How is the salt generated in HashProvider in Microsoft Enterprise Library when we set SaltEnabled?

Is it random to new machines? Is it some magic number?

(I know what is a salt, the question is what's the actual value of a/the salt in Enterprise Library HashProvider)

+2  A: 


See Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.HashAlgorithmProvider for an example implementation. Hashing steps are:

  1. If SaltEnabled, generate random bytes for the salt length using RNGCryptoServiceProvider.
  2. Append the salt to the plaintext.
  3. Hash the salted plaintext.
  4. Then (this is the important step), append the salt again to the hash.

To compare against hashed text, you must use:

public bool CompareHash(byte[] plaintext, byte[] hashedtext)

versus rehashing and comparing. If you rehash, a new random salt is generated and you're lost.

CompareHash does the following:

  1. Pulls the non-hashed salt off the hashtext. Remember, it was appended at step 4 above.
  2. Uses that salt to compute a hash for the plaintext.
  3. Compares the new hash with the hashedtext minus salt. If they're the same - true, else false.


"if salt is enabled on a HashProvider, the provider will generate a random sequence of bytes, that will be added to the hash. If you compare a hashed value with a unhashed value, the salt will be extracted from the hashed value and used to hash the unhashed value, prior to comparison."


"As for decoding as hash-value. this cannot be done. after creating a hash there should be no way to reverse this into the original value. However, what you can do is compare an unhashed-value with a hashed-value by putting it through the same algorithm and comparing the output."


Corbin March
"if salt is enabled on a HashProvider, the provider will generate a random sequence of bytes, that will be added to the hash."But then it won't work because this random salt supposed to be stored, or should be static for at least each machine.
Sorry about the confusion. Please see my edit for more details that, I think, answer your question.
Corbin March

Slightly offtopic :

This salt is used to prevent Rainbow attacks. A rainbow attack is a type of attempt to find out what was the string for which this hash has been computed based on a very large (exhaustive / several gigabytes usually) dictionary of precomputed hashes.

'Uncle' Jeff has a blog entry about this.

Additionally you could look up Wikipedia :

Andrei Rinea

To clarify, I know what is salt my questions was what is the actual value of the salt. Is it changing machine to machine, or a static etc.