词条 | Bcrypt |
释义 |
| name = bcrypt | image = | caption = | designers = Niels Provos, David Mazières | publish date = 1999 | series = | derived from = Blowfish (cipher) | derived to = | related to = | certification = | digest size = 184 bit | block size = | structure = | rounds = variable via cost parameter | cryptanalysis = }} bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher, and presented at USENIX in 1999.[1] Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. The bcrypt function is the default password hash algorithm for OpenBSD[2] and other systems including some Linux distributions such as SUSE Linux.[3] There are implementations of bcrypt for C, C++, C#, Go,[4] Java,[5][6] JavaScript,[7] Elixir,[8] Perl, PHP, Python,[9] Ruby and other languages. BackgroundBlowfish is notable among block ciphers for its expensive key setup phase. It starts off with subkeys in a standard state, then uses this state to perform a block encryption using part of the key, and uses the result of that encryption (which is more accurate at hashing) to replace some of the subkeys. Then it uses this modified state to encrypt another part of the key, and uses the result to replace more of the subkeys. It proceeds in this fashion, using a progressively modified state to hash the key and replace bits of state, until all subkeys have been set. Provos and Mazières took advantage of this, and took it further. They developed a new key setup algorithm for Blowfish, dubbing the resulting cipher "Eksblowfish" ("expensive key schedule Blowfish"). The key setup begins with a modified form of the standard Blowfish key setup, in which both the salt and password are used to set all subkeys. There are then a number of rounds in which the standard Blowfish keying algorithm is applied, using alternatively the salt and the password as the key, each round starting with the subkey state from the previous round. In theory, this is no stronger than the standard Blowfish key schedule, but the number of rekeying rounds is configurable; this process can therefore be made arbitrarily slow, which helps deter brute-force attacks upon the hash or salt. DescriptionThe prefix "$2a$" or "$2b$" (or "$2y$") in a hash string in a shadow password file indicates that hash string is a bcrypt hash in modular crypt format.[10] The rest of the hash string includes the cost parameter, a 128-bit salt (Radix-64 encoded as 22 characters), and 184 bits of the resulting hash value (Radix-64 encoded as 31 characters)[11]. The Radix-64 encoding uses the unix/crypt alphabet, and is not 'standard' Base-64[12][13]. The cost parameter specifies a key expansion iteration count as a power of two, which is an input to the crypt algorithm. For example, the shadow password record Versioning history$2$ (1999)The original Bcrypt specification defined a prefix of
The original specification did not define how to handle non-ASCII character, nor how to handle a null terminator. The specification was revised to specify that when hashing strings:
With this change, the version was changed to In June 2011, a bug was discovered in crypt_blowfish, a PHP implementation of BCrypt. It was mis-handling characters with the 8th bit set.[16] They suggested that system administrators update their existing password database, replacing Nobody else, including canonical OpenBSD, adopted the idea of 2x/2y. This version marker change was limited to crypt_blowfish. $2b$ (February 2014)A bug was discovered in the OpenBSD implementation of bcrypt. They were storing the length of their strings in an unsigned char (i.e. 8-bit BCrypt was created for OpenBSD. When they had a bug in their library, they decided to bump the version number. AlgorithmThe bcrypt algorithm is the result of encrypting the text "OrpheanBeholderScryDoubt" 64 times using Blowfish. In bcrypt the usual Blowfish key setup function is replaced with an expensive key setup (EksBlowfishSetup) function: Function bcrypt Input:cost: Number (4..31) log2(Iterations). e.g. 12 ==> 212 = 4,096 iterations salt: array of Bytes (16 bytes) random salt password: array of Bytes (1..72 bytes) UTF-8 encoded passwordOutput: hash: array of Bytes (24 bytes)//Initialize Blowfish state with expensive key setup algorithm ''state'' EksBlowfishSetup(''cost'', ''salt'', ''password'')//Repeatedly encrypt the text "OrpheanBeholderScryDoubt" 64 times repeat (64) ''ctext'' EncryptECB(''state'', ''ctext'') //encrypt using standard Blowfish in ECB mode //24-byte ctext is resulting password hashreturn Concatenate(cost, salt, ctext) Expensive key setupThe bcrypt algorithm depends heavily on its "Eksblowfish" key setup algorithm, which runs as follows: Function EksBlowfishSetup Input:cost: Number (4..31) log2(Iterations). e.g. 12 ==> 212 = 4,096 iterations salt: array of Bytes (16 bytes) random salt password: array of Bytes (1..72 bytes) UTF-8 encoded passwordOutput: state: opaque BlowFish state structure ''state'' InitialState() ''state'' ExpandKey(''state'', ''salt'', ''password'') repeat (2cost) ''state'' ExpandKey(state, 0, password) ''state'' ExpandKey(state, 0, salt)return state InitialState works as in the original Blowfish algorithm, populating the P-array and S-box entries with the fractional part of in hexadecimal. Expand keyThe ExpandKey function does the following: Function ExpandKey(state, salt, password) Input:state: Opaque BlowFish state structure Internally contains P-array and S-box entries salt: array of Bytes (16 bytes) random salt password: array of Bytes (1..72 bytes) UTF-8 encoded passwordOutput: state: opaque BlowFish state structure//Mix password into the internal P-array of statefor n 1 to 18 do Pn Pn xor ''password''[32(n-1)..32n-1] //treat the password as cyclic//Encrypt state using the lower 8 bytes of salt, and store the 8 byte result in P1|P2 ''block'' Encrypt(''state'', ''salt''[0..63]) P1 ''block''[0..31] //lower 32-bits P2 ''block''[32..63] //upper 32-bits//Continue encrypting state with salt, and storing results in remaining P-arrayfor n 2 to 9 do ''block'' Encrypt(''state'', ''block'' '''xor''' ''salt''[64(n-1)..64n-1]) //encrypt using the current key schedule and treat the salt as cyclic P2n-1 ''block''[0..31] //lower 32-bits P2n ''block''[32..63] //upper 32-bits//Mix encrypted state into the internal S-boxes of statefor i 1 to 4 dofor n 0 to 127 do ''block'' Encrypt(''state'', ''block'' '''xor''' ''salt''[64(n-1)..64n-1]) //as above Si[2n] ''block''[0..31] //lower 32-bits Si[2n+1] ''block''[32..63] //upper 32-bitsreturn state Hence, User inputMany implementations of bcrypt truncate the password to the first 72 bytes. The mathematical algorithm itself requires initialization with 18 32-bit subkeys (equivalent to 72 octets/bytes). The original specification[1] of bcrypt does not mandate any one particular method for mapping text-based passwords from userland into numeric values for the algorithm. One brief comment in the text mentions, but does not mandate, the possibility of simply using the ASCII encoded value of a character string: "Finally, the key argument is a secret encryption key, which can be a user-chosen password of up to 56 bytes (including a terminating zero byte when the key is an ASCII string)." Note that the quote above mentions passwords "up to 56 bytes" even though the algorithm itself makes use of a 72 byte initial value. Although Provos and Mazières do not state the reason for the shorter restriction, they may have been motivated by the following statement from Bruce Schneier's original specification of Blowfish,[18] "The 448 [bit] limit on the key size ensures that the{{sic}} every bit of every subkey depends on every bit of the key." Implementations have varied in their approach of converting passwords into initial numeric values, including sometimes reducing the strength of passwords containing non-ASCII characters.[19] See also{{Portal|Cryptography|Free and open-source software}}
