[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Canonical way to invoke the KDF?

To: Colin Percival <cperciva@tarsnap.com>
Subject: Re: Canonical way to invoke the KDF?
From: Ron Garret <ron@flownet.com>
Date: Fri, 15 Nov 2013 16:09:24 -0800
Cc: Laurens Van Houtven <_@lvh.cc>, scrypt@tarsnap.com
In-reply-to: <5286A858.3060906@tarsnap.com>
References: <CAE_Hg6Zcj_XxkTTwdnXf_pufXymn_td33vkEXoA+iAssjpOMEg@mail.gmail.com> <5286A858.3060906@tarsnap.com>

Since we’re on this topic, I have a question/suggestion:

>The parameter N must be a power of 2 greater than 1.

It seems to me that it would be better to specify that the input parameter n should simply be a positive integer and have the computation of N=2^n be part of the scrypt algorithm.  Is there a reason you didn’t do it that way?

rg


On Nov 15, 2013, at 3:03 PM, Colin Percival <cperciva@tarsnap.com> wrote:

> On 11/15/13 08:09, Laurens Van Houtven wrote:
>> I'm e-mailing this on behalf of PyCA. We're a group of Python hackers trying to
>> improve the state of cryptographic libraries in Python, and trying to provide
>> APIs that people can't get wrong. (The current state is that some of the
>> libraries aren't great, and the APIs are way too low level.)
>> 
>> I was wondering if the canonical way to use scrypt as a KDF, particularly for
>> purposes of password storage) is documented anywhere. The big implementation
>> right now for Python suggests writing one using enc/dec functions (so the file
>> encryption thing that is included in the tarball as a demo), but that seems kind
>> of orthogonal to the actual key derivation part :)
> 
> You want to call crypto_scrypt.  The rest of the code might be useful for
> figuring out what parameters to provide (for N in particular), but you might
> get away with just picking reasonable fixed values and planning on bumping
> them every few years.
> 
> /**
> * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
> * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
> * p, buflen) and write the result into buf.  The parameters r, p, and buflen
> * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
> * must be a power of 2 greater than 1.
> *
> * Return 0 on success; or -1 on error.
> */
> int crypto_scrypt(const uint8_t *, size_t, const uint8_t *, size_t, uint64_t,
>    uint32_t, uint32_t, uint8_t *, size_t);
> 
> -- 
> Colin Percival
> Security Officer Emeritus, FreeBSD | The power to serve
> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
>

Follow-Ups:
- Re: Canonical way to invoke the KDF?
  - From: Colin Percival <cperciva@tarsnap.com>

References:
- Canonical way to invoke the KDF?
  - From: Laurens Van Houtven <_@lvh.cc>
- Re: Canonical way to invoke the KDF?
  - From: Colin Percival <cperciva@tarsnap.com>

Prev by Date: Re: Canonical way to invoke the KDF?
Next by Date: Re: Canonical way to invoke the KDF?
Previous by thread: Re: Canonical way to invoke the KDF?
Next by thread: Re: Canonical way to invoke the KDF?
Index(es):
- Date
- Thread