Use SCrypt for passphrase encryption

[pkarman]

Why: A crypto model everyone can agree on.

[pkarman]

marked as DO NOT MERGE until we get NIST and USCIS sign-off.

[pkarman]

cc: @alex @regenscheid @bandrzej -- would love your 👀 on this please.

[monfresh]

When you get a chance, could you please run benchmarks to see how long it takes to generate a password with the current settings?

[pkarman]

Comparison:
bcrypt 10 stretches                          :       16.3 i/s
pbkdf2 50000 iterations                   :       15.8 i/s - same-ish: difference falls within error
SCrypt key_len 64 salt_size 32:       14.8 i/s - same-ish: difference falls within error
SCrypt key_len 64 salt_size 8:       13.3 i/s - same-ish: difference falls within error
SCrypt key_len 128 salt_size 32:       13.1 i/s - same-ish: difference falls within error
SCrypt key_len 128 salt_size 16:       13.0 i/s - same-ish: difference falls within error
SCrypt key_len 32 salt_size 32:       12.9 i/s - same-ish: difference falls within error
SCrypt key_len 16 salt_size 16:       12.8 i/s - same-ish: difference falls within error
SCrypt key_len 128 salt_size 8:       12.6 i/s - same-ish: difference falls within error
SCrypt key_len 64 salt_size 16:       12.6 i/s - same-ish: difference falls within error
SCrypt key_len 32 salt_size 16:       12.5 i/s - same-ish: difference falls within error
SCrypt key_len 16 salt_size 8:       12.1 i/s - same-ish: difference falls within error
SCrypt key_len 32 salt_size 8:       12.0 i/s - same-ish: difference falls within error
SCrypt key_len 16 salt_size 32:       11.8 i/s - same-ish: difference falls within error
bcrypt 11 stretches                          :        8.3 i/s - 1.97x slower
pbkdf2 100000 iterations                   :        8.1 i/s - 2.02x slower
pbkdf2 200000 iterations                   :        4.1 i/s - 4.00x slower
bcrypt 12 stretches                          :        3.9 i/s - 4.18x slower
pbkdf2 400000 iterations                   :        2.0 i/s - 8.02x slower
bcrypt 13 stretches                          :        2.0 i/s - 8.33x slower
pbkdf2 800000 iterations                   :        1.0 i/s - 16.26x slower
bcrypt 14 stretches                          :        1.0 i/s - 16.46x slower

[monfresh]

Interesting. The current scrypt settings are 1.78x faster than the default 11 stretches for BCrypt. Should we increase the scrypt settings so that it's as slow as BCrypt, or are the current settings secure enough that we should be happy about the speed improvement?

[pkarman]

afaik, scrypt derives some advantages over bcrypt and pbkdf2 not because of its speed but because of how memory resource intensive it is. So it's not a strict apples-vs-apples comparison.

Still, I think we might slow it down with some other config settings.

[jgrevich]

So it's not a strict apples-vs-apples comparison.

Correct. I think this article has a good description of the various hashing algorithms that we've considered (sans Argon2): https://medium.com/@mpreziuso/password-hashing-pbkdf2-scrypt-bcrypt-1ef4bb9c19b3#.3nh9cxd1s (also: https://en.wikipedia.org/wiki/Memory_bound_function)

Still, I think we might slow it down with some other config settings.

I agree and would like to do some experimentation around this. Off the bat i'd like to suggest that we should pay the cost for memory rich server instances if they prove effective.

[pkarman]

The SCrypt max_time config option is the meaningful switch:

Calculating -------------------------------------
 bcrypt 10 stretches     15.653  (± 6.4%) i/s -     79.000  in   5.061106s
 bcrypt 11 stretches      7.835  (± 0.0%) i/s -     40.000  in   5.111118s
 bcrypt 12 stretches      3.908  (± 0.0%) i/s -     20.000  in   5.120619s
 bcrypt 13 stretches      1.942  (± 0.0%) i/s -     10.000  in   5.150612s
 bcrypt 14 stretches      0.971  (± 0.0%) i/s -      5.000  in   5.148008s
 SCrypt max_time 0.3      8.174  (±36.7%) i/s -     36.000  in   5.056465s
 SCrypt max_time 0.4      5.518  (±36.2%) i/s -     25.000  in   5.258364s
 SCrypt max_time 0.5      4.118  (±48.6%) i/s -     19.000  in   5.247450s
 SCrypt max_time 0.6      2.839  (±35.2%) i/s -     14.000  in   5.281032s
  pbkdf2 50000 iters     16.526  (± 6.1%) i/s -     83.000  in   5.047569s
 pbkdf2 100000 iters      8.081  (± 0.0%) i/s -     41.000  in   5.084318s
 pbkdf2 200000 iters      4.111  (± 0.0%) i/s -     21.000  in   5.114408s
 pbkdf2 400000 iters      2.063  (± 0.0%) i/s -     11.000  in   5.337527s
 pbkdf2 800000 iters      1.036  (± 0.0%) i/s -      6.000  in   5.790325s

Comparison:
  pbkdf2 50000 iters:       16.5 i/s
 bcrypt 10 stretches:       15.7 i/s - same-ish: difference falls within error
 SCrypt max_time 0.3:        8.2 i/s - 2.02x slower
 pbkdf2 100000 iters:        8.1 i/s - 2.05x slower
 bcrypt 11 stretches:        7.8 i/s - 2.11x slower
 SCrypt max_time 0.4:        5.5 i/s - 3.00x slower
 SCrypt max_time 0.5:        4.1 i/s - 4.01x slower
 pbkdf2 200000 iters:        4.1 i/s - 4.02x slower
 bcrypt 12 stretches:        3.9 i/s - 4.23x slower
 SCrypt max_time 0.6:        2.8 i/s - 5.82x slower
 pbkdf2 400000 iters:        2.1 i/s - 8.01x slower
 bcrypt 13 stretches:        1.9 i/s - 8.51x slower
 pbkdf2 800000 iters:        1.0 i/s - 15.95x slower
 bcrypt 14 stretches:        1.0 i/s - 17.01x slower

[pkarman]

this particular implementation isn't truly finished and we will probably end up with a custom encryptor to help integrate more closely with how we encrypt PII.