choice of salt
Oct 31 2007 01:08PM
SecFocus subscriber Dave Aronson (secfocus2dave davearonson com) (1 replies)
Sébastien Barbieri [mailto:sebastien.barbieri (at) gmail (dot) com] writes:
> The "salt" used in the crypt is the first 2 letters of the crypted pass:
I'm no crypto-guru, but that doesn't seem worthwhile to me. It just makes a minor alteration in the algorithm, rather than adding any further data-based entropy. Tables can still be generated and compared with just a tiny bit more effort than if it were unsalted, as opposed to the complete table-ruining of adding more data.
Given that this technique is used in circumstances where there is a username available for additional data, wouldn't it make more sense to use that as the salt? An attacker would have to generate a separate table for each user (though some could be reused across systems, where the same usernames exist). Isn't that the purpose of salt? Or am I completely misgrokking the concept?
Thanks,
Dave
--
Dave Aronson
"Specialization is for insects." -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/
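An added example, not part of the original post or thread: traditional crypt(3) output is 13 characters, of which the first two are the salt drawn from a 64-symbol alphabet, and the sketch below compares how no salt, a username salt and a random salt affect hash reuse within and across systems. The function names and sample accounts are constructed for illustration, and salted SHA-256 stands in for the DES-based crypt algorithm.

```python
import hashlib
import secrets

# Salt alphabet of traditional crypt(3): 64 symbols, so 2 characters give 64**2 salts.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def split_des_crypt(stored):
    """Split a 13-character traditional crypt(3) string into (salt, digest)."""
    if len(stored) != 13 or any(c not in CRYPT_ALPHABET for c in stored):
        raise ValueError("not a traditional crypt(3) hash")
    return stored[:2], stored[2:]

def des_salt_space():
    return len(CRYPT_ALPHABET) ** 2

def hash_password(password, salt):
    # Stand-in (assumption): salted SHA-256, used only to show the effect of the
    # salt. It is not crypt(3)'s algorithm and not a recommended password hash.
    return hashlib.sha256(salt + b"\x00" + password.encode()).hexdigest()

def enroll(users, scheme):
    """Return {username: (salt, hash)} for one system under a salt scheme."""
    table = {}
    for name, password in users:
        if scheme == "none":
            salt = b""
        elif scheme == "username":
            salt = name.encode()
        else:  # "random": fresh 16 bytes per account, stored beside the hash
            salt = secrets.token_bytes(16)
        table[name] = (salt, hash_password(password, salt))
    return table

def shared_hashes(system_a, system_b):
    """Usernames whose stored hash is identical on both systems."""
    return sorted(u for u in system_a if u in system_b and system_a[u][1] == system_b[u][1])

def distinct_salts(system):
    return len({salt for salt, _ in system.values()})

# Constructed sample accounts: alice and bob chose the same password.
USERS = [("alice", "hunter2"), ("bob", "hunter2"), ("root", "correct horse")]

if __name__ == "__main__":
    print("2-character crypt salts:", des_salt_space())
    for scheme in ("none", "username", "random"):
        a, b = enroll(USERS, scheme), enroll(USERS, scheme)
        print(scheme, "| distinct salts:", distinct_salts(a),
              "| alice == bob:", a["alice"][1] == a["bob"][1],
              "| identical on a second system:", shared_hashes(a, b))
```

The two `enroll` calls per scheme model two separate systems holding the same accounts, which is the cross-system reuse case the post raises for username salts.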