[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Canonical way to invoke the KDF?
On 11/15/13 08:09, Laurens Van Houtven wrote:
> I'm e-mailing this on behalf of PyCA. We're a group of Python hackers trying to
> improve the state of cryptographic libraries in Python, and trying to provide
> APIs that people can't get wrong. (The current state is that some of the
> libraries aren't great, and the APIs are way too low level.)
>
> I was wondering if the canonical way to use scrypt as a KDF, particularly for
> purposes of password storage) is documented anywhere. The big implementation
> right now for Python suggests writing one using enc/dec functions (so the file
> encryption thing that is included in the tarball as a demo), but that seems kind
> of orthogonal to the actual key derivation part :)
You want to call crypto_scrypt. The rest of the code might be useful for
figuring out what parameters to provide (for N in particular), but you might
get away with just picking reasonable fixed values and planning on bumping
them every few years.
/**
* crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
* Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
* p, buflen) and write the result into buf. The parameters r, p, and buflen
* must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N
* must be a power of 2 greater than 1.
*
* Return 0 on success; or -1 on error.
*/
int crypto_scrypt(const uint8_t *, size_t, const uint8_t *, size_t, uint64_t,
uint32_t, uint32_t, uint8_t *, size_t);
--
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid