GitBucket
4.21.2
Toggle navigation
Snippets
Sign in
Files
Branches
1
Releases
Issues
2
Pull requests
Labels
Priorities
Milestones
Wiki
Forks
mark.george
/
BouncyScrypt
Browse code
Update README.md
master
1 parent
4af7416
commit
58c74c81bb4bece52f5b13c8d9842058f23ad289
Mark George
authored
on 2 Oct 2021
Patch
Showing
1 changed file
README.md
Ignore Space
Show notes
View
README.md
# BouncyScrypt A facade for salted password hashing with scrypt using Bouncy Castle. Generates output that is in a format similar to Modular Crypt Format (MCF). The output includes the following fields (separated by a `$` character): * The work factors that were used bit-packed into a single `Integer`. * The Base64 encoded generated salt. * The Base64 encoded derived hash. The result looks like: ``` $919553$mshp5K/vaKkdSzbRqqMTLwr76eSurBsTuVCIIDxuZEE6u093MHBk0Miaq3Qp/Vd7QdP/WeOglVg6W/omiNfC8g==$eV7FfnHnmwyCU8i4rAHQ6NO5RZp53/V1Wr3jsFCc1BqM6yvmGp6BfG7VFrmz21cFlzf4F/aPkgRuO5DRBHgIPQ==$ ``` The salts are generated using Java's SHA1PRNG secure psuedo-random number generator. The standard scrypt work factors are used: * N = 32768 * r = 8 * p = 1 Both the generated salt and the derived hash (`dkLen`) are 64 bytes. The generated output is 186 characters. # API ```java // generate a hash public static CharBuffer hash(CharSequence password) // check a password against a hash public static boolean check(CharSequence mcfHash, CharSequence password) ``` # Usage The API uses `CharSequence` objects as input and `CharBuffer` objects as output. This gives us a couple of choices: * Use `String` objects for simplicity. The downside of `String` objects is that they are immutable meaning that we can't overwrite the sensitive data when we are finished with it. * Use `char[]` and `CharBuffer` objects so that we can overwrite the data when we are finished with it. ## Simple mode (using Strings) Generating a hash: ```java String password = "testing123"; String hash = ScryptHelper.hash(password).toString(); ``` Checking a password against a hash: ```java boolean isValid = ScryptHelper.check(hash, password); ``` ## Paranoid mode (using char[] and CharBuffer objects) Generating a hash: ```java char[] password = "testing123".toCharArray(); CharBuffer cb = CharBuffer.wrap(password); CharBuffer hash = ScryptHelper.hash(cb); ``` Checking a hash against a password: ```java boolean isValid = ScryptHelper.check(hash, cb); ``` Overwriting the sensitive data once you have finished with it: ```java Arrays.fill(password, '0'); Arrays.fill(hash.array(), '0'); ``` # Disclaimer I am not a cryptographer. Use at your own risk. # License Copyright 2018, Mark George FreeBSD License (BSD-2-Clause) https://opensource.org/licenses/BSD-2-Clause
# BouncyScrypt A facade for salted password hashing with scrypt using Bouncy Castle. Generates output that is in a format similar to Modular Crypt Format (MCF). The output includes the following fields (separated by a `$` character): * The work factors that were used bit-packed into a single `Integer`. * The Base64 encoded generated salt. * The Base64 encoded derived hash. The result looks like: ``` $919553$mshp5K/vaKkdSzbRqqMTLwr76eSurBsTuVCIIDxuZEE6u093MHBk0Miaq3Qp/Vd7QdP/WeOglVg6W/omiNfC8g==$eV7FfnHnmwyCU8i4rAHQ6NO5RZp53/V1Wr3jsFCc1BqM6yvmGp6BfG7VFrmz21cFlzf4F/aPkgRuO5DRBHgIPQ==$ ``` The salts are generated using Java's SHA1PRNG secure psuedo-random number generator. The standard scrypt work factors are used: * N = 16384 * r = 8 * p = 1 Both the generated salt and the derived hash (`dkLen`) are 64 bytes. The generated output is 186 characters. # API ```java // generate a hash public static CharBuffer hash(CharSequence password) // check a password against a hash public static boolean check(CharSequence mcfHash, CharSequence password) ``` # Usage The API uses `CharSequence` objects as input and `CharBuffer` objects as output. This gives us a couple of choices: * Use `String` objects for simplicity. The downside of `String` objects is that they are immutable meaning that we can't overwrite the sensitive data when we are finished with it. * Use `char[]` and `CharBuffer` objects so that we can overwrite the data when we are finished with it. ## Simple mode (using Strings) Generating a hash: ```java String password = "testing123"; String hash = ScryptHelper.hash(password).toString(); ``` Checking a password against a hash: ```java boolean isValid = ScryptHelper.check(hash, password); ``` ## Paranoid mode (using char[] and CharBuffer objects) Generating a hash: ```java char[] password = "testing123".toCharArray(); CharBuffer cb = CharBuffer.wrap(password); CharBuffer hash = ScryptHelper.hash(cb); ``` Checking a hash against a password: ```java boolean isValid = ScryptHelper.check(hash, cb); ``` Overwriting the sensitive data once you have finished with it: ```java Arrays.fill(password, '0'); Arrays.fill(hash.array(), '0'); ``` # Disclaimer I am not a cryptographer. Use at your own risk. # License Copyright 2018, Mark George FreeBSD License (BSD-2-Clause) https://opensource.org/licenses/BSD-2-Clause
Show line notes below