tags:

views:

70

answers:

5
Q: 

Using a random salt in password encryption?

Hey,

I've seen a few other threads about this topic, but I can't seem to find a few answers to some questions involving the use of a random salt in password encryption. To my understanding, the steps go something like this:

  1. Generate a random salt for the user.
  2. Append the salt to their password.
  3. Use something like SHA-2 to hash the result.
  4. Store both the salt and hashed password in the database.

How does this method work when retrieving the user's password and verifying log-in? One response says that the user's salt should be retrieved, appended to their inputted password, hashed, and then compared to the stored hash, but doesn't this raise some issues? Namely:

  • How do you retrieve the salt without compromising that user? If someone wanted to brute-force a certain account's password, wouldn't they be able to retrieve the salt that was sent back from the server to hash the inputted password, thereby eliminating the security that having a salt adds?
  • If we avoid the previous problem by doing the salt retrieval server-side, then won't we be sending the user's inputted password unencrypted at one point or another (so that it may later be appended to the retrieved salt)?

Any insight is greatly appreciated,
Jengerer

+1  A: 

I use a fixed salt (for all passwords) which is hardcoded on the application code. Assuming that the salt cannot be exposed (e.g via the UI of the application) this looks simple and good enough.

cherouvim  2010-10-26 06:02:41
The thing is, for something like a website, hard-coding the salt doesn't work for one of two reasons: a) if the salt is added client-side, it's openly visible to anyone and so it's completely useless, b) if it's done server side, it necessitates that the user's password is sent unencrypted so that it may be done server-side, and so there's a gaping flaw in either case.
Jengerer  2010-10-26 06:05:26
Yes you are right. I think it's best to salt on the server side and use https for the client when transmitting the password.
cherouvim  2010-10-26 06:09:44
But this means that an attacker can attack all passwords in parallel, if the hashed passwords are compromised - the very thing salting is meant to prevent. I.e. with per-user salt, then each hash computation can only be compared against that users hash result. But with a single salt for the application, every hash result can be compared against all users. And, if the hashes are exposed, two different users can determine that they have the same password.
Damien_The_Unbeliever  2010-10-26 06:25:58
cherouvim  2010-10-26 11:17:57
@cherouvim - it's still possible for a user to determine that someone else shares the same password, without compromising the salt. If that other user is an admin, that could be a concern. And you're not meant to *have* to hide the salt. And what if they retrieve the salt, say, by an inadvertent release of your source code, rather than a server compromise? You can't change the salt without invalidating everyone's passwords.
Damien_The_Unbeliever  2010-10-26 11:20:37
@Damien_The_Unbeliever: that is correct
cherouvim  2010-10-26 15:58:07
+1  A: 

Security introduced by salt is that you obtain hash for something much bigger and non-standard than the plain password. It doesn't matter if its algorithm is closed, because it protects the hash stored in plain in database from rainbow or dictionary attacks.

It's also reccomended to take hash several times recursively, maybe readding the salt at each iterations, so that brute force will take much longer.

EDIT: to what Bevan said about communication: usually the "number used once" (NONCE) scheme is used to transmit passwords over unsecure channels. The server gives a random string never used before to the client, he appends it to the plain password, computes hash, and sends it. This protects you from eavesdropping attacks.

ruslik  2010-10-26 06:03:32
But if the salt is fixed or the algorithm is closed, then can't something like a dictionary attack overcome that by simply appending that known salt to each of the attempts?
Jengerer  2010-10-26 06:09:55
Well, it's not so difficult to RE the algorithm, so don't feel safe just because it's closed.
ruslik  2010-10-26 06:23:20
A: 

Hashing passwords protects against plainly visible passwords, and salting them guards against dictionary attacks. As far as protecting passwords during transport, I would recommend SSL/TLS.

Jordan  2010-10-26 06:08:35
+1  A: 

The only way to not send an unencrypted value which can be used to log in is to use SSL. If the hash gets sent to the server, the hash itself can be sniffed and used to log in. Do it server side.

+1 to what ruslik said about the salt. It prevents dictionary/rainbow attacks. A rainbow table for an average password + several bytes of random binary data would be astronomically huge.

mootinator  2010-10-26 06:08:50
+ it will not exist already. Rainbow tables for common hash functions and common words and/or words o a certain size already exists.
ruslik  2010-10-26 06:16:00
+2  A: 

The salt should never be exposed outside of the service - your instinct is right that this would be exposing the salt and introducing risk.

Any communication between your client and server should occur over an SSL connection - or at least using some kind of encryption of the interaction.

Keep in mind the purpose of the salt: to make it harder for someone to precalculate hash codes and therefore be able to look up passwords in the case of the database being compromised. An 8 bit salt makes the hash space 256 times bigger, making precalculation that much harder. The salt isn't about securing communication - there are other solutions for that.

Bevan  2010-10-26 06:09:36
The system should be secure even if the salting algorithm is exposed. What you propose is "security through obscurity", and it was never safe. All good algorithms for encription are safe even when you know them.
ruslik  2010-10-26 06:17:29
@ruslik Sorry, I don't get your point. Of course the algorithm should be exposed - that's axiomatic of good security. By "the salt" I meant the actual salt value for a specific password, not the salting algorithm.
Bevan  2010-10-26 06:42:27
@Bevan Sorry, but there is no difference.
ruslik  2010-10-26 06:53:20
@ruslik My understanding (always subject to correction) is that the salt acts to provide additional key bits, and like any symmetric key, should remain confidential. Wikipedia agrees ("For best security, the salt value is kept secret." http://en.wikipedia.org/wiki/Salt_%28cryptography%29). What do you think I'm missing?
Bevan  2010-10-26 07:09:21
@Bevan in my inderstanding, you cannot keep it secret if the algorithm is exposed (assuming it can be generated on client's machine).
ruslik  2010-10-26 07:20:22
@ruslik I think I see where you're going. If you know the inputs AND the algorithm, you can generate the output, so the output can't be a secret. That's true - if you know both the salt and the password, you can generate the salted-hash, no problem. The goal of the salt, though, is to make reversal harder: If you have the salted-hash, how do you obtain the password? Without a salt, there's only one hash for a given password, so you can precalculate it. With an 8 bit salt, there are 256 salted-hashes for each password, requiring more space fore precalculation.
Bevan  2010-10-26 19:20:33

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL