Next: Implementation Up: A Future-Adaptable Password Scheme Previous: Eksblowfish Algorithm

Bcrypt Algorithm

The problems present in traditional UNIX password hashes led naturally to a new password scheme which we call bcrypt, referring to the Blowfish encryption algorithm. Bcrypt uses a 128-bit salt and encrypts a 192-bit magic value. It takes advantage of the expensive key setup in eksblowfish.

The bcrypt algorithm runs in two phases, sketched in Figure 3. In the first phase, EksBlowfishSetup is called with the cost, the salt, and the password, to initialize eksblowfish's state. Most of bcrypt's time is spent in the expensive key schedule. Following that, the 192-bit value ``OrpheanBeholderScryDoubt'' is encrypted 64 times using eksblowfish in ECB mode with the state from the previous phase. The output is the cost and 128-bit salt concatenated with the result of the encryption loop.

**Figure 3:** The bcrypt algorithm for hashing UNIX passwords, based on eksblowfish.
$\begin{figure} \hfil\vbox{\begin{tabbing} \quad \= \quad \= \kill bcrypt (\texti... ...\textit{cost}, \textit{salt}, \textit{ctext}) \\ \end{tabbing}}\hfil\end{figure}$

In Section 3, we derived that an $\epsilon$ -secure password function should fulfill several important criteria: second preimage-resistance, a salt space large enough to defeat precomputation attacks, and an adaptable cost. We believe that Bcrypt achieves all three properties, and that it can be $\epsilon$ -secure with useful values of $\epsilon$ for years to come. Though we cannot formally prove bcrypt $\epsilon$ -secure, any flaw would likely deal a serious blow to the well-studied blowfish encryption algorithm.

Implementation

Next: Implementation Up: A Future-Adaptable Password Scheme Previous: Eksblowfish Algorithm

Niels Provos and David Mazieres
4/28/1999