python - 如何修复 scrypt 的无效参数组合？

Question

我使用 Python 3.7.9 从 hashlib 对 scrypt() 进行了以下函数调用:

def aes_encrypt(msg, passwordStr):
    kdfSalt = urandom(16) # 16 bytes == 128 bits
    hashedKey = scrypt(passwordStr.encode(),salt=kdfSalt,n=16384,r=16,p=1, dklen=64) # 64 octets = 512 bits

运行这段代码时，出现错误:

  File "aes_scrypt_hmac.py", line 69, in <module>
    main()
  File "aes_scrypt_hmac.py", line 38, in main
    print(aes_encrypt(sampleData,testPassword))
  File "aes_scrypt_hmac.py", line 18, in aes_encrypt
    hashedKey = scrypt(passwordStr.encode(),salt=kdfSalt,n=16384,r=16,p=1, dklen=64) 
ValueError: Invalid parameter combination for n, r, p, maxmem.

我已阅读 documentation for scrypt ，并且它没有指定参数的期望；尽管它确实链接到 RFC，并且这些参数似乎有效。 maxmem 的具体要求未在文档中提及(例如，0 是什么意思？测量单位是什么)或 RFC 中。

Answer 1

我不得不承认我不确定您打算使用哪个 API。根据 scrypt 的 python 包，API 是 encrypt、decrypt 和 hash，而您使用的是我找不到的东西。

你的方法名为encrypt，但变量名为hashedKey，所以我不确定你是在散列还是在加密，它们显然不同。

但是，这些引用资料可能会有所帮助。

scrypt's python package implementation :

def hash(password, salt, N=1 << 14, r=8, p=1, buflen=64):
    """
    Compute scrypt(password, salt, N, r, p, buflen).
    The parameters r, p, and buflen must satisfy r * p < 2^30 and
    buflen <= (2^32 - 1) * 32. The parameter N must be a power of 2
    greater than 1. N, r and p must all be positive.
    Notes for Python 2:
      - `password` and `salt` must be str instances
      - The result will be a str instance
    Notes for Python 3:
      - `password` and `salt` can be both str and bytes. If they are str
        instances, they wil be encoded with utf-8.
      - The result will be a bytes instance
    Exceptions raised:
      - TypeError on invalid input
      - scrypt.error if scrypt failed
    """

当我使用 Python3 和 PyPi scrypt 包运行以下脚本时，一切正常:

import scrypt
import os

def aes_encrypt(pwd):
    kdfSalt = os.urandom(16) # 16 bytes == 128 bits
    return scrypt.hash(pwd.encode(), salt=kdfSalt, N=16384, r=16, p=1, buflen=64)

Go's scrypt package manual :

Key derives a key from the password, salt, and cost parameters, returning a byte slice of length keyLen that can be used as cryptographic key.

N is a CPU/memory cost parameter, which must be a power of two greater than 1. r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the limits, the function returns a nil byte slice and an error.

For example, you can get a derived key for e.g. AES-256 (which needs a 32-byte key) by doing:

dk, err := scrypt.Key([]byte("some password"), salt, 32768, 8, 1, 32)

The recommended parameters for interactive logins as of 2017 are N=32768, r=8 and p=1. The parameters N, r, and p should be increased as memory latency and CPU parallelism increases; consider setting N to the highest power of 2 you can derive within 100 milliseconds. Remember to get a good random salt.