(Very) Basic Intro to the Scrypt Hash

The post (Very) Basic Intro to the Scrypt Hash appeared first on Qvault.

Scrypt is a slow-by-design hash function or more accurately, a KDF function. Its purpose is to take some input data, and create a fingerprint of that data, but to do it very slowly. A common use-case is to take a password and create an n-bit private key, which is much longer and more secure.

For example, let’s pretend your password is password1234. By using Scrypt, we can extend that deterministically into a 256-bit key:

password1234 ->
AwEEDA4HCwQFAA8DAwwHDQwPDwUOBwoOCQACAgUJBQ0JAAYNBAMCDQ4JCQgLDwcGDQMDDgMKAQsNBAkLAwsACA==

That long 256-bit key can now be used as a private key to encrypt and decrypt data. For example, it could be the key in an AES-256 cipher.

Why not use the password to encrypt directly?

Most encryption algorithms, including AES-256, require that a key of sufficient length is used. By hashing the password, we can derive a longer, more secure, fixed-size key.

Furthermore, using a KDF like Scrypt provides additional benefits over a traditional hash function like SHA-2:

  • Computationally expensive and slow
  • Memory intensive (potentially several gigabytes of RAM is used to execute the hash)

Often times brute-force attackers will try to break encryption by guessing passwords over and over until they get it right. AES-256 and SHA-2 are fast, so an attacker would be able to guess many passwords per second. By using a slow hashing function like Scrypt to derive a key, we can force the attacker to waste more resources trying to break in.

Scrypt Step-by-Step

Scrypt can be visualized by some psuedo-code:

func Scrypt(
        passphrase, // string of characters to be hashed
        salt,  // random salt
        costFactor, // CPU/Memory cost, must be power of 2
        blockSizeFactor,
        parallelizationFactor, // (1..232-1 * hLen/MFlen)
        desiredKeyLen // Desired key length in bytes
) derivedKey {
        // we'll get to theis
}

Let’s go through the steps of converting those inputs into the desired derivedKey

1 – Define Blocksize

const blockSize = 128 * blockSizeFactor

2 – Generate Initial Salt

Scrypt uses PBKDF2 as a child key-derivation function. We use it to generate an initial salt. PBKDF2 has the following signature:

func PBKDF2(
        prf,
        password,
        salt,
        numIterations,
        desiredKeyLen
) derivedKey {}

We use it as follows:

const initialSalt = PBKDF2(HMAC-SHA256, passphrase, salt, 1, blockSize * parallelizationFactor)

3 – Mix Salt

Next, we mix the salt. We split initialSalt into splitSalt, which is a 2D array of bytes. Each sub-array contains 1024 bytes

splitSalt := [][1024]byte(initialSalt)
for i, block := range splitSalt {
        newBlock := roMix(block, costFactor)
        splitSalt[i] = newBlock
}

where roMix is:

func roMix(block, iterations){
        v := []
        x := block
        for i := 0; i < iterations; i++ {
                v[i] = x
                x = blockMix(x)
        }
        for i := 0; i < iterations; i++ {
                j := integerify(x) % iterations
                x = blockMix(x ^ v[j])
        }
        return x
}

Where integerify is defined by RFC-7914 and blockMix is:

func blockMix(block){
        r := len(block) / 128
        // split block into an array of 2r 64-byte chunks
        chunks := get2r64ByteChunks()

        x := chunks[len(chunks)-1]
        y := []
        for i := 0; i < len(chunks); i++{
                x = salsa20-8(x ^ chunks[i])
                y[i] = x
        }
        return [y[0], y[2], ...y[2r-2], y[1], y[3], ...y[2r-1]]
}

Where salsa20-8 is the 8-round version of the algorithm defined here.

4 – Finalize Salt

Now splitSalt has been mixed in such a computationally exhausting way that we will call it an expensiveSalt. Expensive salt will be a single array of bytes, so we need to concatenate all the subarrays in splitSalt.

expensiveSalt := append([], splitSalt...)

5 – Return Final KDF

return PBKDF2(HMAC-SHA256, passphrase, expensiveSalt, 1, desiredKeyLen)

The final pseudocode for our top level function is as follows:

func Scrypt(
        passphrase, // string of characters to be hashed
        salt,  // random salt
        costFactor, // CPU/Memory cost, must be power of 2
        blockSizeFactor,
        parallelizationFactor, // (1..232-1 * hLen/MFlen)
        desiredKeyLen // Desired key length in bytes
) derivedKey {
        const blockSize = 128 * blockSizeFactor

        const initialSalt = PBKDF2(HMAC-SHA256, passphrase, salt, 1, blockSize * parallelizationFactor)

        splitSalt := [][1024]byte(initialSalt)
        for i, block := range splitSalt {
                newBlock := roMix(block, costFactor)
                splitSalt[i] = newBlock
        }

        expensiveSalt := append([], splitSalt...)

