=pod

=head1 NAME

scrypt - EVP_PKEY scrypt KDF support

=head1 DESCRIPTION

The EVP_PKEY_SCRYPT algorithm implements the scrypt password-based key
derivation function, as described in RFC 7914. It is memory-hard in the sense
that it deliberately requires a significant amount of RAM for efficient
computation. The intention of this is to render brute forcing of passwords on
systems that lack large amounts of main memory (such as GPUs or ASICs)
computationally infeasible.

scrypt provides three work factors that can be customized: N, r and p. N, which
has to be a positive power of two, is the general work factor and scales CPU
time in an approximately linear fashion. r is the block size of the internally
used hash function and p is the parallelization factor. Both r and p need to be
greater than zero. The amount of RAM that scrypt requires for its computation
is roughly (128 * N * r * p) bytes.

In the original paper by Colin Percival ("Stronger Key Derivation via
Sequential Memory-Hard Functions", 2009), the suggested values that give a
computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N =
2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for
this computation is roughly 1 GiB. On a more recent CPU (Intel i7-5930K at 3.5
GHz), this computation takes about 3 seconds. When N, r or p are not specified,
they default to 1048576, 8, and 1, respectively. The amount of RAM that scrypt
may use defaults to 1025 MiB.

=head1 NOTES

A context for scrypt can be obtained by calling:

 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);

The output length of an scrypt key derivation is specified via the
length parameter to the L<EVP_PKEY_derive(3)> function.

=head1 EXAMPLES

This example derives a 64-byte test vector with scrypt, using the password
"password", salt "NaCl" and N = 1024, r = 8, p = 16.

 EVP_PKEY_CTX *pctx;
 unsigned char out[64];

 size_t outlen = sizeof(out);
 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);

 if (EVP_PKEY_derive_init(pctx) <= 0) {
     error("EVP_PKEY_derive_init");
 }
 if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0) {
     error("EVP_PKEY_CTX_set1_pbe_pass");
 }
 if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0) {
     error("EVP_PKEY_CTX_set1_scrypt_salt");
 }
 if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0) {
     error("EVP_PKEY_CTX_set_scrypt_N");
 }
 if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0) {
     error("EVP_PKEY_CTX_set_scrypt_r");
 }
 if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0) {
     error("EVP_PKEY_CTX_set_scrypt_p");
 }
 if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
     error("EVP_PKEY_derive");
 }

 {
     const unsigned char expected[sizeof(out)] = {
         0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
         0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
         0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
         0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
         0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
         0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
         0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
         0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
     };

     assert(!memcmp(out, expected, sizeof(out)));
 }

 EVP_PKEY_CTX_free(pctx);

=head1 CONFORMING TO

RFC 7914

=head1 SEE ALSO

L<EVP_PKEY_CTX_set1_scrypt_salt(3)>,
L<EVP_PKEY_CTX_set_scrypt_N(3)>,
L<EVP_PKEY_CTX_set_scrypt_r(3)>,
L<EVP_PKEY_CTX_set_scrypt_p(3)>,
L<EVP_PKEY_CTX_set_scrypt_maxmem_bytes(3)>,
L<EVP_PKEY_CTX_new(3)>,
L<EVP_PKEY_CTX_ctrl_str(3)>,
L<EVP_PKEY_derive(3)>

=head1 COPYRIGHT

Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
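=pod

The work-factor rules and the memory estimate from DESCRIPTION (roughly 128 * N * r * p bytes, checked against the 1025 MiB default limit) can be tested before a derivation is attempted. The following is an added example, not code from the original page or from OpenSSL; C<scrypt_preflight>, C<mul_u64> and the enum names are hypothetical, and the estimate is this page's rough formula rather than the library's internal check.

```c
#include <stdint.h>
#include <stdio.h>

/* Default scrypt memory limit stated on this page: 1025 MiB. */
#define SCRYPT_DEFAULT_MAXMEM (1025ULL * 1024 * 1024)

enum scrypt_check {
    SCRYPT_OK, SCRYPT_BAD_N, SCRYPT_BAD_RP, SCRYPT_OVERFLOW, SCRYPT_OVER_LIMIT
};

/* a * b into *out; returns 0 instead of wrapping on overflow. */
static int mul_u64(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hypothetical helper: checks N, r, p and the page's estimate of
 * 128 * N * r * p bytes against maxmem. *est receives the estimate. */
enum scrypt_check scrypt_preflight(uint64_t N, uint64_t r, uint64_t p,
                                   uint64_t maxmem, uint64_t *est)
{
    uint64_t bytes = 128;

    *est = 0;
    if (N < 2 || (N & (N - 1)) != 0)   /* RFC 7914: power of two, > 1 */
        return SCRYPT_BAD_N;
    if (r == 0 || p == 0)
        return SCRYPT_BAD_RP;
    if (!mul_u64(bytes, N, &bytes) || !mul_u64(bytes, r, &bytes)
        || !mul_u64(bytes, p, &bytes))
        return SCRYPT_OVERFLOW;
    *est = bytes;
    return bytes > maxmem ? SCRYPT_OVER_LIMIT : SCRYPT_OK;
}

int main(void)
{
    uint64_t est;
    /* The EXAMPLES parameters, then the defaults with p doubled. */
    int a = scrypt_preflight(1024, 8, 16, SCRYPT_DEFAULT_MAXMEM, &est);
    printf("N=1024 r=8 p=16: status %d, ~%llu MiB\n", a,
           (unsigned long long)(est >> 20));
    int b = scrypt_preflight(1048576, 8, 2, SCRYPT_DEFAULT_MAXMEM, &est);
    printf("N=2^20 r=8 p=2:  status %d, ~%llu MiB\n", b,
           (unsigned long long)(est >> 20));
    return 0;
}
```

When the estimate exceeds the limit, either lower the work factors or raise the limit with L<EVP_PKEY_CTX_set_scrypt_maxmem_bytes(3)>.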