问题
I'm currently implementing password hashing using scrypt. I have already found a nice scrypt implementation on GitHub. To my surprise I have also discovered a scrypt implementation in the Bouncy Castle library. The class is not documented, Wikipedia didn't mention Bouncy Castle as scrypt implementation provider and I had real trouble finding any code examples of someone using Bouncy Castles scrypt, so this looks somehow suspicious to me.
On the other hand if I had to choose between a GitHubs crypto implementation and Bouncy Castle, I would prefer Bouncy Castle.
So is the Bouncy Castles scrypt the 'real thing'? And can I use Bouncy Castles scrypt over the JCA provider API (or do I need to call it directly like here: AES-256 encryption workflow in scala with bouncy castle: salt and IV usage and transfer/storage)?
EDIT: Best answer I could get by now: https://www.bouncycastle.org/devmailarchive/msg13653.html
回答1:
So that people don't have to go to an external site for an answer:
- Make sure bouncy castle jars are on your build path
Import SCrypt like so:
import org.bouncycastle.crypto.generators.SCrypt;Use SCrypt like so:
byte[] sCryptHash = SCrypt.generate(plaintext.getBytes(), salt.getBytes(), cpuDifficultyFactor, memoryDifficultyFactor, parallelismDifficultyFactor, outputLength);
回答2:
You can use the SCrypt class with its static method generate like this:
SCrypt.generate(passwordBytes, salt, costParam, blockSize, parallelization, passwordLength);
I can't really say what values you should use for costParam, blockSize or parallelization, the documentation doesn't say much to it. In our studies we used 8 for every of those.
Link to their docus: BCrypt - https://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/generators/BCrypt.html SCrypt - https://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/generators/SCrypt.html
来源:https://stackoverflow.com/questions/22226867/bouncy-castle-scrypt-implementation