        return PBKDF2(HMAC-SHA256, passphrase, expensiveSalt, 1, desiredKeyLen)
}

Or, if you prefer, the pseudocode as defined by Wikipedia:

Function scrypt
   Inputs:
      Passphrase:                Bytes    string of characters to be hashed
      Salt:                      Bytes    random salt
      CostFactor (N):            Integer  CPU/memory cost parameter - Must be a power of 2 (e.g. 1024)
      BlockSizeFactor (r):       Integer  blocksize parameter (8 is commonly used)
      ParallelizationFactor (p): Integer  Parallelization parameter. (1..232-1 * hLen/MFlen)
      DesiredKeyLen:             Integer  Desired key length in bytes
   Output:
      DerivedKey:                Bytes    array of bytes, DesiredKeyLen long

   Step 1. Generate expensive salt
   blockSize ← 128*BlockSizeFactor  //Length (in bytes) of the SMix mixing function output (e.g. 128*8 = 1024 bytes)

   Use PBKDF2 to generate initial 128*BlockSizeFactor*p bytes of data (e.g. 128*8*3 = 3072 bytes)
   Treat the result as an array of p elements, each entry being blocksize bytes (e.g. 3 elements, each 1024 bytes)
   [B0...Bp−1] ← PBKDF2HMAC-SHA256(Passphrase, Salt, 1, blockSize*ParallelizationFactor)

   Mix each block in B Costfactor times using ROMix function (each block can be mixed in parallel)
   for i ← 0 to p-1 do
      Bi ← ROMix(Bi, CostFactor)

   All the elements of B is our new "expensive" salt
   expensiveSalt ← B0∥B1∥B2∥ ... ∥Bp-1  //where ∥ is concatenation
 
   Step 2. Use PBKDF2 to generate the desired number of bytes, but using the expensive salt we just generated
   return PBKDF2HMAC-SHA256(Passphrase, expensiveSalt, 1, DesiredKeyLen);

Thanks For Reading!

Follow us on Twitter @q_vault if you have any questions or comments

Take game-like coding courses on Qvault Classroom

Subscribe to our Newsletter for more educational articles

Check out some of our popular posts!

The post (Very) Basic Intro to the Scrypt Hash appeared first on Qvault.



source https://qvault.io/2020/07/25/very-basic-intro-to-the-scrypt-hash/

Comments

Post a Comment

Popular posts from this blog

How To Hire Developers – 6 Tips From Someone You Probably Shouldn’t Listen To

Image
The post How To Hire Developers – 6 Tips From Someone You Probably Shouldn’t Listen To first appeared on Qvault . So you want to hire a developer? Or maybe you just want to know what is going through the heads of employers like myself. Either way, let’s dive right into what I think are best practices for hiring programmers. I’ve found my opinions to be quite controversial, but I do put them into practice in my own career and at Qvault . When you inevitably disagree with some of my points, feel free to @ me . The following process assumes essentially no HR to help (which I think is probably a good thing), and definitely no recruiters. I only have experience hiring direct to small(ish) companies. #1 – Throw Away Resumes With >2 Pages Like really. When I post a job I get so many candidates. I need a way to quickly filter out some bad apples. I don’t have time to read about your high-school lifeguarding job. Ideally, all resumes would be exactly 1 page . If you have hundreds of...
Read more

I Wrote Go-TinyDate, The Missing Golang Date Package

Image
time.Time makes dealing with dates and times in Go a breeze, and it even comes bundled in the standard library! However, a time.Time{} struct uses more than 24 bytes of memory under most conditions, and I’ve run into situations where I need to store millions of them in memory, but all I really needed was a UTC date! Go-TinyDate solves this with just 4 bytes of memory. Star the Github! https://github.com/lane-c-wagner/go-tinydate How? Let’s look at the time.Time struct: type Time struct { wall uint64 // 8 bytes ext int64 // b bytes loc *Location // 8 bytes if not nil, plus location memory } type Location struct { name string // unlimited zone []zone // unlimited tx []zoneTrans // unlimited cacheStart int64 // 8 bytes cacheEnd int64 // 8 bytes cacheZone *zone // 8 bytes if not nil, plus zone } type zone struct { name string // unlimited offset int // 4-8 bytes depending on OS ...
Read more

Best Practices For Writing Clean Interfaces in Go

Image
Interfaces allow us to treat different types as the same type when it comes to specific behaviors. They are central to a Go programmers toolbelt and are often used improperly by new Go developers… leading to hard to read and buggy code. Interfaces are named collections of method signatures, they are how we achieve a kind of polymorphism in Go. Click To Tweet Recap on Interfaces Let’s look to the standard library as an example of the way to write clean Go. The error interface is simple: type error interface { Error() string } By definition, the error interface encapsulates any type that has an Error() method defined on it, accepts no parameters, and returns a string . For example, let’s define a struct that represents a network problem: type networkProblem struct { message string code int } Then we define an Error() method: func (np networkProblem) Error() string { return fmt.Sprintf("network error! message: %s, code: %v", np.m...
Read more