[Cryptography] CSPRNG for password salt

John B vertex.vr4 at gmail.com
Wed Aug 20 04:08:34 EDT 2014


On 20 August 2014 17:14, Stephan Neuhaus <stephan.neuhaus at tik.ee.ethz.ch>
wrote:

> On 2014-08-20, 03:43, John B wrote:
> a) The only "attack" I can think of is that rand() (IIRC) is a 32-bit
> RNG, which would mean that after 2^16 generated salts, one should start
> seeing collisions.  And *if I knew in advance what that collision was*,
> I could now hack two passwords as cheaply as one through a prepared
> dictionary using that salt.
>
> b) Now a salt is not an IV, so even with a collision, no keystream is
> repeated, so I'm doubtful that even doubling the probability of success
> counts for very much.  I think it's much more likely that some user's
> password is 123456 or something easily crackable, so the answer to that
> is "not very".
>
> Fun,
>
> Stephan
>


Hi Stephan,

Really appreciate your input.
It got me to pondering this argument for CSPRNGs:

Say we were using rand() - if the attacker can submit his/her own password
AND obtain their own hash back, they could then brute-force the seed (say
because srand(time_now)) and now would presumably know the list of salts
used for all of the subsequent password hashes. They can then pre-compute
the tables necessary for an 'improved' offline attack on those passwords.
Does this sound plausible?

Thanks again for your time and quality analysis.

Regards,
John
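The scenario John sketches above, as an added toy illustration that is not code from the thread or from any real system: a salt generator seeded from the clock (Python's `random.Random` stands in for `srand(time_now); rand()`) is reproduced from a single known (password, hash) pair by searching a small window of candidate seeds, after which every later salt in the stream is known; the same search against a salt from `secrets.token_bytes` finds nothing because there is no seed to recover. The deployment timestamp, the search window, the low KDF iteration count and the assumption that the probing account consumed the first PRNG output are all constructed for the demonstration.

```python
"""Toy model of the salt-prediction argument: clock-seeded PRNG vs. CSPRNG.
Illustrative only; constructed for this explanation, not code from the thread."""
import hashlib
import random
import secrets

SALT_LEN = 16
KDF_ITERS = 1_000  # deliberately low so the seed search below finishes in seconds


def weak_salt_stream(seed, n):
    """Salts from a deterministic PRNG seeded with a low-entropy value.
    Stand-in for `srand(time_now); rand()`: every salt is a pure function of
    `seed`, so whoever learns the seed learns this salt and all that follow."""
    rng = random.Random(seed)
    return [rng.getrandbits(8 * SALT_LEN).to_bytes(SALT_LEN, "big") for _ in range(n)]


def strong_salt():
    """Salt from the OS CSPRNG: there is no seed for anyone to recover."""
    return secrets.token_bytes(SALT_LEN)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS)


def seed_from_own_hash(password, stored_hash, candidate_seeds):
    """Audit check for the post's scenario: a user who knows their own password
    and sees their own stored hash tries each seed in a plausible window.
    A hit means the generator's seed space is small enough to be enumerated.
    Assumes (constructed) that this user's salt was the first PRNG output."""
    for seed in candidate_seeds:
        if hash_password(password, weak_salt_stream(seed, 1)[0]) == stored_hash:
            return seed
    return None


def demo(deploy_time=1408521600):  # constructed: Unix time at which srand() ran
    # Server hands out salts[0], salts[1], ... to successive registrations.
    salts = weak_salt_stream(deploy_time, 3)
    own_hash = hash_password("probe-password", salts[0])
    window = range(deploy_time - 600, deploy_time + 600)  # +/- 10 minutes of clock uncertainty

    found = seed_from_own_hash("probe-password", own_hash, window)
    # Once the seed is known, the salts of everyone who registered afterwards are too.
    later_salts_known = found is not None and weak_salt_stream(found, 3)[1:] == salts[1:]

    # The identical search against a CSPRNG-generated salt comes up empty.
    csprng_hash = hash_password("probe-password", strong_salt())
    csprng_seed = seed_from_own_hash("probe-password", csprng_hash, window)
    return found, later_salts_known, csprng_seed


if __name__ == "__main__":
    print(demo())
```

Raising the KDF cost only multiplies the work of the seed search by a constant; what removes it is replacing the seed with an unguessable one, i.e. drawing the salt from the operating system's CSPRNG rather than from anything seeded by the clock.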