References1. ^1 {{cite journal | url = http://www.usenix.org/events/usenix99/provos/provos_html/node1.html | title = A Future-Adaptable Password Scheme | first = Niels | last = Provos |author2=Mazières, David | year = 1999 |author3=Talan Jason Sutton 2012 | journal = Proceedings of 1999 USENIX Annual Technical Conference | pages = 81–92}} {{Cryptography navbox | hash}}2. ^{{cite web|url=//cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/bcrypt.c|title= Commit of first work to repo|date=13 Feb 1997}} 3. ^{{cite web|url=https://www.suse.com/support/security/advisories/2011_35_blowfish.html |title=SUSE Security Announcement: (SUSE-SA:2011:035) |date=23 August 2011 |access-date=20 August 2015 |quote=SUSE's crypt() implementation supports the blowfish password hashing function (id $2a) and system logins by default also use this method. |deadurl=yes |archiveurl=https://web.archive.org/web/20160304094921/https://www.suse.com/support/security/advisories/2011_35_blowfish.html |archivedate=4 March 2016 |df= }} 4. ^{{cite web|url=https://godoc.org/golang.org/x/crypto/bcrypt|title=Package bcrypt|website=godoc.org}} 5. ^{{Cite web|url=http://www.mindrot.org/projects/jBCrypt/|title=jBCrypt - strong password hashing for Java|website=www.mindrot.org|language=en|access-date=2017-03-11}} 6. ^{{Cite web|url=https://github.com/patrickfav/bcrypt|title=bcrypt - A Java standalone implementation of the bcrypt password hash function|website=github.com|language=en|access-date=2018-07-19}} 7. ^{{cite web|url=https://www.npmjs.com/package/bcrypt|title=bcrypt|website=npm}} 8. ^{{cite web |last1=Whitlock |first1=David |title=Bcrypt Elixir: Bcrypt password hashing algorithm for Elixir. |url=https://github.com/riverrun/bcrypt_elixir |website=GitHub |publisher=riverrun}} 9. ^{{cite web|url=https://github.com/pyca/bcrypt/|title=bcrypt: Modern password hashing for your software and your servers|first=Donald|last=Stufft|publisher=|via=PyPI}} 10. ^passlib.[https://passlib.readthedocs.io/en/stable/modular_crypt_format.html "Modular Crypt Format"]. 11. ^passlib.[https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html "BCrypt"]. 12. ^{{Cite web|url=https://github.com/pyca/bcrypt/blob/master/src/_csrc/bcrypt.c#L179|title=Python bcrypt - Modern password hashing for your software and your servers|last=|first=|date=|website=|archive-url=|archive-date=|dead-url=|access-date=}} 13. ^{{Cite web|url=https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java#L19|title=Bouncy Castle Java Distribution - BCrypt implememntation|last=|first=|date=|website=|archive-url=|archive-date=|dead-url=|access-date=}} 14. ^{{cite web|url=https://passlib.readthedocs.io/en/stable/modular_crypt_format.html|title=Modular Crypt Format — Passlib v1.7.1 Documentation|website=passlib.readthedocs.io}} 15. ^1 http://undeadly.org/cgi?action=article&sid=20140224132743 16. ^{{cite web|url=http://seclists.org/oss-sec/2011/q2/632|title=oss-sec: CVE request: crypt_blowfish 8-bit character mishandling|first=Solar|last=Designer|website=seclists.org}} 17. ^{{cite web|url=http://marc.info/?l=openbsd-misc&m=139320023202696|title='bcrypt version changes' - MARC|website=marc.info}} 18. ^{{cite journal | url = https://www.schneier.com/paper-blowfish-fse.html | title = Fast Software Encryption, Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish) | first = Bruce | last = Schneier | publisher = Springer-Verlag | year = 1994 | journal = Cambridge Security Workshop Proceedings (December 1993) | pages = 191–204}} 19. ^{{cite web |url=http://www.mindrot.org/files/jBCrypt/internat.adv |date=1 February 2010 |title=jBCrypt security advisory}} And {{cite web |url=https://php.net/security/crypt_blowfish.php |title=Changes in CRYPT_BLOWFISH in PHP 5.3.7 |work=php.net}} 20. ^http://bcrypt.sourceforge.net bcrypt file encryption program homepage 21. ^http://bcrypt463065.android.informer.com/ 22. ^http://www.t2-project.org/packages/bcrypt.html 23. ^https://docs.oracle.com/cd/E51849_01/gg-winux/OGGLC/ogglc_licenses.htm 2 : Cryptography|Cryptographic software |
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。