Re: Hash salt (was Re: BCRYPT - Why not using it?)



On Wed, Apr 06, 2011 at 10:40:58PM -0500, Boyd Stephen Smith Jr. wrote:
> In <4D9D1B22.2010608@xxxxxxx>, Ron Johnson wrote:
> > On 04/06/2011 08:19 PM, Aaron Toponce wrote:
> > > First, if you don't have the salt, but you do have the hash, then a
> > > rainbow table attack is completely pointless.
> >
> > The OS must store the salt somewhere, in order to correctly authenticate
> > the user when he logs in. But I've never heard of /etc/hashsalt so what
> > am I misunderstanding?
>
> The value stored in /etc/shadow is both the salt + the encrypted
> salt+password. This allows a process with read access to /etc/shadow to
> easily read the shadow, encrypt the salt + provided password, and compare the
> result to the encrypted salt+password. The salt is randomly generated each
> time the password is set, and it is (usually) different for each entry in
> /etc/shadow.

So is the salt a fixed number of characters?

Otherwise, how would a process know which portion of the
string is the salt?

Regards,

--
Joel Roth
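The question of how a process finds the salt inside the stored string is answered by the string layout itself. Traditional DES crypt output is exactly 13 characters with a fixed 2-character salt in front; glibc's modular crypt format ("$1$", "$5$", "$6$") separates the scheme id, an optional "rounds=N" parameter, the salt and the digest with "$" characters, so the salt can vary in length without ambiguity. The following Python is an added example, not code from this thread or from Debian: it parses both layouts out of a constructed shadow line, then shows the recompute-and-compare step. Because hashlib does not implement sha512crypt, the verification part uses a hypothetical "$pbkdf2$" scheme id backed by PBKDF2-HMAC-SHA256 as a stand-in; the string layout and the verify flow are the same as for the real glibc schemes.

```python
import hashlib
import hmac
import secrets

# Constructed /etc/shadow-style line (not a real account; the digest field is
# a fake stand-in of the right shape, not a real sha512crypt digest).
SHADOW_LINE = "alice:$6$rounds=5000$Q0mWb1x3GtR7Vz2a$NotARealSha512cryptDigest:18723:0:99999:7:::"


def password_field(shadow_line):
    """The second colon-separated field of a shadow line holds the crypt string."""
    return shadow_line.split(":")[1]


def split_crypt_string(field):
    """Split a crypt(3)-style password field into (scheme, params, salt, digest).

    Modular crypt format (glibc $1$, $5$, $6$): "$id$[rounds=N$]salt$digest".
    The salt is whatever sits between the '$' separators, so its length may vary.
    Traditional DES crypt: exactly 13 characters, the first 2 are the salt.
    """
    if field.startswith("$"):
        parts = field.split("$")[1:]            # drop the empty piece before the leading '$'
        if len(parts) < 3:
            raise ValueError("malformed modular crypt string")
        scheme, rest = parts[0], parts[1:]
        params = None
        if rest[0].startswith("rounds="):       # optional cost parameter
            params, rest = rest[0], rest[1:]
        if len(rest) != 2:
            raise ValueError("malformed modular crypt string")
        salt, digest = rest
        return scheme, params, salt, digest
    if len(field) == 13:
        return "des", None, field[:2], field[2:]
    raise ValueError("unrecognized password field")


# --- Stand-in scheme for the recompute-and-compare step ----------------------
# "$pbkdf2$" is a hypothetical scheme id used here only for illustration;
# glibc's "$6$" is sha512crypt, which hashlib does not provide directly.

def make_password(password, salt=None, rounds=100_000):
    """Return "$pbkdf2$rounds=N$salt$hexdigest" with a fresh random salt."""
    if salt is None:
        salt = secrets.token_urlsafe(12)        # random per password, stored in the clear
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds)
    return f"$pbkdf2$rounds={rounds}${salt}${digest.hex()}"


def verify_password(stored, candidate):
    """Re-derive from the stored salt and parameters, then compare in constant time."""
    scheme, params, salt, digest = split_crypt_string(stored)
    if scheme != "pbkdf2" or params is None:
        raise ValueError("unsupported scheme for this stand-in verifier")
    rounds = int(params.split("=", 1)[1])
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(), rounds)
    return hmac.compare_digest(recomputed.hex(), digest)


if __name__ == "__main__":
    print(split_crypt_string(password_field(SHADOW_LINE)))
    print(split_crypt_string("abJnggxhB/yWI"))   # constructed 13-char DES-style field
    stored = make_password("correct horse", rounds=1000)
    print(stored, verify_password(stored, "correct horse"), verify_password(stored, "wrong"))
```

Two design points carry over to the real schemes: the salt is stored in the clear because its job is to make precomputed tables useless, not to be secret, and the final comparison uses hmac.compare_digest so the check does not leak how many leading characters matched through timing.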


Archive: http://lists.debian.org/20110407043738.GA23159@sprite

