The scrypt Password-Based Key Derivation Function
RFC 7914
| Document | Type |
RFC - Informational
(August 2016; Errata)
Was draft-josefsson-scrypt-kdf (individual)
|
|
|---|---|---|---|
| Last updated | 2019-10-09 | ||
| Stream | IETF | ||
| Formats | plain text pdf htmlized with errata bibtex | ||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | Rich Salz | ||
| Shepherd write-up | Show (last changed 2015-07-04) | ||
| IESG | IESG state | RFC 7914 (Informational) | |
| Consensus Boilerplate | Yes | ||
| Telechat date | |||
| Responsible AD | Stephen Farrell | ||
| Send notices to | (None) | ||
| IANA | IANA review state | Version Changed - Review Needed | |
| IANA action state | No IANA Actions | ||
Internet Engineering Task Force (IETF) C. Percival
Request for Comments: 7914 Tarsnap
Category: Informational S. Josefsson
ISSN: 2070-1721 SJD AB
August 2016
The scrypt Password-Based Key Derivation Function
Abstract
This document specifies the password-based key derivation function
scrypt. The function derives one or more secret keys from a secret
string. It is based on memory-hard functions, which offer added
protection against attacks using custom hardware. The document also
provides an ASN.1 schema.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7914.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Percival & Josefsson Informational [Page 1]
RFC 7914 scrypt PBKDF August 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. scrypt Parameters . . . . . . . . . . . . . . . . . . . . . . 3
3. The Salsa20/8 Core Function . . . . . . . . . . . . . . . . . 4
4. The scryptBlockMix Algorithm . . . . . . . . . . . . . . . . 5
5. The scryptROMix Algorithm . . . . . . . . . . . . . . . . . . 6
6. The scrypt Algorithm . . . . . . . . . . . . . . . . . . . . 7
7. ASN.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . 8
7.1. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . 9
8. Test Vectors for Salsa20/8 Core . . . . . . . . . . . . . . . 9
9. Test Vectors for scryptBlockMix . . . . . . . . . . . . . . . 10
10. Test Vectors for scryptROMix . . . . . . . . . . . . . . . . 11
11. Test Vectors for PBKDF2 with HMAC-SHA-256 . . . . . . . . . . 12
12. Test Vectors for scrypt . . . . . . . . . . . . . . . . . . . 13
13. Test Vectors for PKCS#8 . . . . . . . . . . . . . . . . . . . 14
14. Security Considerations . . . . . . . . . . . . . . . . . . . 14
15. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
15.1. Normative References . . . . . . . . . . . . . . . . . . 15
15.2. Informative References . . . . . . . . . . . . . . . . . 15
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
Password-based key derivation functions are used in cryptography and
security protocols for deriving one or more secret keys from a secret
value. Over the years, several password-based key derivation
functions have been used, including the original DES-based UNIX
Crypt-function, FreeBSD MD5 crypt, Public-Key Cryptography
Standards#5 (PKCS#5) PBKDF2 [RFC2898] (typically used with SHA-1),
GNU SHA-256/512 crypt [SHA2CRYPT], Windows NT LAN Manager (NTLM)
[NTLM] hash, and the Blowfish-based bcrypt [BCRYPT]. These
algorithms are all based on a cryptographic primitive combined with
salting and/or iteration. The iteration count is used to slow down
the computation, and the salt is used to make pre-computation
costlier.
All password-based key derivation functions mentioned above share the
same weakness against powerful attackers. Provided that the number
of iterations used is increased as computer systems get faster, this
allows legitimate users to spend a constant amount of time on key
derivation without losing ground to attackers' ever-increasing
computing power -- as long as attackers are limited to the same
software implementations as legitimate users. While parallelized
Show full document text