Documentation ¶
Overview ¶
scryptauth is a Go library for secure password handling using scrypt.
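It uses sha256_hmac(scrypt(user_password, salt), server_key) to protect against both dictionary attacks and DB leaks: scrypt makes each password guess expensive, and the HMAC means a leaked DB cannot be checked offline without server_key. The second protection holds only if server_key is stored separately from the DB.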
scryptauth additionally provides encode/decode routines using base64 to create strings for storing into a DB.
Copyright: Michael Gebetsroither 2012 (michael \x40 mgeb \x2e org)
License: BSD 2 clause
Constants ¶
const (
	// KEYLENGTH is the length, in bytes, of both the key and the salt:
	// 32 bytes (256 bits).
	KEYLENGTH = 32
	// Default values for the scrypt r and p parameters.
	// NOTE(review): presumably what New assigns to ScryptAuth.R and
	// ScryptAuth.P; New's body is not shown here, so confirm.
	SCRYPT_CONST_R = 8
	SCRYPT_CONST_P = 1
)
Functions ¶
func DecodeBase64 ¶
Parses "pw_cost:base64(hash):base64(salt)"
Example ¶
Sample function to verify stored hash from DB
// Placeholder key for this example only. In production, use a randomly
// generated key and keep it apart from the password DB; the HMAC adds
// nothing against a DB leak if the key leaks with it.
hmacKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
// Record as stored in the DB: "pw_cost:base64(hash):base64(salt)".
stored := "12:3Tnrsg5-QaM7OsyRvqcBv9qS-jqGxzRIXQqvbTUf894=:HrHzQ4S016BffZ2TmwLRYYiIggfSmkwKdEtd1Pk_b-I="
password := []byte("bar")

auth, err := New(12, hmacKey)
if err != nil {
	fmt.Print(err)
	return
}

// Cost, reference hash and salt are all recovered from the stored record.
cost, refHash, salt, err := DecodeBase64(stored)
if err != nil {
	fmt.Print(err)
	return
}

// NOTE(review): cost comes from storage and scrypt's N is 1<<cost, so a
// corrupted or tampered record could request a very expensive hash. Confirm
// whether Check bounds it; otherwise range-check cost before this call.
// NOTE(review): err is only reported together with a failed match; whether
// Check returns a non-nil err on a plain mismatch is not visible here.
match, err := auth.Check(cost, refHash, password, salt)
if !match {
	fmt.Printf("Error wrong password for user (%s)", err)
	return
}
fmt.Print("ok")
Output: ok
func EncodeBase64 ¶
Encodes into "pw_cost:base64(hash):base64(salt)"
Example ¶
Sample Function to generate new password hash for storing in DB
// Placeholder key for this example only. In production, use a randomly
// generated key and keep it apart from the password DB.
hmacKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
password := []byte("test123")

auth, err := New(12, hmacKey)
if err != nil {
	fmt.Print(err)
	return
}

// Gen returns the hash together with the salt it created for it.
digest, salt, err := auth.Gen(password)
if err != nil {
	fmt.Print(err)
	return
}

// Serialise as "pw_cost:base64(hash):base64(salt)" for storing in the DB.
// The cost is stored with the record and is passed back to Check later.
fmt.Print(EncodeBase64(auth.PwCost, digest, salt))
Output:
Types ¶
type ScryptAuth ¶
// ScryptAuth carries the HMAC key and the scrypt parameters; Gen and Check
// are defined on it.
type ScryptAuth struct {
	// HmacKey is the HMAC key used to secure the scrypt hash. The field is
	// exported, so formatting or logging the struct (e.g. with %+v) prints
	// the key.
	HmacKey []byte
	// PwCost is used to calculate the N parameter of scrypt (1<<PwCost == N).
	PwCost uint
	// scrypt parameters r and p
	R int
	P int
}
func New ¶
func New(pw_cost uint, hmac_key []byte) (*ScryptAuth, error)
Initialise ScryptAuth struct
func (ScryptAuth) Check ¶
func (s ScryptAuth) Check(pw_cost uint, hash_ref, user_password, salt []byte) (chk bool, err error)
Check / Verify user_password against hash_ref/salt
func (ScryptAuth) Gen ¶
func (s ScryptAuth) Gen(user_password []byte) (hash, salt []byte, err error)
Generates hash_ref and creates a new salt from crypto/rand
Example ¶
Example showing how to generate a hash of user_password
// Placeholder key for this example only. In production, use a randomly
// generated key and keep it apart from the password DB.
hmacKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
password := []byte("test123")

// New instance of scryptauth with strength factor 12 and the HMAC key.
auth, err := New(12, hmacKey)
if err != nil {
	fmt.Print(err)
	return
}

// Gen creates a fresh salt on every call, so the printed values differ from
// run to run.
digest, salt, err := auth.Gen(password)
if err != nil {
	fmt.Print(err)
	return
}

// Printed for illustration only; a service would store these values rather
// than write them to output or logs.
fmt.Printf("hash=%x salt=%x\n", digest, salt)
Output: