I have to use password-based encryption for dealing with metadata files in my application.

While reading, I came across three options: bcrypt, scrypt, and PBKDF2. I read something about them, but I found nothing convincing and satisfactory to help decide which one is best to use.

I would like to have a comparative analysis of these three technologies with respect to security.

jonsca
madhvi

1 Answer

Just to be clear, these algorithms are password hashing algorithms that could be used for creating an encryption key. These are not encryption routines by themselves. If you are asking about encryption routines (such as AES), please edit your question.

If your question is about key derivation (so you can create a key to feed your encryption routine):

I asked a similar, if not duplicate, question myself.

  • PBKDF2 is specifically designed for key derivation.
  • bcrypt can be used for this as well, though it was not necessarily designed for key derivation (slight minus), but for hashing (still works). It is newer (minus), but still sufficiently vetted (mostly removes the minus). It is less convenient to use GPUs on it (plus), due to the extra memory overhead. (If memory serves me right, I won't be corrected on this.)
  • scrypt is newer and considered promising, though not as well vetted as the other two (a minus). I expect that this, like bcrypt, is designed for password hashing, but not necessarily for key derivation. If you use this, you may consider adding a more proven routine to the formula, as this is not a proven routine on its own.

I would use PBKDF2 and bcrypt both, and XOR the two results together, because I like that PBKDF2 was designed for key derivation, and that bcrypt is more resistant to GPUs. But I may be over-designing.

At any rate, make sure your routine takes a long time. If you do not adjust the hashes properly, and it completes too quickly, then an offline brute-force may become feasible. I recommend 50-500ms. Keep in mind that newer hardware will speed this up, and that hackers may speed it up even more if they invest, or maybe just rent a cloud/cluster. Both of these mean you should adjust the hashes to repeat as much as possible, stopping just before you have a "slow problem", because it will do nothing except speed up over time.

700 Software
  • Ya, my question is to derive a key from the user password to encrypt files using AES. I want to know about a comparative analysis with respect to security between bcrypt and PBKDF2. – madhvi May 12 '12 at 05:07
  • Yes, in describing bcrypt, the pluses and minuses are compared to PBKDF2. That is the comparison, without entering into the cryptography specifics. I see that as unnecessary. – 700 Software May 14 '12 at 19:02
  • @madhvi, both routines are great for the job; I typed out what makes bcrypt better or worse. If there is anything you are unclear on, just say so, and maybe it can be clarified. – 700 Software May 17 '12 at 13:02
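
As an added example (not code from the answer or its author), one way to follow the answer's advice on tuning PBKDF2 to a target time while still being able to re-derive the AES key later: time a probe run on this machine, scale the iteration count, and store the count and salt beside the encrypted file. The header layout, `MAGIC`, the `FLOOR`/`CEILING` bounds and all function names are assumptions made for this illustration.

```python
import hashlib
import os
import struct
import time

KEY_LEN = 32                        # AES-256 key size in bytes
SALT_LEN = 16
MAGIC = b"KDF1"                     # constructed file magic (assumption)
HEADER = struct.Struct(">4sI16s")   # magic, iteration count, salt
FLOOR, CEILING = 100_000, 50_000_000   # assumed sanity bounds on the count


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 producing a key for the cipher (e.g. AES)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def calibrate(target_ms: float = 250.0, probe: int = 20_000) -> int:
    """Scale a timed probe run to an iteration count costing ~target_ms here."""
    start = time.perf_counter()
    derive("calibration", b"\x00" * SALT_LEN, probe)
    elapsed_ms = max((time.perf_counter() - start) * 1000.0, 0.001)
    scaled = int(probe * target_ms / elapsed_ms)
    return min(max(scaled, FLOOR), CEILING)   # clamp noisy measurements


def new_key(password: str, target_ms: float = 250.0):
    """Create salt + tuned count; return (header to store, derived key)."""
    salt = os.urandom(SALT_LEN)
    iterations = calibrate(target_ms)
    return HEADER.pack(MAGIC, iterations, salt), derive(password, salt, iterations)


def key_from_header(password: str, header: bytes) -> bytes:
    """Re-derive the key later using the parameters stored with the file."""
    magic, iterations, salt = HEADER.unpack(header)
    if magic != MAGIC or not FLOOR <= iterations <= CEILING:
        raise ValueError("bad or out-of-range KDF header")   # refuse absurd work factors
    return derive(password, salt, iterations)


if __name__ == "__main__":
    header, key = new_key("correct horse battery staple")
    print(HEADER.unpack(header)[1], "iterations;",
          key_from_header("correct horse battery staple", header) == key)
```

Because the count travels in the header, files written later on faster hardware pick up a higher count from `calibrate` while older files stay readable.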