You are right - the scrypt functions those two links work with are from the scrypt file encryption utility, not the basic kdf. I was slowly working on a standalone scrypt-based password hash for Python, and I ran into this problem myself.
The scrypt file utility does the following: it selects scrypt n / r / p parameters specific to your system and to the "min time" parameter. Then it generates 32 bytes of salt and calls scrypt(n,r,p,salt,pwd) to create a 64-byte key. The binary string returned by the tool consists of: 1) a header containing the values of n, r, p and the salt encoded in binary format; 2) a sha256 checksum of the header; and 3) a signed copy of that checksum, an hmac-sha256 using the first 32 bytes of the key. After that, it uses the remaining 32 bytes of the key to AES-encrypt the input.
There are several consequences of this that I see:
1. The input is meaningless, since it doesn't actually affect the salt used, and enc() generates a new salt every time.
2. You cannot configure the n, r, p workload manually, or in any way other than the inconvenient min-time parameter. This is not unsafe, but it is a rather inconvenient way to control the work factor.
3. After the decrypt() call regenerates the key and compares it with the hmac, it will reject the whole thing if your password is incorrect, but if it is correct, it will also go on to decrypt the data packet. This is a lot of additional work that an attacker wouldn't need to do; they don't even need to derive 64 bytes, only the 32 needed to verify the signature. This problem doesn't make it unreliable, but doing work that your attacker doesn't have to is never desirable.
4. There is no way to adjust the salt size, the derived-key size, etc. The current values are not so bad, but still not ideal.
5. The "max time" decryption limit isn't right for password hashing: each time decrypt is called, it estimates the speed of your system and makes some guesses as to whether it can calculate the key within the max time. This is more overhead your attacker doesn't have to do (see No. 3), but it also means decryption can start rejecting passwords under heavy system load.
I'm not sure why Colin Percival didn't make the kdf code and parameter selection part of the public API, but it is explicitly marked "private" inside the source code and not even exported for bindings. That makes me hesitate to just access it directly without a lot of study.
In general, what's needed is a good hash format that can store the scrypt parameters, plus an implementation that exposes the underlying kdf algorithm and parameter selection. I am currently working on this for passlib, but it hasn't seen much attention :(
Bottom line, though: the instructions on that site are "fine"; I would just use an empty string as the contents of the file and be aware of the extra overhead and problems.
Eli Collins Dec 01 '12 at 20:17
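As an added illustration (not part of the answer above, and not passlib's or the scrypt utility's own code), here is the kind of direct-kdf approach the answer is asking for: explicit n/r/p, a caller-chosen salt size, a derived key only as long as verification needs (32 bytes, per point 3), and every parameter stored beside the digest so verification can recompute it without re-benchmarking the machine. The `$scrypt$ln=..,r=..,p=..$salt$key` string layout is an assumption made up for this example, loosely in the style of modular-crypt hashes, and `hashlib.scrypt` requires a Python built against OpenSSL 1.1+.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed hash-string layout (an assumption for this example, not passlib's
# or scrypt's own format):
#   $scrypt$ln=<log2 n>,r=<r>,p=<p>$<base64 salt>$<base64 derived key>
PREFIX = "$scrypt$"


def scrypt_hash(password: bytes, *, log_n: int = 14, r: int = 8, p: int = 1,
                salt: Optional[bytes] = None, salt_len: int = 16,
                dklen: int = 32) -> str:
    """Derive a key with explicit n/r/p and store every parameter with it."""
    if salt is None:
        salt = os.urandom(salt_len)          # fresh random salt per hash
    n = 1 << log_n                           # scrypt requires n to be a power of 2
    key = hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=dklen)
    return "%sln=%d,r=%d,p=%d$%s$%s" % (
        PREFIX, log_n, r, p,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def parse_scrypt_hash(hash_str: str) -> Dict[str, object]:
    """Recover n, r, p, salt and digest from the stored string."""
    if not hash_str.startswith(PREFIX):
        raise ValueError("not a scrypt hash string")
    params, salt_b64, key_b64 = hash_str[len(PREFIX):].split("$")
    kv = dict(item.split("=") for item in params.split(","))
    return {
        "n": 1 << int(kv["ln"]),
        "r": int(kv["r"]),
        "p": int(kv["p"]),
        "salt": base64.b64decode(salt_b64),
        "key": base64.b64decode(key_b64),
    }


def verify_scrypt(password: bytes, hash_str: str) -> bool:
    """Recompute only the stored key length and compare in constant time."""
    h = parse_scrypt_hash(hash_str)
    candidate = hashlib.scrypt(password, salt=h["salt"], n=h["n"],
                               r=h["r"], p=h["p"], dklen=len(h["key"]))
    return hmac.compare_digest(candidate, h["key"])


if __name__ == "__main__":
    stored = scrypt_hash(b"correct horse battery staple")
    print(stored)
    print("good password:", verify_scrypt(b"correct horse battery staple", stored))
    print("bad password: ", verify_scrypt(b"wrong", stored))
```

Because the work factor lives in the stored string, raising `log_n` later only affects new hashes; old ones still verify with the parameters they were created with, and no min-time or max-time estimation happens at verification time.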