The scrypt Password-Based Key Derivation Function
draft-josefsson-scrypt-kdf-04

Document type: Active Internet-Draft (individual)
Last updated: 2015-12-14 (latest revision 2015-11-20)
Stream: IETF
Intended RFC status: Informational
Stream WG state: (None)
Document shepherd: Rich Salz
Shepherd write-up: last changed 2015-07-04
IESG state: IESG Evaluation::AD Followup
Consensus: Yes
Has enough positions to pass.
Responsible AD: Stephen Farrell
Send notices to: (None)
IANA review state: IANA OK - No Actions Needed
IANA action state: None
Network Working Group                                        C. Percival
Internet-Draft                                                   Tarsnap
Intended status: Informational                              S. Josefsson
Expires: May 23, 2016                                             SJD AB
                                                       November 20, 2015

           The scrypt Password-Based Key Derivation Function
                     draft-josefsson-scrypt-kdf-04

Abstract

   This document specifies the password-based key derivation function
   scrypt.  The function derives one or more secret keys from a secret
   string.  It is based on memory-hard functions which offer added
   protection against attacks using custom hardware.  The document also
   provides an ASN.1 schema.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 23, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Percival & Josefsson      Expires May 23, 2016                  [Page 1]
Internet-Draft                   scrypt                    November 2015

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Scrypt Parameters . . . . . . . . . . . . . . . . . . . . . .   3
   3.  The Salsa20/8 Core Function . . . . . . . . . . . . . . . . .   4
   4.  The scryptBlockMix Algorithm  . . . . . . . . . . . . . . . .   4
   5.  The scryptROMix Algorithm . . . . . . . . . . . . . . . . . .   5
   6.  The scrypt Algorithm  . . . . . . . . . . . . . . . . . . . .   6
   7.  ASN.1 Syntax  . . . . . . . . . . . . . . . . . . . . . . . .   7
     7.1.  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . . .   8
   8.  Test Vectors for Salsa20/8 Core . . . . . . . . . . . . . . .   9
   9.  Test Vectors for scryptBlockMix . . . . . . . . . . . . . . .   9
   10. Test Vectors for scryptROMix  . . . . . . . . . . . . . . . .  10
   11. Test Vectors for PBKDF2 with HMAC-SHA-256 . . . . . . . . . .  11
   12. Test Vectors for scrypt . . . . . . . . . . . . . . . . . . .  11
   13. Test Vectors for PKCS#8 . . . . . . . . . . . . . . . . . . .  12
   14. Copying Conditions  . . . . . . . . . . . . . . . . . . . . .  13
   15. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  13
   16. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
   17. Security Considerations . . . . . . . . . . . . . . . . . . .  13
   18. References  . . . . . . . . . . . . . . . . . . . . . . . . .  14
     18.1.  Normative References . . . . . . . . . . . . . . . . . .  14
     18.2.  Informative References . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15

1.  Introduction

   Password-based key derivation functions are used in cryptography and
   security protocols for deriving one or more secret keys from a secret
   value.  Over the years, several password-based key derivation
   functions have been used, including the original DES-based UNIX
   Crypt-function, FreeBSD MD5 crypt, PKCS#5 PBKDF2 [RFC2898] (typically
   used with SHA-1), GNU SHA-256/512 crypt [SHA2CRYPT], Windows NT LAN
   Manager (NTLM) [NTLM] hash, and the Blowfish-based bcrypt [BCRYPT].
   These algorithms are all based on a cryptographic primitive combined
   with salting and/or iteration.  The iteration count is used to slow
   down the computation, and the salt is used to make pre-computation
   costlier.
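   As an added illustration (not part of the draft's own text or of any
   reference implementation), the following Python code builds the scrypt
   construction the draft specifies from its pieces: the Salsa20/8 core,
   scryptBlockMix, scryptROMix and the outer PBKDF2-HMAC-SHA256 layers.
   The function names are my own; the memory-filling loop in ro_mix is
   the part that gives scrypt the memory-hardness the abstract refers to.

```python
import hashlib
import struct
MASK32 = 0xFFFFFFFF
# Salsa20 quarter-round index groups: four column rounds, then four row rounds.
_QR = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
       (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def salsa20_8(block: bytes) -> bytes:
    """Salsa20/8 core: 4 double rounds over one 64-byte block, then add the input words."""
    x = list(struct.unpack("<16I", block))
    start = x[:]
    for _ in range(4):
        for a, b, c, d in _QR:
            x[b] ^= _rotl((x[a] + x[d]) & MASK32, 7)
            x[c] ^= _rotl((x[b] + x[a]) & MASK32, 9)
            x[d] ^= _rotl((x[c] + x[b]) & MASK32, 13)
            x[a] ^= _rotl((x[d] + x[c]) & MASK32, 18)
    return struct.pack("<16I", *((i + j) & MASK32 for i, j in zip(x, start)))

def block_mix(B: bytes, r: int) -> bytes:
    """scryptBlockMix: chain Salsa20/8 over the 2r blocks, then interleave even/odd outputs."""
    blocks = [B[i * 64:(i + 1) * 64] for i in range(2 * r)]
    X, Y = blocks[-1], []
    for blk in blocks:
        X = salsa20_8(_xor(X, blk))
        Y.append(X)
    return b"".join(Y[0::2] + Y[1::2])

def ro_mix(B: bytes, r: int, N: int) -> bytes:
    """scryptROMix: write N blocks to memory, then read them back in a data-dependent order."""
    X, V = B, []
    for _ in range(N):            # memory-filling pass: N * 128 * r bytes must be kept
        V.append(X)
        X = block_mix(X, r)
    for _ in range(N):            # memory-dependent pass: index chosen by the data itself
        j = int.from_bytes(X[-64:-56], "little") % N    # Integerify(X) mod N
        X = block_mix(_xor(X, V[j]), r)
    return X

def scrypt(P: bytes, S: bytes, N: int, r: int, p: int, dkLen: int) -> bytes:
    """scrypt(P, S, N, r, p, dkLen): PBKDF2-HMAC-SHA256 -> p x scryptROMix -> PBKDF2-HMAC-SHA256."""
    if N < 2 or N & (N - 1):
        raise ValueError("N must be a power of two greater than 1")
    B = hashlib.pbkdf2_hmac("sha256", P, S, 1, p * 128 * r)
    mixed = b"".join(ro_mix(B[i * 128 * r:(i + 1) * 128 * r], r, N) for i in range(p))
    return hashlib.pbkdf2_hmac("sha256", P, mixed, 1, dkLen)
```

   The check below uses the draft's first published scrypt test vector
   (P="", S="", N=16, r=1, p=1, dkLen=64); larger parameters are slow in
   pure Python, so this code is for study rather than production use.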

   All password-based key derivation functions mentioned above share the
   same weakness against powerful attackers.  Providing that the number