1

I'm writing an application in Java using Bouncy Castle but I still would like to write my code as portable as possible, going through the Java Cryptography Architecture. Is it possible to access the SCrypt algorithm through the JCA?

In the list of algorithms for SecretKeyFactory it's not present, it only has:

  • AES
  • ARCFOUR
  • DES
  • DESede
  • PBEWithAnd
  • PBEWithAnd
    • PBEWithMD5AndDES (PKCS5, v 1.5),
    • PBEWithHmacSHA256AndAES_128 (PKCS5, v 2.0)
  • PBKDF2WithHmacSHA1

And actually, the document doesn't mention Scrypt anywhere.

Pablo Fernandez
  • 279,434
  • 135
  • 377
  • 622
  • Well those wouldn't list it of course. Those are the standard ones that come with the default implementation. If you're using a different provider like BC, they will be listed in *their* documentation. However, considering that scrypt is a bit more complex than most older hash algorithms, it may be that you can't write JCA only code and just add BC as a provider. So you'll be making the code directly dependent on BC packages. – Kayaman Aug 31 '17 at 12:05
  • For password derivation and password verifiers you can use `PBKDF2`, this is the NIST recommendation and a standard. Some implementations of `PBKDF21` are named `Rfc2898DeriveBytes` after the RFC number. – zaph Aug 31 '17 at 12:13
  • @zaph: my understanding is that Scrypt and PBKDF2 have similar strength to CPU attacks and Scrypt, due to being memory intensive, can also withstand GPU attacks much better than PBKDF2; so, why would I chose PBKDF2 over Scrypt? – Pablo Fernandez Aug 31 '17 at 12:14
  • 1
    PBKDF2 is an approved standard and available across most platforms. There is minimal security difference for the vast majority of usages. – zaph Aug 31 '17 at 12:21
  • 1
    If you have create your threat model (in writing) and determined that the difference between PBDKF2 and Scrypt is the highest vulnerability then Scrypt is the correct choice. There are many other encryption security issues that may pose security vulnerabilities, such as lack of encrypt then MAC, returning padding errors, not using a random IV on each encryption. – zaph Aug 31 '17 at 12:49
  • Furthermore, according to [this](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html), any provider of a SecretKeyFactory must be in a signed (by Oracle or IBM) jar. That is probably too high a bar for you to implement your own provider containing a SecretKeyFactory for scrypt. – President James K. Polk Aug 31 '17 at 14:46

1 Answers1

3

Have you seen the other thread here on StackOverflow? That points to a mail of the BS mailing list where this is discussed.

Money Quote:

Scrypt isn’t exposed by the BC JCE provider

So if it isn't listed now in the list of available ciphers, it seems that this point is still the case.

I checked the available ciphers available on Java 8 with BC 1.54.0 and these are the available secret key factory algorithms (excluding aliases):

SecretKeyFactory.DES
SecretKeyFactory.DESEDE
SecretKeyFactory.DESede
SecretKeyFactory.PBEWITHHMACGOST3411
SecretKeyFactory.PBEWITHHMACRIPEMD160
SecretKeyFactory.PBEWITHHMACSHA1
SecretKeyFactory.PBEWITHHMACSHA256
SecretKeyFactory.PBEWITHHMACTIGER
SecretKeyFactory.PBEWITHMD2ANDDES
SecretKeyFactory.PBEWITHMD2ANDRC2
SecretKeyFactory.PBEWITHMD5AND128BITAES-CBC-OPENSSL
SecretKeyFactory.PBEWITHMD5AND192BITAES-CBC-OPENSSL
SecretKeyFactory.PBEWITHMD5AND256BITAES-CBC-OPENSSL
SecretKeyFactory.PBEWITHMD5ANDDES
SecretKeyFactory.PBEWITHMD5ANDRC2
SecretKeyFactory.PBEWITHSHA1ANDDES
SecretKeyFactory.PBEWITHSHA1ANDRC2
SecretKeyFactory.PBEWITHSHA256AND128BITAES-CBC-BC
SecretKeyFactory.PBEWITHSHA256AND192BITAES-CBC-BC
SecretKeyFactory.PBEWITHSHA256AND256BITAES-CBC-BC
SecretKeyFactory.PBEWITHSHAAND128BITAES-CBC-BC
SecretKeyFactory.PBEWITHSHAAND128BITRC2-CBC
SecretKeyFactory.PBEWITHSHAAND128BITRC4
SecretKeyFactory.PBEWITHSHAAND192BITAES-CBC-BC
SecretKeyFactory.PBEWITHSHAAND2-KEYTRIPLEDES-CBC
SecretKeyFactory.PBEWITHSHAAND256BITAES-CBC-BC
SecretKeyFactory.PBEWITHSHAAND3-KEYTRIPLEDES-CBC
SecretKeyFactory.PBEWITHSHAAND40BITRC2-CBC
SecretKeyFactory.PBEWITHSHAAND40BITRC4
SecretKeyFactory.PBEWITHSHAANDIDEA-CBC
SecretKeyFactory.PBEWITHSHAANDTWOFISH-CBC
SecretKeyFactory.PBEWithHmacSHA1AndAES_128
SecretKeyFactory.PBEWithHmacSHA1AndAES_256
SecretKeyFactory.PBEWithHmacSHA224AndAES_128
SecretKeyFactory.PBEWithHmacSHA224AndAES_256
SecretKeyFactory.PBEWithHmacSHA256AndAES_128
SecretKeyFactory.PBEWithHmacSHA256AndAES_256
SecretKeyFactory.PBEWithHmacSHA384AndAES_128
SecretKeyFactory.PBEWithHmacSHA384AndAES_256
SecretKeyFactory.PBEWithHmacSHA512AndAES_128
SecretKeyFactory.PBEWithHmacSHA512AndAES_256
SecretKeyFactory.PBEWithMD5AndDES
SecretKeyFactory.PBEWithMD5AndTripleDES
SecretKeyFactory.PBEWithSHA1AndDESede
SecretKeyFactory.PBEWithSHA1AndRC2_128
SecretKeyFactory.PBEWithSHA1AndRC2_40
SecretKeyFactory.PBEWithSHA1AndRC4_128
SecretKeyFactory.PBEWithSHA1AndRC4_40
SecretKeyFactory.PBKDF-OPENSSL SecretKeyFactory.PBKDF2
SecretKeyFactory.PBKDF2WITHASCII
SecretKeyFactory.PBKDF2WithHmacSHA1
SecretKeyFactory.PBKDF2WithHmacSHA1And8BIT
SecretKeyFactory.PBKDF2WithHmacSHA224
SecretKeyFactory.PBKDF2WithHmacSHA256
SecretKeyFactory.PBKDF2WithHmacSHA384
SecretKeyFactory.PBKDF2WithHmacSHA512

I also grepped through the other service types, no mention of scrypt there, either.

Lothar
  • 5,323
  • 1
  • 11
  • 27