The scrypt Password-Based Key Derivation Function
RFC 7914

Document type: RFC - Informational (August 2016; No errata)
Last updated: 2016-08-17
Stream: IETF
WG state: (None)
Document shepherd: Rich Salz
Shepherd write-up: last changed 2015-07-04
IESG state: RFC 7914 (Informational)
Consensus boilerplate: Yes
Responsible AD: Stephen Farrell
Send notices to: (None)
IANA review state: Version Changed - Review Needed
IANA action state: No IC

Internet Engineering Task Force (IETF)                       C. Percival
Request for Comments: 7914                                       Tarsnap
Category: Informational                                     S. Josefsson
ISSN: 2070-1721                                                   SJD AB
                                                             August 2016

           The scrypt Password-Based Key Derivation Function

Abstract

   This document specifies the password-based key derivation function
   scrypt.  The function derives one or more secret keys from a secret
   string.  It is based on memory-hard functions, which offer added
   protection against attacks using custom hardware.  The document also
   provides an ASN.1 schema.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7914.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Percival & Josefsson          Informational                     [Page 1]
RFC 7914                      scrypt PBKDF                   August 2016

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  scrypt Parameters . . . . . . . . . . . . . . . . . . . . . .   3
   3.  The Salsa20/8 Core Function . . . . . . . . . . . . . . . . .   4
   4.  The scryptBlockMix Algorithm  . . . . . . . . . . . . . . . .   5
   5.  The scryptROMix Algorithm . . . . . . . . . . . . . . . . . .   6
   6.  The scrypt Algorithm  . . . . . . . . . . . . . . . . . . . .   7
   7.  ASN.1 Syntax  . . . . . . . . . . . . . . . . . . . . . . . .   8
     7.1.  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . . .   9
   8.  Test Vectors for Salsa20/8 Core . . . . . . . . . . . . . . .   9
   9.  Test Vectors for scryptBlockMix . . . . . . . . . . . . . . .  10
   10. Test Vectors for scryptROMix  . . . . . . . . . . . . . . . .  11
   11. Test Vectors for PBKDF2 with HMAC-SHA-256 . . . . . . . . . .  12
   12. Test Vectors for scrypt . . . . . . . . . . . . . . . . . . .  13
   13. Test Vectors for PKCS#8 . . . . . . . . . . . . . . . . . . .  14
   14. Security Considerations . . . . . . . . . . . . . . . . . . .  14
   15. References  . . . . . . . . . . . . . . . . . . . . . . . . .  15
     15.1.  Normative References . . . . . . . . . . . . . . . . . .  15
     15.2.  Informative References . . . . . . . . . . . . . . . . .  15
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  16
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  16

1.  Introduction

   Password-based key derivation functions are used in cryptography and
   security protocols for deriving one or more secret keys from a secret
   value.  Over the years, several password-based key derivation
   functions have been used, including the original DES-based UNIX
   Crypt-function, FreeBSD MD5 crypt, Public-Key Cryptography
   Standards#5 (PKCS#5) PBKDF2 [RFC2898] (typically used with SHA-1),
   GNU SHA-256/512 crypt [SHA2CRYPT], Windows NT LAN Manager (NTLM)
   [NTLM] hash, and the Blowfish-based bcrypt [BCRYPT].  These
   algorithms are all based on a cryptographic primitive combined with
   salting and/or iteration.  The iteration count is used to slow down
   the computation, and the salt is used to make pre-computation
   costlier.
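
   The salt-and-cost idea described above, together with the abstract's
   "one or more secret keys from a secret string", as an added example
   that is not part of the RFC text.  It uses Python's hashlib; the
   function names, the cost settings, and the "verify" label are
   assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed cost settings for this example only; tune them for your hardware.
# scrypt's working memory is about 128 * N * r bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def derive_keys(password, salt):
    """Derive two 32-byte keys from one secret string with a single scrypt call."""
    okm = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, maxmem=64 * 1024 * 1024, dklen=64)
    return okm[:32], okm[32:]  # (encryption key, MAC key)


def pbkdf2_key(password, salt, iterations):
    """Iteration-only derivation (PBKDF2-HMAC-SHA-256) for comparison."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def new_record(password):
    """Build what a verifier stores: a random salt and a check tag, never the password."""
    salt = os.urandom(16)  # fresh per password, so precomputed tables do not carry over
    _, mac_key = derive_keys(password, salt)
    check = hmac.new(mac_key, b"verify", "sha256").digest()
    return {"salt": salt, "check": check}


def verify(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    _, mac_key = derive_keys(password, record["salt"])
    tag = hmac.new(mac_key, b"verify", "sha256").digest()
    return hmac.compare_digest(tag, record["check"])


if __name__ == "__main__":
    rec = new_record(b"correct horse battery staple")  # constructed sample input
    print("right password:", verify(b"correct horse battery staple", rec))
    print("wrong password:", verify(b"Tr0ub4dor&3", rec))
    # Same password under two salts gives unrelated keys.
    a = derive_keys(b"hunter2", b"\x00" * 16)
    b = derive_keys(b"hunter2", b"\x01" * 16)
    print("salts give distinct keys:", a != b)
```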

   All password-based key derivation functions mentioned above share the
   same weakness against powerful attackers.  Provided that the number
   of iterations used is increased as computer systems get faster, this
   allows legitimate users to spend a constant amount of time on key