password strengthening: salt vs. IVs
michaelslists at gmail.com
Mon Oct 29 22:32:47 EDT 2007
On Oct 30, 2007 6:24 AM, <travis+ml-cryptography at subspacefield.org> wrote:
> So back in the bad old days when hashing was DES encryption of the
> zero vector with a fixed key, someone came up with salt as a password
> strengthening mechanism.
> I'm not quite sure why it was called salt.
> It perturbed the S-boxes in DES IIRC, but essentially it was a known
> bit of text that was an input to the algorithm that varied between
> entries, like an IV does with encryption.
> If there isn't already a term for this, I'm going to call this
> general concept "individuation", or possibly "uniquification".
> Nowadays with strong hash algorithms, but rainbow tables and
> low-entropy passwords as the threat, I'm wondering what the best
> practice is.
> I was thinking of simply prepending a block of text to each passphrase
> prior to hashing, and storing it with the hash - similar to salts in
> passwd entries.
Well, what you're describing is quite classically a salt, imho.
> It should have at least as much entropy as the hash output, maybe a
> little more in case there's collisions. If it were uniformly random,
> you could simply XOR it with the passphrase prior to hashing and save
> yourself some cycles, right?
Well, no. I mean, to XOR it (or probably what you mean: to OTP it)
you'll need to have a "salt" whose length is equal to the input. That
would then mean that short inputs would result in short salts, i.e. a
password of "a" may result in the "salt" of "x". hash("a" ^ "x") is
hardly secure against a rainbow table.
So you're better off maintaining the salt in a separate location
(after all, the threat model is that someone takes the DB and has a
list of all the hashes, and then calculates out the passwords) and
still prepending it before the main passphrase.
You may consider, however, that if this "salt" is as long as one block
of the input to the hash algorithm, it effectively becomes a new IV.
But what that has to do with anything, I don't know ...
> Would it be appropriate to call this salt, an IV, or some new term?
> Life would be so much easier if it was open-source.
> <URL:http://www.subspacefield.org/~travis/> Eff the ineffable!
> For a good time on my UBE blacklist, email john at subspacefield.org.
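Added example (not part of the thread, written by the editor): a runnable version of the argument above. It builds a small precomputed table over every one- and two-byte input, then shows that the XOR-the-salt-in scheme from the question leaks a one-character password to that table once the attacker holds the stolen (salt, hash) record, while the classic prepend-the-salt scheme does not. The sample password and salt are constructed values; SHA-256, the 16-byte salt length and the function names are my choices, not anything the thread specifies.

```python
import hashlib
import hmac
import itertools
import os

# Constructed sample values for the demonstration; a real deployment draws
# the salt from os.urandom() per record (see new_record below).
SAMPLE_PASSWORD = b"a"
SAMPLE_SALT = b"x" * 16


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_table(max_len: int = 2) -> dict:
    """Precomputed hash -> preimage table over every byte string of length
    1..max_len. A rainbow table trades this space for lookup time; a plain
    dict is enough to make the point (65,792 entries for max_len=2)."""
    table = {}
    for n in range(1, max_len + 1):
        for tup in itertools.product(range(256), repeat=n):
            pre = bytes(tup)
            table[sha256(pre)] = pre
    return table


def xor_salted_hash(password: bytes, salt: bytes) -> str:
    """The scheme floated in the question: XOR the salt into the passphrase
    before hashing. Only len(password) bytes of salt can be used, so a
    one-byte password is hashed as a one-byte value."""
    if len(salt) < len(password):
        raise ValueError("salt must be at least as long as the password")
    return sha256(bytes(p ^ s for p, s in zip(password, salt)))


def prepend_salted_hash(password: bytes, salt: bytes) -> str:
    """The classic salt: hash(salt || password); the salt is stored next to
    the hash, so the hashed input is always at least len(salt) bytes."""
    return sha256(salt + password)


def attack_xor(stored_hash: str, salt: bytes, table: dict):
    """Attacker holds the stolen record (salt, hash) and the table. A hit
    yields password XOR salt; XOR-ing the known salt back gives the password."""
    pre = table.get(stored_hash)
    if pre is None:
        return None
    return bytes(c ^ s for c, s in zip(pre, salt))


def attack_prepend(stored_hash: str, table: dict):
    """Same attacker against hash(salt || password): the table would need an
    entry for every (salt, password) pair, so a short-input table never hits."""
    return table.get(stored_hash)


def compare_schemes(password: bytes, salt: bytes, table: dict) -> dict:
    """Run both attacks on the same password and salt."""
    return {
        "xor_recovered": attack_xor(xor_salted_hash(password, salt), salt, table),
        "prepend_recovered": attack_prepend(prepend_salted_hash(password, salt), table),
    }


def new_record(password: bytes, salt_len: int = 16) -> tuple:
    """Store (salt, hash) per user; the salt need not be secret."""
    salt = os.urandom(salt_len)
    return salt, prepend_salted_hash(password, salt)


def verify(password: bytes, salt: bytes, stored_hash: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(prepend_salted_hash(password, salt), stored_hash)


if __name__ == "__main__":
    table = build_table()
    print(compare_schemes(SAMPLE_PASSWORD, SAMPLE_SALT, table))
    # -> {'xor_recovered': b'a', 'prepend_recovered': None}
```

The table here covers only inputs of up to two bytes, which is exactly the attacker's advantage against the XOR scheme: the hashed value is never longer than the password. With the salt prepended, the attacker has to redo the work per record, which is the whole point of a salt. Note that a salt alone does not slow down a per-record brute force of a low-entropy password; that is what a deliberately slow password hash (PBKDF2, scrypt, Argon2) is for, and it is not something this example covers.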
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com