|
Bouncy Castle Cryptography Library 1.85 | |||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | |||||||||
java.lang.Objectorg.bouncycastle.crypto.generators.BCrypt
Core of password hashing scheme Bcrypt, designed by Niels Provos and David Mazières, corresponds to the C reference implementation.
This implementation does not correspondent to the 1999 published paper "A Future-Adaptable Password Scheme" of Niels Provos and David Mazières, see: https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node1.html. In contrast to the paper, the order of key setup and salt setup is reversed: state <- ExpandKey(state, 0, key) state <- ExpandKey(state, 0, salt) This corresponds to the OpenBSD reference implementation of Bcrypt.
Note: There is no successful cryptanalysis (status 2015), but the amount of memory and the band width of Bcrypt may be insufficient to effectively prevent attacks with custom hardware like FPGAs, ASICs
This implementation uses some parts of Bouncy Castle's BlowfishEngine.
| Method Summary | |
static byte[] |
generate(byte[] pwInput,
byte[] salt,
int cost)
Deprecated. as a direct replacement use generate(byte[], byte[], int, boolean) so
the terminator choice is explicit at the call site — pass to
have the spec-required 0x00 terminator appended (equivalent to feeding
through passwordToByteArray(char[])),
when the supplied bytes already include it. For general password hashing prefer
OpenBSDBCrypt, which handles termination, salt formatting and the
modular crypt output line; this raw primitive remains available for test-vector
validation and interop with implementations that emit the 24-byte hash directly
(issue #1741). |
static byte[] |
generate(byte[] pwInput,
byte[] salt,
int cost,
boolean addTerminator)
Calculates the bcrypt hash of an input, optionally appending the bcrypt password terminator (a single 0x00 byte) to before the EksBlowfishSetup password schedule. |
static byte[] |
passwordToByteArray(char[] password)
Converts a character password to bytes incorporating the required trailing zero byte. |
static byte[] |
pbkdfGenerate(byte[] password,
byte[] salt,
int rounds,
int outputLength)
The OpenSSH password-based key derivation function, as used to protect the private key format (kdfname ). |
| Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Method Detail |
public static byte[] passwordToByteArray(char[] password)
password - the password to be encoded.
public static byte[] generate(byte[] pwInput,
byte[] salt,
int cost)
generate(byte[], byte[], int, boolean) so
the terminator choice is explicit at the call site — pass to
have the spec-required 0x00 terminator appended (equivalent to feeding
through passwordToByteArray(char[])),
when the supplied bytes already include it. For general password hashing prefer
OpenBSDBCrypt, which handles termination, salt formatting and the
modular crypt output line; this raw primitive remains available for test-vector
validation and interop with implementations that emit the 24-byte hash directly
(issue #1741).
passwordToByteArray(char[])).
Without a trailing 0x00 byte, distinct passwords whose encodings differ only by repetition
(e.g. and ) collide and produce identical hashes.
This implements the raw bcrypt function as defined in the bcrypt specification, not
the crypt encoded version implemented in OpenBSD, see OpenBSDBCrypt for that.
pwInput - the password bytes (up to 72 bytes) to use for this invocation.salt - the 128 bit salt to use for this invocation.cost - the bcrypt cost parameter. The cost of the bcrypt function grows as
2^cost. Legal values are 4..31 inclusive.
public static byte[] generate(byte[] pwInput,
byte[] salt,
int cost,
boolean addTerminator)
OpenBSDBCrypt rather than this primitive;
this entry point is intended for callers driving the raw bcrypt function against published
test vectors or interoperating with another implementation that produces the 24-byte raw
hash directly.
Setting is equivalent to feeding bytes produced by
passwordToByteArray(char[]) and is the right choice for any caller that has not
already terminated the input. Setting it passes through
unchanged — appropriate when the supplied bytes are already terminated, or when
reproducing a test vector that fixes the exact input.
When is exactly {@value} (the bcrypt 72-byte input limit), is ignored and the input is used as-is — there is no room for an additional byte without exceeding the limit. Two 72-byte inputs sharing a common prefix may therefore collide in the same way an unterminated shorter input does.
pwInput - the password bytes (up to 72 bytes) to use for this invocation.salt - the 128 bit salt to use for this invocation.cost - the bcrypt cost parameter. The cost of the bcrypt function grows as
2^cost. Legal values are 4..31 inclusive.addTerminator - whether to append the bcrypt password-terminator byte (0x00) to
before the password schedule. Ignored when
is exactly 72.
public static byte[] pbkdfGenerate(byte[] password,
byte[] salt,
int rounds,
int outputLength)
generate(byte[], byte[], int, boolean) / OpenBSDBCrypt.
password - the passphrase bytes (the OpenSSH client uses the raw UTF-8 bytes, with
no trailing NUL).salt - the salt taken from the key's kdfoptions; must be non-empty.rounds - the iteration count from the key's kdfoptions; must be at least 1.outputLength - the number of key bytes to derive (the cipher key length plus IV length);
must be between 1 and 1024 inclusive.
|
Bouncy Castle Cryptography Library 1.85 | |||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | |||||||||