NAME

Authen::Passphrase::BlowfishCrypt - passphrases using the Blowfish-based Unix crypt()

SYNOPSIS

use Authen::Passphrase::BlowfishCrypt;

$ppr = Authen::Passphrase::BlowfishCrypt->new(
	cost => 8,
	salt => "sodium__chloride",
	hash_base64 => "BPZijhMHLvPeNMHd6XwZyNamOXVBTPi");

$key_nul = $ppr->key_nul;
$cost = $ppr->cost;
$cost = $ppr->keying_nrounds_log2;
$salt = $ppr->salt;
$salt_base64 = $ppr->salt_base64;
$hash = $ppr->hash;
$hash_base64 = $ppr->hash_base64;

if($ppr->match($passphrase)) { ...

$passwd = $ppr->as_crypt;
$userPassword = $ppr->as_rfc2307;

DESCRIPTION

An object of this class encapsulates a passphrase hashed using the Blowfish-based Unix crypt() hash function, known as "bcrypt". This is a subclass of Authen::Passphrase, and this document assumes that the reader is familiar with the documentation for that class.

The crypt() function in a modern Unix actually supports several different passphrase schemes. This class is concerned only with one particular scheme, a Blowfish-based algorithm designed by Niels Provos and David Mazieres for OpenBSD. To handle the whole range of passphrase schemes supported by the modern crypt(), see the from_crypt constructor and the as_crypt method in Authen::Passphrase.

The Blowfish-based crypt() scheme uses a variant of Blowfish called "Eksblowfish", for "expensive key schedule Blowfish". It has the cryptographic strength of Blowfish, and a very slow key setup phase to resist brute-force attacks. There is a "cost" parameter to the scheme: the length of key setup is proportional to 2^cost. There is a 128-bit salt. Up to 72 characters of the passphrase will be used; any more will be ignored.

The cost, salt, and passphrase are all used to (very slowly) key Eksblowfish. Once key setup is done, the string "OrpheanBeholderScryDoubt" (three Blowfish blocks long) is encrypted 64 times in ECB mode. The final byte of the ciphertext is then dropped, yielding a 23-byte hash.

In the crypt() function the salt and hash are represented in ASCII using a base 64 encoding. The base 64 digits are ".", "/", "A" to "Z", "a" to "z", "0" to "9" (in that order). The 16-byte salt is represented as 22 base 64 digits, and the 23-byte hash as 31 base 64 digits.

CONSTRUCTOR

Authen::Passphrase::BlowfishCrypt->new(ATTR => VALUE, ...)

Generates a new passphrase recogniser object using the generalised DES-based crypt() algorithm. The following attributes may be given:

key_nul

Boolean indicating whether to append a NUL to the passphrase before using it as a key. The algorithm as originally devised does not do this, but it was later modified to do it. The version that does append NUL is to be preferred. Default true.

cost

Base-two logarithm of the number of keying rounds to perform.

keying_nrounds_log2

Synonym for cost.

salt

The salt, as a 16-byte string.

salt_base64

The salt, as a string of 22 base 64 digits.

hash

The hash, as a 23-byte string.

hash_base64

The hash, as a string of 31 base 64 digits.

The cost, salt, and hash must all be given.

METHODS

$ppr->key_nul

Returns a boolean indicating whether a NUL will be appended to the passphrase before using it as a key.

$ppr->cost

Returns the base-two logarithm of the number of keying rounds that will be performed.

$ppr->keying_nrounds_log2

Synonym for cost.

$ppr->salt

Returns the salt, as a string of sixteen bytes.

$ppr->salt_base64

Returns the salt, as a string of 22 base 64 digits.

$ppr->hash

Returns the hash value, as a string of 23 bytes.

$ppr->hash_base64

Returns the hash value, as a string of 31 base 64 digits.

$ppr->match(PASSPHRASE)

$ppr->as_crypt

$ppr->as_rfc2307

These methods are part of the standard Authen::Passphrase interface.

SEE ALSO

Authen::Passphrase, Crypt::Eksblowfish::Bcrypt

AUTHOR

Andrew Main (Zefram) <zefram@fysh.org>

COPYRIGHT

Copyright (C) 2006 Andrew Main (Zefram) <zefram@fysh.org>

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.