1EVP_KDF_SCRYPT(7) OpenSSL EVP_KDF_SCRYPT(7)
2
3
4
6 EVP_KDF_SCRYPT - The scrypt EVP_KDF implementation
7
9 Support for computing the scrypt password-based KDF through the EVP_KDF
10 API.
11
12 The EVP_KDF_SCRYPT algorithm implements the scrypt password-based key
13 derivation function, as described in RFC 7914. It is memory-hard in
14 the sense that it deliberately requires a significant amount of RAM for
15 efficient computation. The intention of this is to render brute forcing
16 of passwords on systems that lack large amounts of main memory (such as
17 GPUs or ASICs) computationally infeasible.
18
19 scrypt provides three work factors that can be customized: N, r and p.
20 N, which has to be a positive power of two, is the general work factor
21 and scales CPU time in an approximately linear fashion. r is the block
22 size of the internally used hash function and p is the parallelization
23 factor. Both r and p need to be greater than zero. The amount of RAM
24 that scrypt requires for its computation is roughly (128 * N * r * p)
25 bytes.
26
27 In the original paper of Colin Percival ("Stronger Key Derivation via
28 Sequential Memory-Hard Functions", 2009), the suggested values that
29 give a computation time of less than 5 seconds on a 2.5 GHz Intel Core
30 2 Duo are N = 2^20 = 1048576, r = 8, p = 1. Consequently, the required
31 amount of memory for this computation is roughly 1 GiB. On a more
32 recent CPU (Intel i7-5930K at 3.5 GHz), this computation takes about 3
33 seconds. When N, r or p are not specified, they default to 1048576, 8,
34 and 1, respectively. The maximum amount of RAM that may be used by
35 scrypt defaults to 1025 MiB.
36
37 Numeric identity
38 EVP_KDF_SCRYPT is the numeric identity for this implementation; it can
39 be used with the EVP_KDF_CTX_new_id() function.
40
41 Supported controls
42 The supported controls are:
43
44 EVP_KDF_CTRL_SET_PASS
45 EVP_KDF_CTRL_SET_SALT
46 These controls work as described in "CONTROLS" in EVP_KDF_CTX(3).
47
48 EVP_KDF_CTRL_SET_SCRYPT_N
49 EVP_KDF_CTRL_SET_SCRYPT_R
50 EVP_KDF_CTRL_SET_SCRYPT_P
51 EVP_KDF_CTRL_SET_SCRYPT_N expects one argument: "uint64_t N"
52
53 EVP_KDF_CTRL_SET_SCRYPT_R expects one argument: "uint32_t r"
54
55 EVP_KDF_CTRL_SET_SCRYPT_P expects one argument: "uint32_t p"
56
57 These controls configure the scrypt work factors N, r and p.
58
59 EVP_KDF_ctrl_str() type strings: "N", "r" and "p", respectively.
60
61 The corresponding value strings are expected to be decimal numbers.
62
64 A context for scrypt can be obtained by calling:
65
66 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);
67
68 The output length of an scrypt key derivation is specified via the
69 keylen parameter to the EVP_KDF_derive(3) function.
70
72 This example derives a 64-byte long test vector using scrypt with the
73 password "password", salt "NaCl" and N = 1024, r = 8, p = 16.
74
75 EVP_KDF_CTX *kctx;
76 unsigned char out[64];
77
78 kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);
79
80 if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
81 error("EVP_KDF_CTRL_SET_PASS");
82 }
83 if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) {
84 error("EVP_KDF_CTRL_SET_SALT");
85 }
86 if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) {
87 error("EVP_KDF_CTRL_SET_SCRYPT_N");
88 }
89 if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) {
90 error("EVP_KDF_CTRL_SET_SCRYPT_R");
91 }
92 if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) {
93 error("EVP_KDF_CTRL_SET_SCRYPT_P");
94 }
95 if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
96 error("EVP_KDF_derive");
97 }
98
99 {
100 const unsigned char expected[sizeof(out)] = {
101 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
102 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
103 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
104 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
105 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
106 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
107 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
108 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
109 };
110
111 assert(!memcmp(out, expected, sizeof(out)));
112 }
113
114 EVP_KDF_CTX_free(kctx);
115
117 RFC 7914
118
120 EVP_KDF_CTX, EVP_KDF_CTX_new_id(3), EVP_KDF_CTX_free(3),
121 EVP_KDF_ctrl(3), EVP_KDF_derive(3), "CONTROLS" in EVP_KDF_CTX(3)
122
124 Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
125
126 Licensed under the OpenSSL license (the "License"). You may not use
127 this file except in compliance with the License. You can obtain a copy
128 in the file LICENSE in the source distribution or at
129 <https://www.openssl.org/source/license.html>.
130
131
132
1331.1.1l 2021-09-15 EVP_KDF_SCRYPT(7)