scrypt.pod 3.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115
  1. =pod
  2. =head1 NAME
  3. scrypt - EVP_PKEY scrypt KDF support
  4. =head1 DESCRIPTION
  5. The EVP_PKEY_SCRYPT algorithm implements the scrypt password based key
  6. derivation function, as described in RFC 7914. It is memory-hard in the sense
  7. that it deliberately requires a significant amount of RAM for efficient
  8. computation. The intention of this is to render brute forcing of passwords on
  9. systems that lack large amounts of main memory (such as GPUs or ASICs)
  10. computationally infeasible.
  11. scrypt provides three work factors that can be customized: N, r and p. N, which
  12. has to be a positive power of two, is the general work factor and scales CPU
  13. time in an approximately linear fashion. r is the block size of the internally
  14. used hash function and p is the parallelization factor. Both r and p need to be
  15. greater than zero. The amount of RAM that scrypt requires for its computation
  16. is roughly (128 * N * r * p) bytes.
  17. In the original paper of Colin Percival ("Stronger Key Derivation via
  18. Sequential Memory-Hard Functions", 2009), the suggested values that give a
  19. computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N =
  20. 2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for
  21. this computation is roughly 1 GiB. On a more recent CPU (Intel i7-5930K at 3.5
  22. GHz), this computation takes about 3 seconds. When N, r or p are not specified,
  23. they default to 1048576, 8, and 1, respectively. The default amount of RAM that
  24. may be used by scrypt defaults to 1025 MiB.
  25. =head1 NOTES
  26. A context for scrypt can be obtained by calling:
  27. EVP_PKEY_CTX *pctx = EVP_PKEY_new_id(EVP_PKEY_SCRYPT, NULL);
  28. The output length of an scrypt key derivation is specified via the
  29. length parameter to the L<EVP_PKEY_derive(3)> function.
  30. =head1 EXAMPLE
  31. This example derives a 64-byte long test vector using scrypt using the password
  32. "password", salt "NaCl" and N = 1024, r = 8, p = 16.
  33. EVP_PKEY_CTX *pctx;
  34. unsigned char out[64];
  35. size_t outlen = sizeof(out);
  36. pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);
  37. if (EVP_PKEY_derive_init(pctx) <= 0) {
  38. error("EVP_PKEY_derive_init");
  39. }
  40. if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0) {
  41. error("EVP_PKEY_CTX_set1_pbe_pass");
  42. }
  43. if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0) {
  44. error("EVP_PKEY_CTX_set1_scrypt_salt");
  45. }
  46. if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0) {
  47. error("EVP_PKEY_CTX_set_scrypt_N");
  48. }
  49. if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0) {
  50. error("EVP_PKEY_CTX_set_scrypt_r");
  51. }
  52. if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0) {
  53. error("EVP_PKEY_CTX_set_scrypt_p");
  54. }
  55. if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
  56. error("EVP_PKEY_derive");
  57. }
  58. {
  59. const unsigned char expected[sizeof(out)] = {
  60. 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
  61. 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
  62. 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
  63. 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
  64. 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
  65. 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
  66. 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
  67. 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
  68. };
  69. assert(!memcmp(out, expected, sizeof(out)));
  70. }
  71. EVP_PKEY_CTX_free(pctx);
  72. =head1 CONFORMING TO
  73. RFC 7914
  74. =head1 SEE ALSO
  75. L<EVP_PKEY_CTX_set1_scrypt_salt(3)>,
  76. L<EVP_PKEY_CTX_set_scrypt_N(3)>,
  77. L<EVP_PKEY_CTX_set_scrypt_r(3)>,
  78. L<EVP_PKEY_CTX_set_scrypt_p(3)>,
  79. L<EVP_PKEY_CTX_set_scrypt_maxmem_bytes(3)>,
  80. L<EVP_PKEY_CTX_new(3)>,
  81. L<EVP_PKEY_CTX_ctrl_str(3)>,
  82. L<EVP_PKEY_derive(3)>
  83. =head1 COPYRIGHT
  84. Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
  85. Licensed under the OpenSSL license (the "License"). You may not use
  86. this file except in compliance with the License. You can obtain a copy
  87. in the file LICENSE in the source distribution or at
  88. L<https://www.openssl.org/source/license.html>.
  89. =cut