security - Salting Hashes - why is the salt treated by the literature as being known to Eve? -


the title says everything. don't understand: why shouldn't keep salt secret password. or did misunderstand something?

the salt treated public because keeping secret isn't necessary.

the point of salt make dictionary attacks more difficult/less practical. in dictionary attack, attacker hashes common words dictionary, , (if he's serious @ all) supplements things common names. equipped this, if can hold of list of hashed passwords, can see if of them matches hash in list. assuming have significant number of users, has pretty chance of finding @ least one. when does, looks in list find word produced hash, , can use log in , impersonate user.

adding salt means instead of doing once, has once each possible salt value. example, if use 24-bit salt, has hash each word in dictionary ~16 million times, , store results of ~16 million hashes.

just sake of argument, let's assume without salt, take attacker 8 hours hash candidate words, , 16 megabytes store results (hashes , word produced each). we'll further assume storage equally divided between hashes , list of words/names/whatever produced them.

using same 24-bit salt, means time multiplied same factor of ~16 million. storage words produced hashes remains same, hashes (again) multiplied ~16 million. working out math, come out approximately 15,000 years of computation , 128 terabytes of storage.

in short, without salt, dictionary attack within easy reach of anybody. believe (for example) let computer run overnight hashing pull april fools joke on few of co-workers (easy believe, because i've seen done).

when down it, it's numbers game: dictionary attack isn't betting every user have password that's easy guess, enough them find @ least few open holes. likewise, making salt public allow simpler attack, downloading salt each hash, , doing individual dictionary attacks on each, using known salt each one. assuming system has fewer users possible hash values, more practical attack. nonetheless, he's stuck attacking each password individually, rather using single dictionary not entire system, in fact systems might want attack use same hash algorithm.

in summary: salt can job though it's made public. 1 of aims of security system minimize amount of information needs kept secret. since salt can work if public, it's assumed public knowledge. in practical system, don't try publish attackers, don't (shouldn't, anyway) rely on remaining secret either.


Comments

Post a Comment

Popular posts from this blog

c++ - Is it possible to compile a VST on linux? -

for class project i'm attempting write vst plugin backed cuda. current cuda workflow on linux box, i'd prefer compile , link there. according wikipedia , should possible (i couldn't find steinberg documentation relevant linux) can't find makefile or instructions on how build if aren't using xcode or visual studio. i'm vst 3 sdk doesn't support linux. when try compile plugin under linux, error: ./base/source/fatomic.cpp:39:30: fatal error: libkern/osatomic.h: no such file or directory this issue caused following code in "vst3 sdk/base/source/fatomic.cpp" #if mac #include <libkern/osatomic.h> #if mac_os_x_version_min_required > mac_os_x_version_10_4 #define native_atomic_type (volatile int32_t*) #else #define native_atomic_type (int32_t*) #endif #elif windows #include <windows.h> #endif but hope compiling under linux work vst sdk 2.4. reading. jvstwrapper seems run on lin...
Read more

c# - SharpSVN - How to get the previous revision? -

i trying find efficient way previous revision of file text comparison using sharpsvn. using (svnclient c = new svnclient()) { c.authentication.defaultcredentials = new networkcredential( configurationmanager.appsettings.get("svnserviceusername") , configurationmanager.appsettings.get("svnservicepassword") , configurationmanager.appsettings.get("svnservicedomain") ); c.authentication.sslservertrusthandlers += new eventhandler<svnsslservertrusteventargs>(authentication_sslservertrusthandlers); collection<svnfileversioneventargs> fileversioncollection = new collection<svnfileversioneventargs>(); svnrevisionrange range = new svnrevisionrange(0, this.hooks.revision); svnfileversionsargs args = new svnfileversionsargs(); args.retrieveproperties = true; args.range = range; foreach (svnchangeitem item in log.changedpaths) { string path = this.repositorypath + it...
Read more

php cli reading files and how to fix it? -

while using php cli in ubuntu got apache web server cant read file can while using in browser. , error shows nothing , next used code testing purposes : <? $handle = fopen("testfile.txt", "r"); if ($handle) { while (($buffer = fgets($handle, 4096)) !== false) { echo $buffer; } if (!feof($handle)) { echo "error: unexpected fgets() fail\n"; } if(!is_readable($handle) { die("not readable"); } fclose($handle); } ?> how fix ? edit : after removing '@' before fopen got following error fopen(testfile.txt): failed open stream: no such file or directory in /var/www/log/ka.php on line 2 when run script through cli, uses shell's working directory, in opposition file's directory (which apache hands current directory). important you, since fopen call depends on relative path; , relative paths resolved relatively working directory, not script. to have script behave apache, eit...
Read more