[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

scrypt encryption utility - choice of IV/nonce (and command line interface)

To: scrypt@tarsnap.com
Subject: scrypt encryption utility - choice of IV/nonce (and command line interface)
From: "Derek (Tarsnap)" <50afda99@razorfever.net>
Date: Fri, 23 Nov 2012 16:16:08 -0500

Hi everyone!

Just looking through the source of the scrypt utility.

I'd like to understand why a constant (0) was chosen for thenonce for AES CTR mode. I understand that since the key we'reusing has an extremely low chance of ever being used twice (dueto pre-salting), and that the output of AES CTR is key-dependant,it would not really be a problem.

Would there be any harm in using say, the first 8 bytes of theheader HMAC, or the last 8-bytes of the derived key, instead of aconstant?

At best, this would incorporate some of the non-used key materialinto the output of the AES CTR (strengthening it?).

At worst, it wouldn't make things any better. (Is there adrawback that I'm not seeing, that this would cause?)

You'd need to increment the file version, but otherwise the fileformat could remain unchanged.


Any interest in a patch for this?

A side note, I'd like to make the utility a little morecommand-line friendly, especially respect with pipes. Anyinterest in seeing a patch that has "-" as a valid infile, andperhaps -k keyfile for specifying a file containing the password?


Thanks!
- Derek

Follow-Ups:
- Re: scrypt encryption utility - choice of IV/nonce (and command line interface)
  - From: Colin Percival <cperciva@tarsnap.com>

Prev by Date: Re: scrypt Integerify
Next by Date: Re: scrypt encryption utility - choice of IV/nonce (and command line interface)
Previous by thread: scrypt Integerify
Next by thread: Re: scrypt encryption utility - choice of IV/nonce (and command line interface)
Index(es):
- Date
- Thread