Exploring Password-Based Key Derivation Systems: scrypt and bcrypt

In this article, I discuss the concepts of password-based key derivation and explore two popular systems, scrypt and bcrypt. I provide insights into their implementation and their effectiveness in protecting passwords. Additionally, I point to relevant resources for further understanding and discussion.

Introduction

Recently, I came across a question regarding the creation of unscalable conditions to brute force passwords. The question mentioned a system called scrypt, which claims to add fixed time/space complexity requirements into password-based key derivation. The system’s website states that a five-character password using scrypt is stronger than a ten-character password using openssl. This statement intrigued me, and I wanted to learn more about scrypt and other similar systems in the field.

Password-Based Key Derivation and Complexity Requirements

To understand scrypt and similar systems, it is essential to grasp the concept of password-based key derivation and the role of complexity requirements. Password-based key derivation involves transforming a password into a cryptographic key. This transformation should be computationally expensive to hinder potential attackers from easily brute-forcing passwords. Complexity requirements, such as fixed time/space complexity, can be added to the key derivation process to further increase the computational cost of cracking passwords.

The Power of scrypt

While scrypt claims to provide significant password strength even with shorter passwords, it is crucial to evaluate its implementation and effectiveness. Unfortunately, I have not come across any peer-reviewed work on scrypt in the crypto or infosec circles. However, I came across a recommendation for bcrypt, another system based on key stretching, which has gained recognition among security experts. Bcrypt has RFCs, NIST-suggested algorithms, and papers published as references dating back to 1978.

Further Research and Discussion

If you are interested in delving deeper into password-based key derivation systems and their implementation, I recommend reading the accepted answer in a related question on our security-focused community. The answer, provided by a resident cryptographer, sheds light on bcrypt and key stretching. Additionally, you can explore our sister site, crypto.stackexchange.com, where algorithm internals are discussed in detail.

By exploring these resources and understanding the concepts of password-based key derivation and complexity requirements, you can gain a better understanding of systems like scrypt and bcrypt and their role in protecting passwords from brute-force attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *