How is the salt generated in HashProvider in Microsoft Enterprise Library when we set SaltEnabled?

Is it random to new machines? Is it some magic number?

(I know what a salt is; the question is what the actual value of a/the salt is in the Enterprise Library HashProvider.)

+2  A: 

Edit:

See Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.HashAlgorithmProvider for an example implementation. Hashing steps are:

  1. If SaltEnabled, generate random bytes for the salt length using RNGCryptoServiceProvider.
  2. Append the salt to the plaintext.
  3. Hash the salted plaintext.
  4. Then (this is the important step), append the salt again to the hash.

To compare against hashed text, you must use:

public bool CompareHash(byte[] plaintext, byte[] hashedtext)

versus rehashing and comparing. If you rehash, a new random salt is generated and you're lost.

CompareHash does the following:

  1. Pulls the non-hashed salt off the hashtext. Remember, it was appended at step 4 above.
  2. Uses that salt to compute a hash for the plaintext.
  3. Compares the new hash with the hashedtext minus salt. If they're the same - true, else false.

Original:

"If salt is enabled on a HashProvider, the provider will generate a random sequence of bytes that will be added to the hash. If you compare a hashed value with an unhashed value, the salt will be extracted from the hashed value and used to hash the unhashed value prior to comparison."

and

"As for decoding a hash value: this cannot be done. After creating a hash there should be no way to reverse this into the original value. However, what you can do is compare an unhashed value with a hashed value by putting it through the same algorithm and comparing the output."

From http://www.codeplex.com/entlib/Thread/View.aspx?ThreadId=10284

Corbin March
"if salt is enabled on a HashProvider, the provider will generate a random sequence of bytes, that will be added to the hash." But then it won't work, because this random salt is supposed to be stored, or should be static for at least each machine.
Sorry about the confusion. Please see my edit for more details that, I think, answer your question.
Corbin March
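The two procedures in the answer above (the four hashing steps and the three CompareHash steps) written out as an added Python example. This is not Enterprise Library's code: the salt length and the hash algorithm are assumptions (EntLib configures both per provider), and only the byte layout described in the answer, hash followed by the unhashed salt, is taken from the post.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: EntLib reads both from its provider configuration.
SALT_LENGTH = 16
HASH = hashlib.sha256


def create_hash(plaintext: bytes, salt: Optional[bytes] = None) -> bytes:
    """Hashing steps 1-4 from the answer.

    A fixed salt may be passed for testing; in real use it is always random.
    """
    if salt is None:
        # Step 1: random salt (the analogue of RNGCryptoServiceProvider).
        salt = os.urandom(SALT_LENGTH)
    if len(salt) != SALT_LENGTH:
        raise ValueError("salt must be exactly SALT_LENGTH bytes")
    salted = plaintext + salt              # Step 2: append salt to plaintext
    digest = HASH(salted).digest()         # Step 3: hash the salted plaintext
    return digest + salt                   # Step 4: append the salt, unhashed, to the hash


def compare_hash(plaintext: bytes, hashedtext: bytes) -> bool:
    """CompareHash steps 1-3 from the answer."""
    digest_len = HASH().digest_size
    if len(hashedtext) != digest_len + SALT_LENGTH:
        # Malformed input (wrong length) can never match; reject before slicing.
        return False
    stored_digest = hashedtext[:digest_len]
    salt = hashedtext[digest_len:]                     # Step 1: pull the salt off the end
    recomputed = HASH(plaintext + salt).digest()       # Step 2: rehash with that salt
    # Step 3: compare against the stored hash minus the salt. compare_digest is
    # a constant-time comparison, so the check does not leak how many leading
    # bytes matched.
    return hmac.compare_digest(recomputed, stored_digest)


def naive_rehash_matches(plaintext: bytes, hashedtext: bytes) -> bool:
    """The mistake the answer warns about: rehashing draws a fresh random salt,
    so the new output practically never equals the stored one."""
    return create_hash(plaintext) == hashedtext


if __name__ == "__main__":
    stored = create_hash(b"correct horse")        # constructed sample secret
    print(compare_hash(b"correct horse", stored))  # True
    print(compare_hash(b"wrong horse", stored))    # False
    print(naive_rehash_matches(b"correct horse", stored))  # False: salt differs
```

The salt at the end of the stored value is not a secret; its only job is to make each stored hash unique so a precomputed table built for the bare algorithm is useless. What matters operationally is the point the answer makes: verify with `compare_hash`, which reuses the salt that is already stored, never by hashing again.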
A: 

Slightly off-topic:

This salt is used to prevent rainbow attacks. A rainbow attack is a type of attempt to find out what the string was for which this hash was computed, based on a very large (exhaustive, usually several gigabytes) dictionary of precomputed hashes.

'Uncle' Jeff has a blog entry about this.

Additionally you could look up Wikipedia:

http://en.wikipedia.org/wiki/Rainbow_table

Andrei Rinea
A: 

To clarify, I know what a salt is; my question was what the actual value of the salt is. Does it change from machine to machine, or is it static, etc.?