
Scrypt questions



Dear All

I am porting scrypt to nodejs. Actually, the port is mostly done (see ), what I did was "copy" the Python port. But I have run into some questions that need answering:

Question 1

Regarding the C scrypt implementation, after the decrypt call regenerates the key and compares it against the hmac, it will reject everything right there if your password is wrong - but if it's right, it'll proceed to also decrypt the data package.

Is the above statement correct? If so, this is doing a lot of extra work the attacker won't have to perform - they don't even have to derive 64 bytes, just the 32 needed to check the signature. Therefore should one ignore the decrypt implementation in the C implementation?

Question 2

the decrypt utility's "max time" limitation is wrong for password hashing - each time decrypt is called, it estimates your system's speed, and does some "guessing" as to whether it can calculate the key within max time - which is more overhead your attacker doesn't have to do, but also means it could start rejecting passwords under heavy load.

Can someone with knowledge please comment on the above quote? This is a serious problem if passwords are rejected under heavy load.

Question 3

I realise that it is a security flaw for key derivation functions to work quickly, but that must also be balanced with an acceptable throughput for any application that it will be used for. Does someone have any stats for the throughput of scrypt? And could it conceivably be used for a large company (let's think Google or Amazon) without it slowing down the authentication process too much?

Thanks in advance for the answers to these questions
Barry