password strengthening: salt vs. IVs

Steven M. Bellovin smb at cs.columbia.edu
Mon Oct 29 23:43:45 EDT 2007


On Mon, 29 Oct 2007 14:24:23 -0500
travis+ml-cryptography at subspacefield.org wrote:

> So back in the bad old days when hashing was DES encryption of the
> zero vector with a fixed key, someone came up with salt as a password
> strengthening mechanism.
> 
> I'm not quite sure why it was called salt.
> 
> It perturbed the S-boxes in DES IIRC, but essentially it was a known
> bit of text that was an input to the algorithm that varied between
> entries, like an IV does with encryption.
> 
> If there isn't already a term for this, I'm going to call this
> general concept "individuation", or possibly "uniquification".
> 
> Nowadays with strong hash algorithms, but rainbow tables and
> low-entropy passwords as the threat, I'm wondering what the best
> practice is.
> 
> I was thinking of simply prepending a block of text to each passphrase
> prior to hashing, and storing it with the hash - similar to salts in
> passwd entries.
> 
> It should have at least as much entropy as the hash output, maybe a
> little more in case there's collisions.  If it were uniformly random,
> you could simply XOR it with the passphrase prior to hashing and save
> yourself some cycles, right?
> 
> Would it be appropriate to call this salt, an IV, or some new term?

That's an IV.  I strongly suggest you read the Ritchie and Thompson
paper on the reasons for the salt.  While making sure that two
identical passwords rarely hashed to the same value, it had another
purpose: protecting against hardware attacks.  Ritchie and Thompson
assumed that there would be generic DES chips; they didn't want those
to be used in a password-cracking machine.  Accordingly, the salt was
used to permute the E-box -- not the S-boxes -- to prevent that.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
