The scrypt Password-Based Key Derivation Function
draft-josefsson-scrypt-kdf-05

Document Type: Active Internet-Draft (individual)
Last updated: 2016-05-20 (latest revision 2016-05-18)
Stream: IETF
Intended RFC status: Informational
Stream WG state: (None)
Document shepherd: Rich Salz
Shepherd write-up: last changed 2015-07-04
IESG state: RFC Ed Queue
Consensus: Yes
Responsible AD: Stephen Farrell
Send notices to: (None)
IANA review state: Version Changed - Review Needed
IANA action state: No IC
RFC Editor state: EDIT

Network Working Group                                        C. Percival
Internet-Draft                                                   Tarsnap
Intended status: Informational                              S. Josefsson
Expires: November 19, 2016                                        SJD AB
                                                            May 18, 2016

           The scrypt Password-Based Key Derivation Function
                     draft-josefsson-scrypt-kdf-05

Abstract

   This document specifies the password-based key derivation function
   scrypt.  The function derives one or more secret keys from a secret
   string.  It is based on memory-hard functions which offer added
   protection against attacks using custom hardware.  The document also
   provides an ASN.1 schema.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 19, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Scrypt Parameters
   3.  The Salsa20/8 Core Function
   4.  The scryptBlockMix Algorithm
   5.  The scryptROMix Algorithm
   6.  The scrypt Algorithm
   7.  ASN.1 Syntax
     7.1.  ASN.1 Module
   8.  Test Vectors for Salsa20/8 Core
   9.  Test Vectors for scryptBlockMix
   10. Test Vectors for scryptROMix
   11. Test Vectors for PBKDF2 with HMAC-SHA-256
   12. Test Vectors for scrypt
   13. Test Vectors for PKCS#8
   14. Copying Conditions
   15. Acknowledgements
   16. IANA Considerations
   17. Security Considerations
   18. References
     18.1.  Normative References
     18.2.  Informative References
   Authors' Addresses

1.  Introduction

   Password-based key derivation functions are used in cryptography and
   security protocols for deriving one or more secret keys from a secret
   value.  Over the years, several password-based key derivation
   functions have been used, including the original DES-based UNIX
   Crypt-function, FreeBSD MD5 crypt, PKCS#5 PBKDF2 [RFC2898] (typically
   used with SHA-1), GNU SHA-256/512 crypt [SHA2CRYPT], Windows NT LAN
   Manager (NTLM) [NTLM] hash, and the Blowfish-based bcrypt [BCRYPT].
   These algorithms are all based on a cryptographic primitive combined
   with salting and/or iteration.  The iteration count is used to slow
   down the computation, and the salt is used to make pre-computation
   costlier.
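
   The following is an added example, not code from this draft or its
   authors. It writes out PBKDF2 [RFC2898] with HMAC-SHA-256 (the variant
   the draft lists test vectors for) to show exactly where the salt and
   the iteration count enter the computation. The function and variable
   names and the sample password and salts are assumptions made for the
   illustration.

```python
import hashlib
import hmac
import struct


def pbkdf2_hmac_sha256(password: bytes, salt: bytes,
                       iterations: int, dk_len: int) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA-256 as the PRF, step by step."""
    if iterations < 1 or dk_len < 1:
        raise ValueError("iterations and dk_len must be positive")
    h_len = hashlib.sha256().digest_size
    # Key the HMAC once; copy() reuses the keyed state for each PRF call.
    keyed = hmac.new(password, digestmod=hashlib.sha256)

    def prf(data: bytes) -> bytes:
        mac = keyed.copy()
        mac.update(data)
        return mac.digest()

    blocks = []
    n_blocks = -(-dk_len // h_len)  # ceil(dk_len / h_len)
    for i in range(1, n_blocks + 1):
        # The salt enters only here: U_1 = PRF(P, salt || INT(i)).
        # A table precomputed for one salt is useless for another.
        u = prf(salt + struct.pack(">I", i))
        t = int.from_bytes(u, "big")
        # Each further iteration is one more PRF call that depends on the
        # previous output, so the work per guess grows with the count.
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        blocks.append(t.to_bytes(h_len, "big"))
    return b"".join(blocks)[:dk_len]


def demo() -> dict:
    password = b"correct horse"            # constructed sample input
    salt_a, salt_b = b"salt-A", b"salt-B"  # constructed sample salts
    ours = pbkdf2_hmac_sha256(password, salt_a, 1000, 40)
    reference = hashlib.pbkdf2_hmac("sha256", password, salt_a, 1000, 40)
    other = pbkdf2_hmac_sha256(password, salt_b, 1000, 40)
    return {"matches_stdlib": ours == reference,
            "salt_changes_key": ours != other}


if __name__ == "__main__":
    print(demo())
```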

   All password-based key derivation functions mentioned above share the