Internet Engineering Task Force (IETF)                       C. Percival
Request for Comments: 7914                                       Tarsnap
Category: Informational                                     S. Josefsson
ISSN: 2070-1721                                                   SJD AB
                                                             August 2016
        

The scrypt Password-Based Key Derivation Function


Abstract


This document specifies the password-based key derivation function scrypt. The function derives one or more secret keys from a secret string. It is based on memory-hard functions, which offer added protection against attacks using custom hardware. The document also provides an ASN.1 schema.


Status of This Memo


This document is not an Internet Standards Track specification; it is published for informational purposes.


This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841.


Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7914.


Copyright Notice


Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.


This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents


   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  scrypt Parameters . . . . . . . . . . . . . . . . . . . . . .   3
   3.  The Salsa20/8 Core Function . . . . . . . . . . . . . . . . .   4
   4.  The scryptBlockMix Algorithm  . . . . . . . . . . . . . . . .   5
   5.  The scryptROMix Algorithm . . . . . . . . . . . . . . . . . .   6
   6.  The scrypt Algorithm  . . . . . . . . . . . . . . . . . . . .   7
   7.  ASN.1 Syntax  . . . . . . . . . . . . . . . . . . . . . . . .   8
     7.1.  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . . .   9
   8.  Test Vectors for Salsa20/8 Core . . . . . . . . . . . . . . .   9
   9.  Test Vectors for scryptBlockMix . . . . . . . . . . . . . . .  10
   10. Test Vectors for scryptROMix  . . . . . . . . . . . . . . . .  11
   11. Test Vectors for PBKDF2 with HMAC-SHA-256 . . . . . . . . . .  12
   12. Test Vectors for scrypt . . . . . . . . . . . . . . . . . . .  13
   13. Test Vectors for PKCS#8 . . . . . . . . . . . . . . . . . . .  14
   14. Security Considerations . . . . . . . . . . . . . . . . . . .  14
   15. References  . . . . . . . . . . . . . . . . . . . . . . . . .  15
     15.1.  Normative References . . . . . . . . . . . . . . . . . .  15
     15.2.  Informative References . . . . . . . . . . . . . . . . .  15
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  16
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  16
        
1. Introduction

Password-based key derivation functions are used in cryptography and security protocols for deriving one or more secret keys from a secret value. Over the years, several password-based key derivation functions have been used, including the original DES-based UNIX Crypt-function, FreeBSD MD5 crypt, Public-Key Cryptography Standards#5 (PKCS#5) PBKDF2 [RFC2898] (typically used with SHA-1), GNU SHA-256/512 crypt [SHA2CRYPT], Windows NT LAN Manager (NTLM) [NTLM] hash, and the Blowfish-based bcrypt [BCRYPT]. These algorithms are all based on a cryptographic primitive combined with salting and/or iteration. The iteration count is used to slow down the computation, and the salt is used to make pre-computation costlier.


All password-based key derivation functions mentioned above share the same weakness against powerful attackers. Provided that the number of iterations used is increased as computer systems get faster, this allows legitimate users to spend a constant amount of time on key derivation without losing ground to attackers' ever-increasing computing power -- as long as attackers are limited to the same software implementations as legitimate users. While parallelized hardware implementations may not change the number of operations performed compared to software implementations, this does not prevent them from dramatically changing the asymptotic cost, since in many contexts -- including the embarrassingly parallel task of performing a brute-force search for a passphrase -- dollar-seconds are the most appropriate units for measuring the cost of a computation. As semiconductor technology develops, circuits do not merely become faster; they also become smaller, allowing for a larger amount of parallelism at the same cost.


Consequently, with existing key derivation algorithms, even when the iteration count is increased so that the time taken to verify a password remains constant, the cost of finding a password by using a brute-force attack implemented in hardware drops each year.


The scrypt function aims to reduce the advantage that attackers can gain by using custom-designed parallel circuits for breaking password-based key derivation functions.


This document does not introduce scrypt for the first time. The original scrypt paper [SCRYPT] was published as a peer-reviewed scientific paper and contains further background and discussions.


The purpose of this document is to serve as a stable reference for documents making use of scrypt. The rest of this document is divided into sections that each describe parameter choices and algorithm steps needed for the final "scrypt" algorithm.


2. scrypt Parameters

The scrypt function takes several parameters. The passphrase P is typically a human-chosen password. The salt is normally uniquely and randomly generated [RFC4086]. The parameter r ("blockSize") specifies the block size. The CPU/Memory cost parameter N ("costParameter") must be larger than 1, a power of 2, and less than 2^(128 * r / 8). The parallelization parameter p ("parallelizationParameter") is a positive integer less than or equal to ((2^32-1) * 32) / (128 * r). The intended output length dkLen is the length in octets of the key to be derived ("keyLength"); it is a positive integer less than or equal to (2^32 - 1) * 32.


Users of scrypt can tune the parameters N, r, and p according to the amount of memory and computing power available, the latency-bandwidth product of the memory subsystem, and the amount of parallelism desired. At the current time, r=8 and p=1 appears to yield good results, but as memory latency and CPU parallelism increase, it is likely that the optimum values for both r and p will increase. Note also that since the computations of SMix are independent, a large value of p can be used to increase the computational cost of scrypt without increasing the memory usage; so we can expect scrypt to remain useful even if the growth rates of CPU power and memory capacity diverge.


3. The Salsa20/8 Core Function

Salsa20/8 Core is a round-reduced variant of the Salsa20 Core. It is a hash function from 64-octet strings to 64-octet strings. Note that Salsa20/8 Core is not a cryptographic hash function since it is not collision resistant. See Section 8 of [SALSA20SPEC] for its specification and [SALSA20CORE] for more information. The algorithm description, in C language, is included below as a stable reference, without endianness conversion and alignment.


   #include <stdint.h>
   typedef uint32_t uint32;   /* the RFC's "uint32": an unsigned 32-bit word */

   #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
   void salsa20_word_specification(uint32 out[16],uint32 in[16])
   {
     int i;
     uint32 x[16];
     for (i = 0;i < 16;++i) x[i] = in[i];
     /* 8 rounds: each pass of the loop is one column round (first four
        lines) followed by one row round (last four lines) */
     for (i = 8;i > 0;i -= 2) {
       x[ 4] ^= R(x[ 0]+x[12], 7);  x[ 8] ^= R(x[ 4]+x[ 0], 9);
       x[12] ^= R(x[ 8]+x[ 4],13);  x[ 0] ^= R(x[12]+x[ 8],18);
       x[ 9] ^= R(x[ 5]+x[ 1], 7);  x[13] ^= R(x[ 9]+x[ 5], 9);
       x[ 1] ^= R(x[13]+x[ 9],13);  x[ 5] ^= R(x[ 1]+x[13],18);
       x[14] ^= R(x[10]+x[ 6], 7);  x[ 2] ^= R(x[14]+x[10], 9);
       x[ 6] ^= R(x[ 2]+x[14],13);  x[10] ^= R(x[ 6]+x[ 2],18);
       x[ 3] ^= R(x[15]+x[11], 7);  x[ 7] ^= R(x[ 3]+x[15], 9);
       x[11] ^= R(x[ 7]+x[ 3],13);  x[15] ^= R(x[11]+x[ 7],18);
       x[ 1] ^= R(x[ 0]+x[ 3], 7);  x[ 2] ^= R(x[ 1]+x[ 0], 9);
       x[ 3] ^= R(x[ 2]+x[ 1],13);  x[ 0] ^= R(x[ 3]+x[ 2],18);
       x[ 6] ^= R(x[ 5]+x[ 4], 7);  x[ 7] ^= R(x[ 6]+x[ 5], 9);
       x[ 4] ^= R(x[ 7]+x[ 6],13);  x[ 5] ^= R(x[ 4]+x[ 7],18);
       x[11] ^= R(x[10]+x[ 9], 7);  x[ 8] ^= R(x[11]+x[10], 9);
       x[ 9] ^= R(x[ 8]+x[11],13);  x[10] ^= R(x[ 9]+x[ 8],18);
       x[12] ^= R(x[15]+x[14], 7);  x[13] ^= R(x[12]+x[15], 9);
       x[14] ^= R(x[13]+x[12],13);  x[15] ^= R(x[14]+x[13],18);
     }
     /* feed-forward: add the input words to the mixed state */
     for (i = 0;i < 16;++i) out[i] = x[i] + in[i];
   }
        
4. The scryptBlockMix Algorithm

The scryptBlockMix algorithm is the same as the BlockMix algorithm described in [SCRYPT] but with Salsa20/8 Core used as the hash function H. Below, Salsa(T) corresponds to the Salsa20/8 Core function applied to the octet vector T.


Algorithm scryptBlockMix

   Parameters:
            r       Block size parameter.

   Input:
            B[0] || B[1] || ... || B[2 * r - 1]
                   Input octet string (of size 128 * r octets),
                   treated as 2 * r 64-octet blocks,
                   where each element in B is a 64-octet block.

   Output:
            B'[0] || B'[1] || ... || B'[2 * r - 1]
                   Output octet string.

   Steps:

     1. X = B[2 * r - 1]

     2. for i = 0 to 2 * r - 1 do
          T = X xor B[i]
          X = Salsa (T)
          Y[i] = X
        end for

     3. B' = (Y[0], Y[2], ..., Y[2 * r - 2],
              Y[1], Y[3], ..., Y[2 * r - 1])

5. The scryptROMix Algorithm

The scryptROMix algorithm is the same as the ROMix algorithm described in [SCRYPT] but with scryptBlockMix used as the hash function H and the Integerify function explained inline.


Algorithm scryptROMix

   Input:
            r       Block size parameter.
            B       Input octet vector of length 128 * r octets.
            N       CPU/Memory cost parameter, must be larger than 1,
                    a power of 2, and less than 2^(128 * r / 8).

   Output:
            B'      Output octet vector of length 128 * r octets.

   Steps:

     1. X = B

     2. for i = 0 to N - 1 do
          V[i] = X
          X = scryptBlockMix (X)
        end for

     3. for i = 0 to N - 1 do
          j = Integerify (X) mod N
                 where Integerify (B[0] ... B[2 * r - 1]) is defined
                 as the result of interpreting B[2 * r - 1] as a
                 little-endian integer.
          T = X xor V[j]
          X = scryptBlockMix (T)
        end for

     4. B' = X

6. The scrypt Algorithm

The PBKDF2-HMAC-SHA-256 function used below denotes the PBKDF2 algorithm [RFC2898] used with HMAC-SHA-256 [RFC6234] as the Pseudorandom Function (PRF). The HMAC-SHA-256 function generates 32-octet outputs.


Algorithm scrypt

   Input:
            P       Passphrase, an octet string.
            S       Salt, an octet string.
            N       CPU/Memory cost parameter, must be larger than 1,
                    a power of 2, and less than 2^(128 * r / 8).
            r       Block size parameter.
            p       Parallelization parameter, a positive integer
                    less than or equal to ((2^32-1) * hLen) / MFLen
                    where hLen is 32 and MFlen is 128 * r.
            dkLen   Intended output length in octets of the derived
                    key; a positive integer less than or equal to
                    (2^32 - 1) * hLen where hLen is 32.

   Output:
            DK      Derived key, of length dkLen octets.

   Steps:

     1. Initialize an array B consisting of p blocks of 128 * r octets
        each:
          B[0] || B[1] || ... || B[p - 1] =
            PBKDF2-HMAC-SHA256 (P, S, 1, p * 128 * r)

     2. for i = 0 to p - 1 do
          B[i] = scryptROMix (r, B[i], N)
        end for

     3. DK = PBKDF2-HMAC-SHA256 (P, B[0] || B[1] || ... || B[p - 1],
                                 1, dkLen)
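The four pieces above (Salsa20/8 Core, scryptBlockMix, scryptROMix and the PBKDF2 wrapping of Section 6) compose into the complete function. The Python below is an added reference implementation written for this page; it is not code from the RFC or from the authors' scrypt library. It follows Sections 3 to 6 step by step, uses hashlib.pbkdf2_hmac for PBKDF2-HMAC-SHA-256, and adds a validate_params helper enforcing the bounds on N, r, p and dkLen from Sections 2 and 6; all function names are this example's own. Its output can be checked against the vectors of Sections 8 to 12 (only the small-parameter vectors are practical in pure Python).

```python
"""Reference scrypt assembled from RFC 7914 Sections 3 to 6.
Added example for this page; not the RFC's or the authors' code."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(a, b):
    a &= MASK32                      # the sum feeding R() may exceed 32 bits in Python
    return ((a << b) | (a >> (32 - b))) & MASK32


def salsa20_8_core(block):
    """Section 3: 64-octet string -> 64-octet string, words read little-endian."""
    if len(block) != 64:
        raise ValueError("Salsa20/8 Core takes exactly 64 octets")
    inp = list(struct.unpack("<16I", block))
    x = inp[:]
    # (a, b, c, d) quarterrounds in the exact order of the RFC's unrolled C code:
    # four column rounds, then four row rounds; 4 passes of the pair = 8 rounds.
    quarter = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
               (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))
    for _ in range(4):
        for a, b, c, d in quarter:
            x[b] ^= _rotl32(x[a] + x[d], 7)
            x[c] ^= _rotl32(x[b] + x[a], 9)
            x[d] ^= _rotl32(x[c] + x[b], 13)
            x[a] ^= _rotl32(x[d] + x[c], 18)
    return struct.pack("<16I", *((x[i] + inp[i]) & MASK32 for i in range(16)))


def _xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def scrypt_block_mix(B, r):
    """Section 4: hash the 2*r blocks as a chain, then interleave even/odd outputs."""
    blocks = [B[i * 64:(i + 1) * 64] for i in range(2 * r)]
    X = blocks[2 * r - 1]
    Y = []
    for Bi in blocks:
        X = salsa20_8_core(_xor(X, Bi))
        Y.append(X)
    return b"".join(Y[0::2] + Y[1::2])


def scrypt_romix(B, r, N):
    """Section 5: N sequential BlockMix states are stored (128*r*N octets),
    then read back in a data-dependent order; Integerify reads the last
    64-octet block of X as a little-endian integer."""
    X, V = B, []
    for _ in range(N):
        V.append(X)
        X = scrypt_block_mix(X, r)
    last = (2 * r - 1) * 64
    for _ in range(N):
        j = int.from_bytes(X[last:last + 64], "little") % N
        X = scrypt_block_mix(_xor(X, V[j]), r)
    return X


def validate_params(N, r, p, dkLen):
    """Bounds from Sections 2 and 6 (hLen = 32, MFLen = 128 * r)."""
    if r < 1:
        raise ValueError("r must be a positive integer")
    if N <= 1 or N & (N - 1):
        raise ValueError("N must be a power of 2 larger than 1")
    if N >= 2 ** (128 * r // 8):
        raise ValueError("N must be less than 2^(128 * r / 8)")
    if p < 1 or p > ((2 ** 32 - 1) * 32) // (128 * r):
        raise ValueError("p must be in 1..((2^32-1) * 32) / (128 * r)")
    if dkLen < 1 or dkLen > (2 ** 32 - 1) * 32:
        raise ValueError("dkLen must be in 1..(2^32-1) * 32")


def pbkdf2_hmac_sha256(P, S, c, dkLen):
    return hashlib.pbkdf2_hmac("sha256", P, S, c, dkLen)


def scrypt(P, S, N, r, p, dkLen):
    """Section 6: PBKDF2 (c=1) -> p independent scryptROMix calls -> PBKDF2 (c=1)."""
    validate_params(N, r, p, dkLen)
    MFLen = 128 * r
    B = pbkdf2_hmac_sha256(P, S, 1, p * MFLen)
    mixed = b"".join(scrypt_romix(B[i * MFLen:(i + 1) * MFLen], r, N) for i in range(p))
    return pbkdf2_hmac_sha256(P, mixed, 1, dkLen)


if __name__ == "__main__":
    # First vector of Section 12; the larger ones need compiled code and up to 1 GiB.
    print(scrypt(b"", b"", 16, 1, 1, 64).hex())
```

Integerify is realised by reading the whole last 64-octet block of X as a little-endian integer; since N is a power of two, only its low log2(N) bits survive the reduction mod N, which is why optimised implementations read only the first 8 octets of that block. scryptROMix keeps 128 * r * N octets live, so the N=1048576, r=8 vector of Section 12 needs 1 GiB of memory and a pure-Python loop is far too slow for it; that asymmetry between a legitimate single derivation and a large-scale search is the property Section 1 motivates.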

7. ASN.1 Syntax

This section defines ASN.1 syntax for the scrypt key derivation function (KDF). This is intended to operate on the same abstraction level as PKCS#5's PBKDF2. The OID id-scrypt below can be used where id-PBKDF2 is used, with scrypt-params corresponding to PBKDF2-params. The intended application of these definitions includes PKCS #8 and other syntax for key management.


The object identifier id-scrypt identifies the scrypt key derivation function.


   id-scrypt OBJECT IDENTIFIER ::= {1 3 6 1 4 1 11591 4 11}
        

The parameters field associated with this OID in an AlgorithmIdentifier shall have type scrypt-params:


   scrypt-params ::= SEQUENCE {
          salt OCTET STRING,
          costParameter INTEGER (1..MAX),
          blockSize INTEGER (1..MAX),
          parallelizationParameter INTEGER (1..MAX),
          keyLength INTEGER (1..MAX) OPTIONAL }
        

The fields of type scrypt-params have the following meanings:


- salt specifies the salt value. It shall be an octet string.


- costParameter specifies the CPU/Memory cost parameter N.


- blockSize specifies the block size parameter r.


- parallelizationParameter specifies the parallelization parameter.


- keyLength, an optional field, is the length in octets of the derived key. The maximum key length allowed depends on the implementation; it is expected that implementation profiles may further constrain the bounds. This field only provides convenience; the key length is not cryptographically protected.


To be usable in PKCS#8 [RFC5208] and Asymmetric Key Packages [RFC5958], the following extension of the PBES2-KDFs type is needed:


      PBES2-KDFs ALGORITHM-IDENTIFIER ::=
          { {scrypt-params IDENTIFIED BY id-scrypt}, ... }
        
7.1. ASN.1 Module

For reference purposes, the ASN.1 syntax is presented as an ASN.1 module here.


   -- scrypt ASN.1 Module

   scrypt-0 {1 3 6 1 4 1 11591 4 10}

   DEFINITIONS ::= BEGIN

   id-scrypt OBJECT IDENTIFIER ::= {1 3 6 1 4 1 11591 4 11}

   scrypt-params ::= SEQUENCE {
       salt OCTET STRING,
       costParameter INTEGER (1..MAX),
       blockSize INTEGER (1..MAX),
       parallelizationParameter INTEGER (1..MAX),
       keyLength INTEGER (1..MAX) OPTIONAL
   }

   PBES2-KDFs ALGORITHM-IDENTIFIER ::=
          { {scrypt-params IDENTIFIED BY id-scrypt}, ... }

   END

8. Test Vectors for Salsa20/8 Core

Below is a sequence of octets that illustrate input and output values for the Salsa20/8 Core. The octets are hex encoded and whitespace is inserted for readability. The value corresponds to the first input and output pair generated by the first scrypt test vector below.


INPUT: 7e 87 9a 21 4f 3e c9 86 7c a9 40 e6 41 71 8f 26 ba ee 55 5b 8c 61 c1 b5 0d f8 46 11 6d cd 3b 1d ee 24 f3 19 df 9b 3d 85 14 12 1e 4b 5a c5 aa 32 76 02 1d 29 09 c7 48 29 ed eb c6 8d b8 b8 c2 5e


OUTPUT: a4 1f 85 9c 66 08 cc 99 3b 81 ca cb 02 0c ef 05 04 4b 21 81 a2 fd 33 7d fd 7b 1c 63 96 68 2f 29 b4 39 31 68 e3 c9 e6 bc fe 6b c5 b7 a0 6d 96 ba e4 24 cc 10 2c 91 74 5c 24 ad 67 3d c7 61 8f 81


9. Test Vectors for scryptBlockMix

Below is a sequence of octets that illustrate input and output values for scryptBlockMix. The test vector uses an r value of 1. The octets are hex encoded and whitespace is inserted for readability. The value corresponds to the first input and output pair generated by the first scrypt test vector below.


INPUT B[0] = f7 ce 0b 65 3d 2d 72 a4 10 8c f5 ab e9 12 ff dd 77 76 16 db bb 27 a7 0e 82 04 f3 ae 2d 0f 6f ad 89 f6 8f 48 11 d1 e8 7b cc 3b d7 40 0a 9f fd 29 09 4f 01 84 63 95 74 f3 9a e5 a1 31 52 17 bc d7


B[1] = 89 49 91 44 72 13 bb 22 6c 25 b5 4d a8 63 70 fb cd 98 43 80 37 46 66 bb 8f fc b5 bf 40 c2 54 b0 67 d2 7c 51 ce 4a d5 fe d8 29 c9 0b 50 5a 57 1b 7f 4d 1c ad 6a 52 3c da 77 0e 67 bc ea af 7e 89


OUTPUT B'[0] = a4 1f 85 9c 66 08 cc 99 3b 81 ca cb 02 0c ef 05 04 4b 21 81 a2 fd 33 7d fd 7b 1c 63 96 68 2f 29 b4 39 31 68 e3 c9 e6 bc fe 6b c5 b7 a0 6d 96 ba e4 24 cc 10 2c 91 74 5c 24 ad 67 3d c7 61 8f 81


B'[1] = 20 ed c9 75 32 38 81 a8 05 40 f6 4c 16 2d cd 3c 21 07 7c fe 5f 8d 5f e2 b1 a4 16 8f 95 36 78 b7 7d 3b 3d 80 3b 60 e4 ab 92 09 96 e5 9b 4d 53 b6 5d 2a 22 58 77 d5 ed f5 84 2c b9 f1 4e ef e4 25


10. Test Vectors for scryptROMix

Below is a sequence of octets that illustrate input and output values for scryptROMix. The test vector uses an r value of 1 and an N value of 16. The octets are hex encoded and whitespace is inserted for readability. The value corresponds to the first input and output pair generated by the first scrypt test vector below.


INPUT: B = f7 ce 0b 65 3d 2d 72 a4 10 8c f5 ab e9 12 ff dd 77 76 16 db bb 27 a7 0e 82 04 f3 ae 2d 0f 6f ad 89 f6 8f 48 11 d1 e8 7b cc 3b d7 40 0a 9f fd 29 09 4f 01 84 63 95 74 f3 9a e5 a1 31 52 17 bc d7 89 49 91 44 72 13 bb 22 6c 25 b5 4d a8 63 70 fb cd 98 43 80 37 46 66 bb 8f fc b5 bf 40 c2 54 b0 67 d2 7c 51 ce 4a d5 fe d8 29 c9 0b 50 5a 57 1b 7f 4d 1c ad 6a 52 3c da 77 0e 67 bc ea af 7e 89


OUTPUT: B = 79 cc c1 93 62 9d eb ca 04 7f 0b 70 60 4b f6 b6 2c e3 dd 4a 96 26 e3 55 fa fc 61 98 e6 ea 2b 46 d5 84 13 67 3b 99 b0 29 d6 65 c3 57 60 1f b4 26 a0 b2 f4 bb a2 00 ee 9f 0a 43 d1 9b 57 1a 9c 71 ef 11 42 e6 5d 5a 26 6f dd ca 83 2c e5 9f aa 7c ac 0b 9c f1 be 2b ff ca 30 0d 01 ee 38 76 19 c4 ae 12 fd 44 38 f2 03 a0 e4 e1 c4 7e c3 14 86 1f 4e 90 87 cb 33 39 6a 68 73 e8 f9 d2 53 9a 4b 8e


11. Test Vectors for PBKDF2 with HMAC-SHA-256

Below is a sequence of octets that illustrate input and output values for PBKDF2-HMAC-SHA-256. The octets are hex encoded and whitespace is inserted for readability. The test vectors below can be used to verify the PBKDF2-HMAC-SHA-256 [RFC2898] function. The password and salt strings are passed as sequences of ASCII [RFC20] octets.


PBKDF2-HMAC-SHA-256 (P="passwd", S="salt", c=1, dkLen=64) = 55 ac 04 6e 56 e3 08 9f ec 16 91 c2 25 44 b6 05 f9 41 85 21 6d de 04 65 e6 8b 9d 57 c2 0d ac bc 49 ca 9c cc f1 79 b6 45 99 16 64 b3 9d 77 ef 31 7c 71 b8 45 b1 e3 0b d5 09 11 20 41 d3 a1 97 83


PBKDF2-HMAC-SHA-256 (P="Password", S="NaCl", c=80000, dkLen=64) = 4d dc d8 f6 0b 98 be 21 83 0c ee 5e f2 27 01 f9 64 1a 44 18 d0 4c 04 14 ae ff 08 87 6b 34 ab 56 a1 d4 25 a1 22 58 33 54 9a db 84 1b 51 c9 b3 17 6a 27 2b de bb a1 d0 78 47 8f 62 b3 97 f3 3c 8d


12. Test Vectors for scrypt

For reference purposes, we provide the following test vectors for scrypt, where the password and salt strings are passed as sequences of ASCII [RFC20] octets.


The parameters to the scrypt function below are, in order, the password P (octet string), the salt S (octet string), the CPU/Memory cost parameter N, the block size parameter r, the parallelization parameter p, and the output size dkLen. The output is hex encoded and whitespace is inserted for readability.


scrypt (P="", S="", N=16, r=1, p=1, dklen=64) = 77 d6 57 62 38 65 7b 20 3b 19 ca 42 c1 8a 04 97 f1 6b 48 44 e3 07 4a e8 df df fa 3f ed e2 14 42 fc d0 06 9d ed 09 48 f8 32 6a 75 3a 0f c8 1f 17 e8 d3 e0 fb 2e 0d 36 28 cf 35 e2 0c 38 d1 89 06


scrypt (P="password", S="NaCl", N=1024, r=8, p=16, dkLen=64) = fd ba be 1c 9d 34 72 00 78 56 e7 19 0d 01 e9 fe 7c 6a d7 cb c8 23 78 30 e7 73 76 63 4b 37 31 62 2e af 30 d9 2e 22 a3 88 6f f1 09 27 9d 98 30 da c7 27 af b9 4a 83 ee 6d 83 60 cb df a2 cc 06 40


scrypt (P="pleaseletmein", S="SodiumChloride", N=16384, r=8, p=1, dkLen=64) = 70 23 bd cb 3a fd 73 48 46 1c 06 cd 81 fd 38 eb fd a8 fb ba 90 4f 8e 3e a9 b5 43 f6 54 5d a1 f2 d5 43 29 55 61 3f 0f cf 62 d4 97 05 24 2a 9a f9 e6 1e 85 dc 0d 65 1e 40 df cf 01 7b 45 57 58 87


scrypt (P="pleaseletmein", S="SodiumChloride", N=1048576, r=8, p=1, dkLen=64) = 21 01 cb 9b 6a 51 1a ae ad db be 09 cf 70 f8 81 ec 56 8d 57 4a 2f fd 4d ab e5 ee 98 20 ad aa 47 8e 56 fd 8f 4b a5 d0 9f fa 1c 6d 92 7c 40 f4 c3 37 30 40 49 e8 a9 52 fb cb f4 5c 6f a7 7a 41 a4


13. Test Vectors for PKCS#8

PKCS#8 [RFC5208] and Asymmetric Key Packages [RFC5958] encode encrypted private-keys. Using PBES2 with scrypt as the KDF, the following illustrates an example of a PKCS#8-encoded private-key. The password is "Rabbit" (without the quotes) with N=1048576, r=8, and p=1. The salt is "Mouse" and the encryption algorithm used is aes256-CBC. The derived key is: E2 77 EA 2C AC B2 3E DA-FC 03 9D 22 9B 79 DC 13 EC ED B6 01 D9 9B 18 2A-9F ED BA 1E 2B FB 4F 58.

   -----BEGIN ENCRYPTED PRIVATE KEY-----
   MIHiME0GCSqGSIb3DQEFDTBAMB8GCSsGAQQB2kcECzASBAVNb3VzZQIDEAAAAgEI
   AgEBMB0GCWCGSAFlAwQBKgQQyYmguHMsOwzGMPoyObk/JgSBkJb47EWd5iAqJlyy
   +ni5ftd6gZgOPaLQClL7mEZc2KQay0VhjZm/7MbBUNbqOAXNM6OGebXxVp6sHUAL
   iBGY/Dls7B1TsWeGObE0sS1MXEpuREuloZjcsNVcNXWPlLdZtkSH6uwWzR0PyG/Z
   +ZXfNodZtd/voKlvLOw5B3opGIFaLkbtLZQwMiGtl42AS89lZg==
   -----END ENCRYPTED PRIVATE KEY-----
        
14. Security Considerations

This document specifies a cryptographic algorithm, and there is always a risk that someone will find a weakness in it. By following the cryptographic research literature, you may learn of publications relevant to scrypt.

ROMix has been proven sequential memory-hard under the random oracle model for the hash function. The security of scrypt relies on the assumption that BlockMix with Salsa20/8 Core does not exhibit any "shortcuts" that would allow it to be iterated more easily than a random oracle. For other claims about the security properties, see [SCRYPT].

Passwords and other sensitive data, such as intermediate values, may remain in memory, core dumps, swap areas, etc., for a long time after the implementation has processed them, which makes attacks on the implementation easier. Implementations should therefore consider storing sensitive data in protected memory areas; how to achieve this is system dependent.

By nature and depending on parameters, running the scrypt algorithm may require large amounts of memory. Systems should protect against a denial-of-service attack resulting from attackers presenting unreasonably large parameters.

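The two points meet in practice when a PKCS#8 blob like the one in Section 13 arrives from an untrusted source: the scrypt parameters inside it are attacker-controlled, so they must be validated before the KDF is allowed to allocate memory. As an added example (not the RFC's own code and not any library's), the following parses the PBES2/scrypt parameters out of the Section 13 blob with a minimal DER walker, then applies a memory-budget check before letting hashlib.scrypt run. The 32 MiB budget, the function names and the dictionary layout are this example's own choices; the two OIDs are the registered PBES2 and id-scrypt identifiers.

```python
"""Parse the scrypt parameters out of a PBES2-protected PKCS#8 blob and check
them against a memory budget before running the KDF.

Added example, not part of RFC 7914 or any library's code. The PEM is the
Section 13 test vector; the DER walker handles only the definite-length
encodings this structure uses, and the 32 MiB budget is an assumed policy.
"""
import base64
import hashlib

PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHiME0GCSqGSIb3DQEFDTBAMB8GCSsGAQQB2kcECzASBAVNb3VzZQIDEAAAAgEI
AgEBMB0GCWCGSAFlAwQBKgQQyYmguHMsOwzGMPoyObk/JgSBkJb47EWd5iAqJlyy
+ni5ftd6gZgOPaLQClL7mEZc2KQay0VhjZm/7MbBUNbqOAXNM6OGebXxVp6sHUAL
iBGY/Dls7B1TsWeGObE0sS1MXEpuREuloZjcsNVcNXWPlLdZtkSH6uwWzR0PyG/Z
+ZXfNodZtd/voKlvLOw5B3opGIFaLkbtLZQwMiGtl42AS89lZg==
-----END ENCRYPTED PRIVATE KEY-----"""

OID_PBES2 = "1.2.840.113549.1.5.13"      # PKCS#5 PBES2
OID_SCRYPT = "1.3.6.1.4.1.11591.4.11"    # id-scrypt
DEFAULT_BUDGET = 32 * 1024 * 1024         # assumed per-request memory cap


def pem_to_der(pem):
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_read(buf, pos=0):
    """Read one definite-length TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length is not DER")
    if length & 0x80:                               # long form: n length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed element's contents into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Dotted form of an OBJECT IDENTIFIER body; the first byte packs the first
    two arcs (enough for the arcs that appear here)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_pbes2_scrypt(der):
    """Pull salt, N, r, p, cipher OID, IV and ciphertext out of EncryptedPrivateKeyInfo."""
    tag, outer, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    (_, alg), (_, ciphertext) = der_children(outer)      # AlgorithmIdentifier, OCTET STRING
    (_, alg_oid), (_, pbes2) = der_children(alg)
    if decode_oid(alg_oid) != OID_PBES2:
        raise ValueError("not PBES2")
    (_, kdf), (_, enc) = der_children(pbes2)             # keyDerivationFunc, encryptionScheme
    (_, kdf_oid), (_, kdf_params) = der_children(kdf)
    if decode_oid(kdf_oid) != OID_SCRYPT:
        raise ValueError("KDF is not scrypt")
    fields = der_children(kdf_params)                    # salt, N, r, p [, keyLength]
    salt = fields[0][1]
    N, r, p = (int.from_bytes(v, "big", signed=True) for _, v in fields[1:4])
    (_, enc_oid), (_, iv) = der_children(enc)
    return {"salt": salt, "N": N, "r": r, "p": p,
            "cipher_oid": decode_oid(enc_oid), "iv": iv, "ciphertext": ciphertext}


def scrypt_memory_bytes(N, r, p):
    """128*r*N bytes for ROMix's table V plus 128*r*p for the p blocks of B."""
    return 128 * r * N + 128 * r * p


def check_params(N, r, p, max_bytes=DEFAULT_BUDGET):
    """Validate N, r, p structurally (RFC 7914, Section 6), then enforce the budget."""
    if N < 2 or N & (N - 1) or N >= 2 ** (16 * r):
        raise ValueError("N must be a power of two with 1 < N < 2^(128*r/8)")
    if r < 1 or p < 1 or p > ((2 ** 32 - 1) * 32) // (128 * r):
        raise ValueError("r and p must be positive, p <= (2^32-1)*hLen/MFLen")
    need = scrypt_memory_bytes(N, r, p)
    if need > max_bytes:
        raise ValueError(f"scrypt needs {need} bytes, budget is {max_bytes}")
    return need


def derive_kek(pem, password, max_bytes=DEFAULT_BUDGET):
    """Derive the 32-byte AES-256 key for the blob, refusing over-budget parameters."""
    prm = parse_pbes2_scrypt(pem_to_der(pem))
    check_params(prm["N"], prm["r"], prm["p"], max_bytes)
    return hashlib.scrypt(password, salt=prm["salt"], n=prm["N"], r=prm["r"],
                          p=prm["p"], dklen=32, maxmem=max_bytes)


if __name__ == "__main__":
    prm = parse_pbes2_scrypt(pem_to_der(PEM))
    print("salt=%r N=%d r=%d p=%d cipher=%s" % (prm["salt"], prm["N"], prm["r"],
                                                prm["p"], prm["cipher_oid"]))
    print("memory needed:", scrypt_memory_bytes(prm["N"], prm["r"], prm["p"]), "bytes")
    try:
        derive_kek(PEM, b"Rabbit")
    except ValueError as e:
        print("refused:", e)
```

With the default budget the Section 13 vector is refused: N=1048576 and r=8 need just over 1 GiB, which is exactly the kind of request an attacker-supplied blob could use to exhaust a server. Raising max_bytes above that figure (CPython caps hashlib's maxmem at 2^31-1, which is enough here) derives the 32-byte key listed in Section 13. The structural checks on N and p come from the parameter constraints in Section 6 of the RFC; the budget itself is a deployment decision.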

Poor parameter choices can be harmful for security; for example, tuning the parameters so that memory use drops to a small amount removes the memory-hardness that the algorithm's security properties depend on.

15. References
15.1. Normative References

[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, DOI 10.17487/RFC2898, September 2000, <http://www.rfc-editor.org/info/rfc2898>.

[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011, <http://www.rfc-editor.org/info/rfc6234>.

15.2. Informative References

[BCRYPT] Provos, N. and D. Mazieres, "A Future-Adaptable Password Scheme", USENIX 1999, June 1999, <https://www.usenix.org/legacy/event/usenix99/provos/provos.pdf>.

[NTLM] Microsoft, "[MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol", 2015, <https://msdn.microsoft.com/en-us/library/cc236621.aspx>.

[RFC20] Cerf, V., "ASCII format for network interchange", STD 80, RFC 20, DOI 10.17487/RFC0020, October 1969, <http://www.rfc-editor.org/info/rfc20>.

[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, June 2005, <http://www.rfc-editor.org/info/rfc4086>.

[RFC5208] Kaliski, B., "Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification Version 1.2", RFC 5208, DOI 10.17487/RFC5208, May 2008, <http://www.rfc-editor.org/info/rfc5208>.

[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, DOI 10.17487/RFC5958, August 2010, <http://www.rfc-editor.org/info/rfc5958>.

[SALSA20CORE] Bernstein, D., "The Salsa20 Core", March 2005, <http://cr.yp.to/salsa20.html>.

[SALSA20SPEC] Bernstein, D., "Salsa20 specification", April 2005, <http://cr.yp.to/snuffle/spec.pdf>.

[SCRYPT] Percival, C., "STRONGER KEY DERIVATION VIA SEQUENTIAL MEMORY-HARD FUNCTIONS", BSDCan'09, May 2009, <http://www.tarsnap.com/scrypt/scrypt.pdf>.

[SHA2CRYPT] Drepper, U., "Unix crypt using SHA-256 and SHA-512", April 2008, <http://www.akkadia.org/drepper/SHA-crypt.txt>.

Acknowledgements

Text in this document was borrowed from [SCRYPT] and [RFC2898]. The PKCS#8 test vector was provided by Stephen N. Henson.

Feedback on this document was received from Dmitry Chestnykh, Alexander Klink, Rob Kendrick, Royce Williams, Ted Rolle, Jr., Eitan Adler, Stephen Farrel, Nikos Mavrogiannopoulos, and Paul Kyzivat.

Authors' Addresses

Colin Percival
Tarsnap

   Email: cperciva@tarsnap.com
        
Simon Josefsson
SJD AB

   Email: simon@josefsson.org
   URI:   http://josefsson.org/
        