I'm trying to mimic in Go, the functionality that is available in a python library (https://pypi.org/project/scrypt/) for decrypting a scrypt generated digest (given the correct password).
It seems the go library only provides one function for encrypting data where as it seems this python library provides not only that but also a way to reverse/decrypt the digest, as well as provide a function for using scrypt for a simpler one-way hash function.
I'm not a security expert, nor do I understand maths/numbers so I feel like trying to replicate that python library is beyond my understanding. I presume it's possible to do because the python library appears to have achieved it.
Does anyone know where I would even start on approaching this problem. Or be gracious enough with their time to provide some form of example code to help me.
Thanks.
The scrypt function is fundamentally a hash function. It uses a password as a way to derive a digest: meaning, there should be no way for the original message (the message that was hashed) to be retrieved.
So with that understanding in place, it makes sense that Golang's interface for scrypt doesn't support any such function such as decrypt. But then how is py-script's decrypt function working?
Well, if I look back at https://www.tarsnap.com/scrypt.html it states that the scrypt executable provides an "encryption utility"...
A simple password-based encryption utility is available as a demonstration of the scrypt key derivation function. The scrypt utility can be invoked as
scrypt enc infile [outfile]to encrypt data (ifoutfileis not specified, the encrypted data is written to the standard output), or asscrypt dec infile [outfile]to decrypt data (ifoutfileis not specified, the decrypted data is written to the standard output).
...and upon checking py-script I see it embeds a version of the scrypt executable, meaning py-script is calling the executable's enc and dec functions.
So although I don't necessarily know how tarsnap's encryption utility is built and what it's doing under the covers (e.g. what actual encryption algorithm is being utilised), the fact is that scrypt is only really designed as a key derivation function and that digest output is used by those additional tarsnap functions in such a way as to support encryption/decryption.
There is no decryption of scrypt, only validation.
What the scrypt decrypt function does is take a password and a password hash created by the encrypt function and validates by performing the same operation on the password that the encrypt function did and then comparing the two hashes.
Check the Golang documentation for there verification function name and usage.
scrypt does not decrypt, that is a misnomer by a developer who was lacking understanding. It is not even encryption, it is a cryptographic hash function from which the original input can not be obtained.