Next: Implementation Up: A Future-Adaptable Password Scheme Previous: Eksblowfish AlgorithmThe problems present in traditional UNIX password hashes led naturallyto a new password scheme which we call bcrypt, referring to theBlowfish encryption algorithm. Bcrypt uses a 128-bit salt andencrypts a 192-bit magic value. It takes advantage of the expensivekey setup in eksblowfish.
The bcrypt algorithm runs in two phases, sketched inFigure3. In the first phase, EksBlowfishSetup iscalled with the cost, the salt, and the password, to initializeeksblowfish's state. Most of bcrypt's time is spent in theexpensive key schedule. Following that, the 192-bit value``OrpheanBeholderScryDoubt'' is encrypted 64 times usingeksblowfish in ECB mode with the state from the previousphase. The output is the cost and 128-bit salt concatenated with theresult of the encryption loop.
 |
In Section3, we derived that an 
-securepassword function should fulfill several important criteria: secondpreimage-resistance, a salt space large enough to defeatprecomputation attacks, and an adaptable cost. We believe thatBcrypt achieves all three properties, and that it can be-secure with useful values of for years to come.Though we cannot formally prove bcrypt -secure, anyflaw would likely deal a serious blow to the well-studied blowfishencryption algorithm.
Next: Implementation Up: A Future-Adaptable Password Scheme Previous: Eksblowfish AlgorithmNiels Provos and David Mazieres
4/28/1999
