The scrypt Password-Based Key Derivation Function
draft-josefsson-scrypt-kdf-03

 
Document type: Active Internet-Draft (individual)
Last updated: 2015-05-12

Network Working Group                                        C. Percival
Internet-Draft                                                   Tarsnap
Intended status: Informational                              S. Josefsson
Expires: November 14, 2015                                        SJD AB
                                                            May 13, 2015

           The scrypt Password-Based Key Derivation Function
                     draft-josefsson-scrypt-kdf-03

Abstract

   This document specifies the password-based key derivation function
   scrypt.  The function derives one or more secret keys from a secret
   string.  It is based on memory-hard functions which offer added
   protection against attacks using custom hardware.  The document also
   provides an ASN.1 schema.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 14, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  The Salsa20/8 Core Function
   3.  The scryptBlockMix Algorithm
   4.  The scryptROMix Algorithm
   5.  The scrypt Algorithm
   6.  ASN.1 Syntax
     6.1.  ASN.1 Module
   7.  Test Vectors for Salsa20/8 Core
   8.  Test Vectors for scryptBlockMix
   9.  Test Vectors for scryptROMix
   10. Test Vectors for PBKDF2 with HMAC-SHA-256
   11. Test Vectors for scrypt
   12. Test Vectors for PKCS#8
   13. Copying Conditions
   14. Acknowledgements
   15. IANA Considerations
   16. Security Considerations
   17. References
     17.1.  Normative References
     17.2.  Informative References
   Authors' Addresses

1.  Introduction

   Password-based key derivation functions are used in cryptography for
   deriving one or more secret keys from a secret value.  Over the
   years, several password-based key derivation functions have been
   used, including the original DES-based UNIX Crypt-function, FreeBSD
   MD5 crypt, PKCS#5 PBKDF2 [RFC2898] (typically used with SHA-1), GNU
   SHA-256/512 crypt, Windows NT LAN Manager (NTLM) hash, and the
   Blowfish-based bcrypt.  These algorithms are based on similar
   techniques that employ a cryptographic primitive, salting and/or
   iteration.  The iteration count is used to slow down the computation.

   Providing that the number of iterations used is increased as computer
   systems get faster, this allows legitimate users to spend a constant
   amount of time on key derivation without losing ground to
   attackers' ever-increasing computing power - as long as attackers are