfConfig } from "../models/domain/kdf-config";
 import { Policy } from "../models/domain/policy";
 import { State } from "../models/domain/state";
 import { StorageOptions } from "../models/domain/storage-options";
@@ -1657,17 +1658,26 @@ export class StateService<
     return (await this.getAccessToken(options)) != null && (await this.getUserId(options)) != null;
   }
 
-  async getKdfIterations(options?: StorageOptions): Promise<number> {
+  async getKdfConfig(options?: StorageOptions): Promise<KdfConfig> {
-    return (
+    const iterations = (
       await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
     )?.profile?.kdfIterations;
+    const memory = (
+      await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
+    )?.profile?.kdfMemory;
+    const parallelism = (
+      await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
+    )?.profile?.kdfParallelism;
+    return new KdfConfig(iterations, memory, parallelism);
   }
 
-  async setKdfIterations(value: number, options?: StorageOptions): Promise<void> {
+  async setKdfConfig(config: KdfConfig, options?: StorageOptions): Promise<void> {
     const account = await this.getAccount(
       this.reconcileOptions(options, await this.defaultOnDiskOptions())
     );
-    account.profile.kdfIterations = value;
+    account.profile.kdfIterations = config.iterations;
+    account.profile.kdfMemory = config.memory;
+    account.profile.kdfParallelism = config.parallelism;
     await this.saveAccount(
       account,
       this.reconcileOptions(options, await this.defaultOnDiskOptions())