NAME

       Authen::Passphrase::BlowfishCrypt - passphrases using the Blowfish-based Unix crypt()

SYNOPSIS

               use Authen::Passphrase::BlowfishCrypt;

               $ppr = Authen::Passphrase::BlowfishCrypt->new(
                       cost => 8,
                       salt => "sodium__chloride",
                       hash_base64 => "BPZijhMHLvPeNMHd6XwZyNamOXVBTPi");

               $ppr = Authen::Passphrase::BlowfishCrypt->new(
                       cost => 8, salt_random => 1,
                       passphrase => "passphrase");

               $ppr = Authen::Passphrase::BlowfishCrypt->from_crypt(
                       '$2a$08$a07iYVTrVz7hYEvtakjiXOB'.
                       'PZijhMHLvPeNMHd6XwZyNamOXVBTPi');

               $ppr = Authen::Passphrase::BlowfishCrypt->from_rfc2307(
                       '{CRYPT}$2a$08$a07iYVTrVz7hYEvtakjiXOB'.
                       'PZijhMHLvPeNMHd6XwZyNamOXVBTPi');

               $key_nul = $ppr->key_nul;
               $cost = $ppr->cost;
               $cost = $ppr->keying_nrounds_log2;
               $salt = $ppr->salt;
               $salt_base64 = $ppr->salt_base64;
               $hash = $ppr->hash;
               $hash_base64 = $ppr->hash_base64;

               if($ppr->match($passphrase)) { ...

               $passwd = $ppr->as_crypt;
               $userPassword = $ppr->as_rfc2307;

DESCRIPTION

       An object of this class encapsulates a passphrase hashed using the Blowfish-based Unix crypt() hash
       function, known as "bcrypt".  This is a subclass of Authen::Passphrase, and this document assumes that
       the reader is familiar with the documentation for that class.

       The crypt() function in a modern Unix actually supports several different passphrase schemes.  This class
       is concerned only with one particular scheme, a Blowfish-based algorithm designed by Niels Provos and
       David Mazieres for OpenBSD.  To handle the whole range of passphrase schemes supported by the modern
       crypt(), see the from_crypt constructor and the as_crypt method in Authen::Passphrase.

       The Blowfish-based crypt() scheme uses a variant of Blowfish called "Eksblowfish", for "expensive key
       schedule Blowfish".  It has the cryptographic strength of Blowfish, and a very slow key setup phase to
       resist brute-force attacks.  There is a "cost" parameter to the scheme: the length of key setup is
       proportional to 2^cost.  There is a 128-bit salt.  Up to 72 characters of the passphrase will be used;
       any more will be ignored.

       The cost, salt, and passphrase are all used to (very slowly) key Eksblowfish.  Once key setup is done,
       the string "OrpheanBeholderScryDoubt" (three Blowfish blocks long) is encrypted 64 times in ECB mode.
       The final byte of the ciphertext is then dropped, yielding a 23-byte hash.

       In the crypt() function the salt and hash are represented in ASCII using a base 64 encoding.  The base 64
       digits are ".", "/", "A" to "Z", "a" to "z", "0" to "9" (in that order).  The 16-byte salt is represented
       as 22 base 64 digits, and the 23-byte hash as 31 base 64 digits.

       This algorithm is intended for situations where the efficiency of a brute force attack is a concern.  It
       is suitable for use in new applications where this requirement exists.  If that is not a concern, and it
       suffices to merely make brute force the most efficient attack, see Authen::Passphrase::SaltedDigest for
       more efficient hash algorithms.

       Choice of the cost parameter is critical, due to the need to trade off expense of brute-force attack
       against speed of legitimate passphrase verification.  A traditional target is that verification should
       take about one second on widely-available hardware.  (Algorithms that are concerned about brute force
       speed but lack a cost parameter have often aimed for this, with respect to hardware available at the time
       of the algorithm's introduction.)  As of 2011, this is achieved with a cost parameter around 14.

CONSTRUCTORS

       Authen::Passphrase::BlowfishCrypt->new(ATTR => VALUE, ...)
           Generates  a  new  passphrase  recogniser  object  using  the  Blowfish-based crypt() algorithm.  The
           following attributes may be given:

           key_nul
               Truth value indicating whether to append a NUL to the passphrase before using it as a  key.   The
               algorithm  as  originally  devised  does  not  do  this, but it was later modified to do it.  The
               version that does append NUL is to be preferred.  Default true.

           cost
               Base-two logarithm of the number of keying rounds to perform.

           keying_nrounds_log2
               Synonym for cost.

           salt
               The salt, as a 16-byte string.

           salt_base64
               The salt, as a string of 22 base 64 digits.

           salt_random
               Causes salt to be generated randomly.  The value given for this attribute is ignored.  The source
               of randomness may be controlled by the facility described in Data::Entropy.

           hash
               The hash, as a 23-byte string.

           hash_base64
               The hash, as a string of 31 base 64 digits.

           passphrase
               A passphrase that will be accepted.

           The cost and salt must be given, and either the hash or the passphrase.

       Authen::Passphrase::BlowfishCrypt->from_crypt(PASSWD)
           Generates a new passphrase recogniser object using the Blowfish-based crypt() algorithm, from a crypt
           string.  The crypt string must start with "$2$" for the version that does not append NUL to the  key,
           or  "$2a$" for the version that does.  The next two characters must be decimal digits giving the cost
           parameter.  This must be followed by "$", 22 base 64 digits giving the salt, and finally 31  base  64
           digits giving the hash.

       Authen::Passphrase::BlowfishCrypt->from_rfc2307(USERPASSWORD)
           Generates  a new passphrase recogniser object using the Blowfish-based crypt() algorithm, from an RFC
           2307 string.  The string must consist of "{CRYPT}" (case insensitive) followed by an acceptable crypt
           string.

METHODS

       $ppr->key_nul
           Returns a truth value indicating whether a NUL will be appended to the passphrase before using it  as
           a key.

       $ppr->cost
           Returns the base-two logarithm of the number of keying rounds that will be performed.

       $ppr->keying_nrounds_log2
           Synonym for "cost".

       $ppr->salt
           Returns the salt, as a string of sixteen bytes.

       $ppr->salt_base64
           Returns the salt, as a string of 22 base 64 digits.

       $ppr->hash
           Returns the hash value, as a string of 23 bytes.

       $ppr->hash_base64
           Returns the hash value, as a string of 31 base 64 digits.

       $ppr->match(PASSPHRASE)
       $ppr->as_crypt
       $ppr->as_rfc2307
           These methods are part of the standard Authen::Passphrase interface.

SEE ALSO

       Authen::Passphrase, Crypt::Eksblowfish::Bcrypt

AUTHOR

       Andrew Main (Zefram) <zefram@fysh.org>

COPYRIGHT

       Copyright (C) 2006, 2007, 2009, 2010, 2012 Andrew Main (Zefram) <zefram@fysh.org>

LICENSE

       This  module  is  free  software;  you  can redistribute it and/or modify it under the same terms as Perl
       itself.

perl v5.34.0                                       2022-06-08             Authen::Passphrase::BlowfishCrypt(3pm)