The scrypt Password-Based Key Derivation Function
RFC 7914
Document | Type |
RFC - Informational
(August 2016; Errata)
Was draft-josefsson-scrypt-kdf (individual)
|
|
---|---|---|---|
Authors | Colin Percival , Simon Josefsson | ||
Last updated | 2020-01-21 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Reviews | |||
Stream | WG state | (None) | |
Document shepherd | Rich Salz | ||
Shepherd write-up | Show (last changed 2015-07-04) | ||
IESG | IESG state | RFC 7914 (Informational) | |
Consensus Boilerplate | Yes | ||
Telechat date | |||
Responsible AD | Stephen Farrell | ||
Send notices to | (None) | ||
IANA | IANA review state | Version Changed - Review Needed | |
IANA action state | No IANA Actions |
Internet Engineering Task Force (IETF) C. Percival Request for Comments: 7914 Tarsnap Category: Informational S. Josefsson ISSN: 2070-1721 SJD AB August 2016 The scrypt Password-Based Key Derivation Function Abstract This document specifies the password-based key derivation function scrypt. The function derives one or more secret keys from a secret string. It is based on memory-hard functions, which offer added protection against attacks using custom hardware. The document also provides an ASN.1 schema. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7914. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Percival & Josefsson Informational [Page 1] RFC 7914 scrypt PBKDF August 2016 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. scrypt Parameters . . . . . . . . . . . . . . . . . . . . . . 3 3. The Salsa20/8 Core Function . . . . . . . . . . . . . . . . . 4 4. The scryptBlockMix Algorithm . . . . . . . . . . . . . . . . 5 5. The scryptROMix Algorithm . . . . . . . . . . . . . . . . . . 6 6. The scrypt Algorithm . . . . . . . . . . . . . . . . . . . . 7 7. ASN.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . 8 7.1. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . 9 8. Test Vectors for Salsa20/8 Core . . . . . . . . . . . . . . . 9 9. Test Vectors for scryptBlockMix . . . . . . . . . . . . . . . 10 10. Test Vectors for scryptROMix . . . . . . . . . . . . . . . . 11 11. Test Vectors for PBKDF2 with HMAC-SHA-256 . . . . . . . . . . 12 12. Test Vectors for scrypt . . . . . . . . . . . . . . . . . . . 13 13. Test Vectors for PKCS#8 . . . . . . . . . . . . . . . . . . . 14 14. Security Considerations . . . . . . . . . . . . . . . . . . . 14 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 15.1. Normative References . . . . . . . . . . . . . . . . . . 15 15.2. Informative References . . . . . . . . . . . . . . . . . 15 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 1. Introduction Password-based key derivation functions are used in cryptography and security protocols for deriving one or more secret keys from a secret value. Over the years, several password-based key derivation functions have been used, including the original DES-based UNIX Crypt-function, FreeBSD MD5 crypt, Public-Key Cryptography Standards#5 (PKCS#5) PBKDF2 [RFC2898] (typically used with SHA-1), GNU SHA-256/512 crypt [SHA2CRYPT], Windows NT LAN Manager (NTLM) [NTLM] hash, and the Blowfish-based bcrypt [BCRYPT]. These algorithms are all based on a cryptographic primitive combined with salting and/or iteration. The iteration count is used to slow down the computation, and the salt is used to make pre-computation costlier. All password-based key derivation functions mentioned above share the same weakness against powerful attackers. Provided that the number of iterations used is increased as computer systems get faster, this allows legitimate users to spend a constant amount of time on key derivation without losing ground to attackers' ever-increasing computing power -- as long as attackers are limited to the same software implementations as legitimate users. While parallelizedShow full document text