Salt (cryptography)

In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase. Salts are closely related to the concept of nonce. The primary function of salts is to defend against dictionary attacks or against its hashed equivalent, a pre-computed rainbow table attack.

A new salt is randomly generated for each password. In a typical setting, the salt and the password (or its version after Key stretching) are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. Hashing allows for later authentication without keeping and therefore risking the plaintext password in the event that the authentication data store is compromised.

Since salts do not have to be memorized by humans they can make the size of the rainbow table required for a successful attack prohibitively large without placing a burden on the users. Since salts are different in each case, they also protect commonly used passwords, or those who use the same password on several sites, by making all salted hash instances for the same password different from each other.

Cryptographic salts are broadly used in many modern computer systems, from Unix system credentials to Internet security.

Unix implementations

1970s-1980s

Earlier versions of Unix used a password file (/etc/passwd) to store the hashes of salted passwords (passwords prefixed with two-character random salts). In these older versions of Unix, the salt was also stored in the passwd file (as cleartext) together with the hash of the salted password. The password file was publicly readable for all users of the system. This was necessary so that user-privileged software tools could find user names and other information. The security of passwords is therefore protected only by the one-way functions (enciphering or hashing) used for the purpose. Early Unix implementations limited passwords to 8 characters and used a 12-bit salt, which allowed for 4,096 possible salt values. This was an appropriate balance for 1970s computational and storage costs.

1980s-

The shadow password system is used to limit access to hashes and salt. The salt is 8 characters, the hash is 86 characters, and the password length is unlimited.

Web application implementations

It is common for a web application to store in a database the hash value of a user's password. Without a salt, a successful SQL injection attack may yield easily crackable passwords. Because many users re-use passwords for multiple sites, the use of a salt is an important component of overall web application security.^[1] Some additional references for using a salt to secure password hashes in specific languages (PHP, .NET, etc.) can be found in the external links section below.

Benefits

A public salt makes it more time-consuming to crack a list of passwords. However, it does not make dictionary attacks harder when cracking a single password. The attacker has access to both the hashed password and the salt, so when running the dictionary attack, the attacker can simply use the known salt when attempting to crack the password.

To understand the difference between cracking a single password and a set of them, consider a single password file that contains hundreds of usernames and passwords. Without a salt, an attacker could compute hash(attempt[0]), and then check whether that hash appears anywhere in the file. The likelihood of a match, i.e. cracking one of the passwords with that attempt, increases with the number of passwords in the file. If salts are present, then the attacker would have to compute hash(salt[a], attempt[0]), compare against entry A, then hash(salt[b], attempt[0]), compare against entry B, and so on. This defeats "reusing" hashes in attempts to crack multiple passwords.

Salts also combat the use of hash tables and rainbow tables for cracking passwords. A hash table is a large list of pre-computed hashes for commonly used passwords. For a password file without salts, an attacker can go through each entry and look up the hashed password in the hash table or rainbow table. If the look-up is considerably faster than the hash function (which it often is), this will considerably speed up cracking the file. However, if the password file is salted, then the hash table or rainbow table would have to contain "salt . password" pre-hashed. If the salt is long enough and sufficiently random, this is very unlikely. Unsalted passwords chosen by humans tend to be vulnerable to dictionary attacks since they have to be both short and meaningful enough to be memorized. Even a small dictionary (or its hashed equivalent, a hash table) has a significant chance of cracking the most commonly used passwords. Since salts do not have to be memorized by humans they can make the size of the rainbow table required for a successful attack prohibitively large without placing a burden on the users.

(*Comment*: A hash table is a pre-compiled list of commonly used passwords and their hash value equivalents. A Rainbow table is generated using reduction functions. Reduction functions can operate in many ways, but a simplified method is to take a random value and generate a hash. The newly generated hash value is taken and a set number of characters are cut off. What remains forms the next password which is rehashed. This is reiterated a set number of times to form a chain of password-hash values. Only the first password and last hash value are kept. A number of reduced chains form a rainbow table. Salts do help to resist rainbow table and hash table methods. Rainbow table section needed. Reference: http://kestas.kuliukas.com/RainbowTables/)

More technically, salts protect against hash tables and rainbow tables as they, in effect, extend the length and potentially the complexity of the password. If the rainbow tables do not have passwords matching the length (e.g. an 8-byte password, and 2-byte salt, is effectively a 10-byte password) and complexity (non-alphanumeric salt increases the complexity of strictly alphanumeric passwords) of the salted password, then the password will not be found. If found, one will have to remove the salt from the password before it can be used.

Additional benefits

The modern shadow password system, in which password hashes and other security data are stored in a non-public file, somewhat mitigates these concerns. However, they remain relevant in multi-server installations which use centralized password management systems to push passwords or password hashes to multiple systems. In such installations, the root account on each individual system may be treated as less trusted than the administrators of the centralized password system, so it remains worthwhile to ensure that the security of the password hashing algorithm, including the generation of unique salt values, is adequate.

Salts also make dictionary attacks and brute-force attacks for cracking large numbers of passwords much slower (but not in the case of cracking just one password). Without salts, an attacker who is cracking many passwords at the same time only needs to hash each password guess once, and compare it to all the hashes. However, with salts, each password will likely have a different salt; so each guess would have to be hashed separately and compared for each salt, which is considerably slower than comparing the same single hash to every password.

Another (lesser) benefit of a salt is as follows: two users might choose the same string as their password, or the same user might choose to use the same password on two machines. Without a salt, this password would be stored as the same hash string in the password file. This would disclose the fact that the two accounts have the same password, allowing anyone who knows one of the account's passwords to access the other account. By salting the passwords with two random characters, even if two accounts use the same password, no one can discover this just by reading hashes.

References

↑ "ISC Diary – Hashing Passwords". Dshield.org. Retrieved 2011-10-15.

External links

Morris, Robert; Thompson, Ken (1978-04-03). "Password Security: A Case History". Murray Hill, NJ, USA: Bell Laboratories.
Wille, Christoph (2004-01-05). "Storing Passwords - done right!".
OWASP Cryptographic Cheat Sheet
how to encrypt user passwords

Cryptographic hash functions & message authentication codes

List Comparison Known attacks

Common functions	MD5 SHA-1 SHA-2 SHA-3 BLAKE2

SHA-3 finalists	BLAKE Grøstl JH Skein Keccak (winner)

Other functions	ECOH FSB GOST HAS-160 HAVAL Kupyna LM hash MD2 MD4 MD5 MD6 MDC-2 N-Hash RIPEMD RadioGatún SWIFFT SipHash Snefru Streebog Tiger VSH WHIRLPOOL

Key derivation functions	bcrypt crypt PBKDF2 scrypt Argon2

MAC functions	DAA CBC-MAC HMAC OMAC/CMAC PMAC VMAC UMAC Poly1305

Authenticated encryption modes	CCM CWC EAX GCM IAPM OCB

Attacks	Collision attack Preimage attack Birthday attack Brute force attack Rainbow table Side-channel attack Length extension attack

Design	Avalanche effect Hash collision Merkle–Damgård construction

Standardization	CRYPTREC NESSIE NIST hash function competition

Utilization	Hash-based cryptography Key stretching Merkle tree Message authentication Proof of work Salt

Cryptography

History of cryptography Cryptanalysis Outline of cryptography

Symmetric-key algorithm Block cipher Stream cipher Public-key cryptography Cryptographic hash function Message authentication code Random numbers Steganography

Category Portal WikiProject

This article is issued from Wikipedia - version of the 10/4/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.