Bouncy Castle scrypt implementation

2020-03-10 05:27发布

问题:

I'm currently implementing password hashing using scrypt. I have already found a nice scrypt implementation on GitHub. To my surprise I have also discovered a scrypt implementation in the Bouncy Castle library. The class is not documented, Wikipedia didn't mention Bouncy Castle as scrypt implementation provider and I had real trouble finding any code examples of someone using Bouncy Castles scrypt, so this looks somehow suspicious to me.

On the other hand if I had to choose between a GitHubs crypto implementation and Bouncy Castle, I would prefer Bouncy Castle.

So is the Bouncy Castles scrypt the 'real thing'? And can I use Bouncy Castles scrypt over the JCA provider API (or do I need to call it directly like here: AES-256 encryption workflow in scala with bouncy castle: salt and IV usage and transfer/storage)?


EDIT: Best answer I could get by now: https://www.bouncycastle.org/devmailarchive/msg13653.html

回答1:

So that people don't have to go to an external site for an answer:

  1. Make sure bouncy castle jars are on your build path
  2. Import SCrypt like so:

    import org.bouncycastle.crypto.generators.SCrypt;
    
  3. Use SCrypt like so:

    byte[] sCryptHash = SCrypt.generate(plaintext.getBytes(), salt.getBytes(), cpuDifficultyFactor, memoryDifficultyFactor, parallelismDifficultyFactor, outputLength);
    


回答2:

You can use the SCrypt class with its static method generate like this:

SCrypt.generate(passwordBytes, salt, costParam, blockSize, parallelization, passwordLength);

I can't really say what values you should use for costParam, blockSize or parallelization, the documentation doesn't say much to it. In our studies we used 8 for every of those.

Link to their docus: BCrypt - https://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/generators/BCrypt.html SCrypt - https://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/generators/SCrypt.html