views:

95

answers:

2

I have heard that the only purpose of a salt is to prevent rainbow table attacks, but surely it must have more value than this? Would it not prevent a dictionary-based attack too? And what about brute-forcing, would a salt be of any use there? And could you explain why, please?

Second, suppose I had an algorithm that took the microtime, a 128 character salt and a random number between 1 billion and 10 billion, and hashed them together. Would this provide a great level of security? For even if the attacker knew one of those details, it seems to me that it would still be computationally infeasible to calculate the rest. Is that right, though?

Thanks,

Ben

Edit: To clarify, the attacker doesn't have access to the hashing algorithm, so they can't spam any information to the system. All they have is the hash and they have to work out how it was compiled. Surely even if they knew how the hash was generated, trying to brute-force all the combinations with a long salt would make it unrealistic to do?

Also, the hash isn't of the user's password or username, it's just a random set of characters used for authentication. So the salt and random number don't need to be stored, just the resulting hash. In that case would the above system, represented in something like the below code, be a good system to prevent an attacker from being able to realistically guess what a user's hash might be?

$salt = "some random characters I made up";
hash('sha256', microtime(true).$salt.mt_rand(1000,9999));

I know that's only 1000-9999 instead of the billions mentioned above.

Thanks again.

+4  A: 

No - It only prevents rainbow table attacks. As a attacker needs to build the rainbow table for each password entry. Because the salt adds a lil spice which differentiates the password hash from all the others.

Dictionary-based and Brute-forcing attacks are essentially the same thing here. Salting doesn’t stop these as your validation algorithm is something like

plain-text-passwd = 'secret provided by user'
salt = getSalt(username) //looks the salt value up in database based on the users username
hash-password-in-db = getPassword(username) // looks up hashed password bassed on users username
if(hash(plain-text-passwd + salt) == hash-password-in-db) //if true, password is correct

With Dictionary-based and Brute-forcing attacks the value for plain-text-passwd is spammed by the user which in turn gets hashed with the salt. So salting does nothing

Second, suppose I had an algorithm...

This is pointless, you need to store all this information against the user information table, where a 5 character salt value serves the same purpose.

nullptr
+2  A: 

A rainbow table is an optimisation method that can be used for both dictionary attacks and brute-force attacks.

A correctly-used salt makes precomputation infeasible for dictionary and brute-force attacks. Since a rainbow table is a kind of precomputation optimisation, so it is one of the optimisations that is neutered by salting.

Your second example is really just a longer salt, with some lower-entropy portions. It is worrying that you differentiate "a random number" and "a salt", since a salt should be a random nonce.

caf