
The scrypt Password-Based Key Derivation Function
draft-josefsson-scrypt-kdf-02

Document type: Active Internet-Draft (individual)
Document stream: No stream defined
Last updated: 2015-01-26
Intended RFC status: Unknown

Stream State: No stream defined
Document shepherd: No shepherd assigned

IESG State: I-D Exists
Responsible AD: (None)
Send notices to: No addresses provided

Network Working Group                                        C. Percival
Internet-Draft                                                   Tarsnap
Intended status: Informational                              S. Josefsson
Expires: July 30, 2015                                            SJD AB
                                                        January 26, 2015

           The scrypt Password-Based Key Derivation Function
                     draft-josefsson-scrypt-kdf-02

Abstract

   This document specifies the password-based key derivation function
   scrypt.  The function derives one or more secret keys from a secret
   string.  It is based on memory-hard functions which offer added
   protection against attacks using custom hardware.  The document also
   provides an ASN.1 schema.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 30, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  The Salsa20/8 Core Function
   3.  The scryptBlockMix Algorithm
   4.  The scryptROMix Algorithm
   5.  The scrypt Algorithm
   6.  ASN.1 Syntax
     6.1.  ASN.1 Module
   7.  Test Vectors for Salsa20/8 Core
   8.  Test Vectors for scryptBlockMix
   9.  Test Vectors for scryptROMix
   10. Test Vectors for PBKDF2 with HMAC-SHA-256
   11. Test Vectors for scrypt
   12. Copying Conditions
   13. Acknowledgements
   14. IANA Considerations
   15. Security Considerations
   16. References
     16.1.  Normative References
     16.2.  Informative References
   Authors' Addresses

1.  Introduction

   Password-based key derivation functions are used in cryptography for
   deriving one or more secret keys from a secret value.  Over the
   years, several password-based key derivation functions have been
   used, including the original DES-based UNIX Crypt-function, FreeBSD
   MD5 crypt, PKCS#5 PBKDF2 [RFC2898] (typically used with SHA-1), GNU
   SHA-256/512 crypt, Windows NT LAN Manager (NTLM) hash, and the
   Blowfish-based bcrypt.  These algorithms are based on similar
   techniques that employ a cryptographic primitive, salting and/or
   iteration.  The iteration count is used to slow down the computation.

   Providing that the number of iterations used is increased as computer
   systems get faster, this allows legitimate users to spend a constant
   amount of time on key derivation without losing ground to attackers'
   ever-increasing computing power - as long as attackers are limited to
   the same software implementations as legitimate users.
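
   The iteration-count tuning described above, as an added example that
   is not part of the draft: it calibrates a PBKDF2-HMAC-SHA-256
   iteration count to a time budget on the current host using Python's
   hashlib.  The function names, the 16-byte salt and the floor and
   ceiling values are assumptions made for illustration.

```python
import hashlib
import os
import time
from typing import Optional, Tuple


def time_pbkdf2(password: bytes, salt: bytes, iterations: int) -> float:
    """Return wall-clock seconds for one PBKDF2-HMAC-SHA-256 derivation."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    return time.perf_counter() - start


def calibrate_iterations(target_seconds: float, floor: int = 10_000,
                         ceiling: int = 1 << 26) -> int:
    """Pick an iteration count costing about target_seconds on this host.

    Doubles the count from `floor` until one derivation takes at least
    half the target, then scales linearly, since PBKDF2 cost is linear
    in the count. The result is clamped to [floor, ceiling].
    """
    # Constructed probe inputs; only their length affects the timing.
    probe_pw, probe_salt = b"calibration-only", b"\x00" * 16
    count = floor
    elapsed = time_pbkdf2(probe_pw, probe_salt, count)
    while elapsed < target_seconds / 2 and count < ceiling:
        count *= 2
        elapsed = time_pbkdf2(probe_pw, probe_salt, count)
    scaled = int(count * target_seconds / max(elapsed, 1e-9))
    return max(floor, min(scaled, ceiling))


def derive(password: bytes, iterations: int,
           salt: Optional[bytes] = None) -> Tuple[bytes, int, bytes]:
    """Derive a 32-byte key; return (salt, iterations, key) for storage.

    The count is stored next to the salt so that it can be raised for
    new records on faster hardware while old records still verify.
    """
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    return salt, iterations, key


if __name__ == "__main__":
    n = calibrate_iterations(0.1)
    salt, n, key = derive(b"constructed sample password", n)
    print(f"iterations={n}, one derivation took "
          f"{time_pbkdf2(b'constructed sample password', salt, n):.3f}s")
```

   Re-running the calibration on faster hardware yields a larger count
   for the same time budget, which is the adjustment the paragraph
   above relies on.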
