[Cryptography] encrypting bcrypt hashes

Ray Dillinger bear at sonic.net
Wed Mar 8 15:01:56 EST 2017


Okay, to make sure I understand:

You have four-decimal PINs hashed with sixteen-bit salt, and you're
worried about someone stealing the database.

We can start by talking about the size of the salt.  I mention this
because, since most businesses have more than 65536 customers (or at
least aspire to), it is likely that increasing the size of the salt so
that you can ensure each customer has _unique_ salt will improve security.

The other reason to talk about the size of the salt is because, instead
of using a traditional symmetric encryption algorithm on a database of
hashes, it is better to simply extend the entities being hashed.

IOW, instead of encrypt(hash(PIN:salt),key), it is simpler to use
hash(PIN:salt:key).

This extends the work factor for the attacker as effectively as
encryption; finding a hash preimage for 256 bits of PIN+salt+key
requires the same number of attempts as finding a 256-bit key.  And it
has the advantage of not bringing more or different crypto code into
your application.  Every line of dedicated crypto code in an application
is an opportunity to make a security-critical mistake, so it's best to
minimize.

But, the dirty dirty truth is that with public implementations of good
crypto algorithms available, key management is by far the hardest part
to get right.  Avoiding the need for key management is why hashing
instead of encryption is preferred for PINs and passwords in the first
place.   If it's out of scope for this project, get someone to sign a
document that says so, because that key has to be present on everything
that can check PINs. Key theft is therefore the most likely way for the
whole thing to fail.

				Bear
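
The hash(PIN:salt:key) construction described in the message above, as an added example that is not part of the original post or of any project's code. Assumptions: PBKDF2-HMAC-SHA256 stands in for the hash, the salt is 128 random bits per customer, and the function names, sample PIN and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16    # assumption: 128-bit random salt, unique per customer
ITERATIONS = 100   # assumption: kept low so the demo runs quickly


def hash_pin(pin: str, salt: bytes, key: bytes) -> bytes:
    """hash(PIN:salt:key); PBKDF2-HMAC-SHA256 stands in for the hash.
    The salt is fixed-length, so salt + key is an unambiguous encoding."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + key, ITERATIONS)


def enroll(pin: str, key: bytes) -> tuple[bytes, bytes]:
    """Return the (salt, digest) row to store; the key is never stored in it."""
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, hash_pin(pin, salt, key)


def verify(pin: str, salt: bytes, digest: bytes, key: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(hash_pin(pin, salt, key), digest)


def pins_matching(salt: bytes, digest: bytes, key: bytes) -> list[str]:
    """All four-digit PINs that reproduce a stored row under a given key.
    Shows what the row reveals to someone holding, or lacking, the key."""
    return [p for p in (f"{n:04d}" for n in range(10_000))
            if verify(p, salt, digest, key)]


if __name__ == "__main__":
    server_key = secrets.token_bytes(32)       # constructed sample key
    salt, digest = enroll("4921", server_key)  # constructed sample PIN
    print("with the server key:", pins_matching(salt, digest, server_key))
    print("with a wrong key:   ", pins_matching(salt, digest, secrets.token_bytes(32)))
```

The stored row identifies the PIN only to a holder of the key, which is why every PIN-checking host needs that key and why its theft reduces the scheme to a plain salted hash.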
