Check out the new USENIX Web site. next up previous
Next: Implementation Up: A Future-Adaptable Password Scheme Previous: Eksblowfish Algorithm

Bcrypt Algorithm

 The problems present in traditional UNIX password hashes led naturally to a new password scheme which we call bcrypt, referring to the Blowfish encryption algorithm. Bcrypt uses a 128-bit salt and encrypts a 192-bit magic value. It takes advantage of the expensive key setup in eksblowfish.

The bcrypt algorithm runs in two phases, sketched in Figure 3. In the first phase, EksBlowfishSetup is called with the cost, the salt, and the password, to initialize eksblowfish's state. Most of bcrypt's time is spent in the expensive key schedule. Following that, the 192-bit value ``OrpheanBeholderScryDoubt'' is encrypted 64 times using eksblowfish in ECB mode with the state from the previous phase. The output is the cost and 128-bit salt concatenated with the result of the encryption loop.


  
Figure 3: The bcrypt algorithm for hashing UNIX passwords, based on eksblowfish.
\begin{figure}
\hfil\vbox{\begin{tabbing}
\quad \= \quad \= \kill
bcrypt (\texti...
 ...\textit{cost}, \textit{salt}, \textit{ctext}) \\ \end{tabbing}}\hfil\end{figure}

In Section 3, we derived that an $\epsilon$-secure password function should fulfill several important criteria: second preimage-resistance, a salt space large enough to defeat precomputation attacks, and an adaptable cost. We believe that Bcrypt achieves all three properties, and that it can be $\epsilon$-secure with useful values of $\epsilon$ for years to come. Though we cannot formally prove bcrypt $\epsilon$-secure, any flaw would likely deal a serious blow to the well-studied blowfish encryption algorithm.



 
next up previous
Next: Implementation Up: A Future-Adaptable Password Scheme Previous: Eksblowfish Algorithm
Niels Provos and David Mazieres
4/28/1999