
Re: Canonical way to invoke the KDF?



On 11/15/13 08:09, Laurens Van Houtven wrote:
> I'm e-mailing this on behalf of PyCA. We're a group of Python hackers trying to
> improve the state of cryptographic libraries in Python, and trying to provide
> APIs that people can't get wrong. (The current state is that some of the
> libraries aren't great, and the APIs are way too low level.)
> 
> I was wondering if the canonical way to use scrypt as a KDF (particularly for
> purposes of password storage) is documented anywhere. The big implementation
> right now for Python suggests writing one using enc/dec functions (so the file
> encryption thing that is included in the tarball as a demo), but that seems kind
> of orthogonal to the actual key derivation part :)

You want to call crypto_scrypt.  The rest of the code might be useful for
figuring out what parameters to provide (for N in particular), but you might
get away with just picking reasonable fixed values and planning on bumping
them every few years.

/**
 * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
 * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
 * p, buflen) and write the result into buf.  The parameters r, p, and buflen
 * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
 * must be a power of 2 greater than 1.
 *
 * Return 0 on success; or -1 on error.
 */
int crypto_scrypt(const uint8_t *, size_t, const uint8_t *, size_t, uint64_t,
    uint32_t, uint32_t, uint8_t *, size_t);

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
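
Added example, not part of the original message and not Tarsnap or PyCA code: password storage built directly on the KDF, with fixed N, r, p stored next to each hash so the values can be bumped later as the reply suggests. It uses Python's hashlib.scrypt rather than crypto_scrypt itself; the parameter values, the record format and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumed policy for this example; the post names no specific values.
CURRENT = {"n": 2**14, "r": 8, "p": 1}
DKLEN = 32  # bytes of derived key to store (buflen in crypto_scrypt)


def derive(password: bytes, salt: bytes, n: int, r: int, p: int) -> bytes:
    # Constraints from the crypto_scrypt header comment quoted above;
    # the positivity check on r and p is this example's addition.
    if n < 2 or n & (n - 1):
        raise ValueError("N must be a power of 2 greater than 1")
    if r < 1 or p < 1 or r * p >= 2**30:
        raise ValueError("r and p must be positive with r * p < 2^30")
    # OpenSSL refuses to run above maxmem, so size it from the parameters.
    maxmem = 128 * r * (n + p + 2) + 4096
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=maxmem, dklen=DKLEN)


def hash_password(password: str, params: dict = CURRENT) -> str:
    """Return a record 'scrypt$N$r$p$salt$key' (hypothetical storage format)."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    key = derive(password.encode(), salt, **params)
    fields = ["scrypt", params["n"], params["r"], params["p"],
              salt.hex(), key.hex()]
    return "$".join(str(f) for f in fields)


def verify_password(password: str, record: str, policy: dict = CURRENT):
    """Return (ok, needs_rehash); needs_rehash is set when the password is
    correct but the record's parameters differ from the current policy."""
    tag, n, r, p, salt_hex, key_hex = record.split("$")
    if tag != "scrypt":
        raise ValueError("not an scrypt record")
    stored = {"n": int(n), "r": int(r), "p": int(p)}
    # Re-derive with the parameters the record was created with.
    key = derive(password.encode(), bytes.fromhex(salt_hex), **stored)
    ok = hmac.compare_digest(key, bytes.fromhex(key_hex))  # constant time
    return ok, ok and stored != policy
```

When verify_password returns needs_rehash, call hash_password again with the plaintext just supplied and replace the stored record.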