The scrypt key derivation function

One of the commonly requested features for Tarsnap is passphrase-protected key files. I started working on this in February, but soon discovered that the existing methods for passphrased-encrypted files were rather lacking -- at least based on my security guideline for tarsnap, i.e., "what if the NSA tried to attack this?".

I am speaking today at BSDCan'09 about my work on the scrypt key derivation function. In the context of hardware brute-force attacks, scrypt is thousands of times more secure than existing "best practice" solutions such as bcrypt and PBKDF2; in fact, under reasonable assumptions it is provably as strong as possible. In addition to the key derivation function itself, I have released a simple file encryption utility which is approximately 100 billion times more secure than openssl enc , due to OpenSSL using MD5 as a key derivation function.

The code I have written -- key derivation function and file encryption utility -- are now available from the scrypt page on the tarsnap web site, along with the 16-page paper I wrote defining and proving security properties of scrypt, and my conference slides. So far I have only built the scrypt code on FreeBSD; but I expect to port the code to other operating systems soon. Within a few weeks I expect to release a new version of the tarsnap client which uses scrypt to -- finally -- add support for password-protected key files.

In his famous "what you need to know about secure password schemes" blog post of September 2007, Thomas Ptacek concluded by saying that the correct choice of key derivation functions is bcrypt. He was right; but from today onwards, the correct choice is scrypt.

Disqus