salt - 盐渍密码101

Question

有人可以帮我了解加盐的工作原理吗？

到目前为止，我了解以下内容：

1. 验证密码
2. 生成随机字符串
3. 散列密码和随机字符串并将它们连接起来，然后将它们存储在密码字段中......

我们如何存储盐，或者在用户登录时知道它是什么？我们是否将其存储在自己的领域中？如果我们不这样做，应用程序如何确定盐是什么？如果我们确实存储它，它不会破坏整个目的吗？

Answer 1

Salt在散列之前与密码结合。将密码和盐清除值连接起来，并对结果字符串进行哈希处理。这保证了即使两个人使用相同的密码，您也会得到不同的哈希值。（也使得使用彩虹表的字典攻击更加困难）。

The salt is then stored in original/clear format along with the hash result. Then later, when you want to verify the password you would do the original process again. Combine the salt from the record with the password the user provided, hash the result, compare the hash.

You probably already know this. but it's important to remember. the salt must be generated randomly each time. It must be different for each protected hash. Often times the RNG is used to generate the salt.

So..for example:
user-password: "mypassword"
random salt: "abcdefg12345"
resulting-cleartext: "mypassword:abcdefg12345" (how you combine them is up to you. as long as you use the same combination format every time).
hash the resulting cleartext: "somestandardlengthhashbasedonalgorithm"

In your database now you would store the hash and salt used. I've seen it two ways:

method 1:
field1 - salt = "abcdefg12345"
field2 - password_hash = "somestandardlengthhashbasedonalgorithm"

method 2:
field1 - password_hash = "abcdefg12345:somestandardlengthhashbasedonalgorithm"

In either case you have to load the salt and password hash out of your database and redo the hash for comparison

Answer 2

salt <- random
hash <- hash(password + salt)
store hash:salt

之后

input password
look up hash:salt
hash(password+salt)
compare with stored hash

知道了？

Answer 3

How do we store the salt, or know what it is when a user logs in? Do we store it in its own field?

Yes.

And if we do store it, doesn't it defeat the whole purpose?

No. The purpose of a salt is not being secret, but merely to prevent an attacker from amortizing the cost of computing rainbow tables over all sites in the world (not salt) or all users in your site (single salt used for all users).

Answer 4

According to Practical Cryptography (Neils Ferguson and Bruce Schneier), you should use salted, stretched hashes for maximum security.

x[0] := 0
x[i] := h(x[i-1] || p || s)  for i = 1, ..., r
K := x[r]

where
   h is the hash (SHA-1, SHA-256, etc.)
   K is the generated hashed password
   p is the plaintext password
   r is the number of rounds
   s is the randomly generated salt
   || is the concatenation operator

The salt value is a random number that is stored with the encrypted password. It does not need to remain secret.

Stretching is the act of performing the hash multiple times to make it computationally more difficult for a attacker to test many permutations of passwords. r should be chosen so that the computation takes about 200-1000ms on the user's computer. r may need to be increased as computers get faster.

Answer 5

如果您使用的是众所周知的散列算法，那么某人可能拥有一个已经使用该算法散列的许多可能密码的列表，并将该列表中的项目与他们想要破解的散列密码进行比较（字典攻击）。
如果您在散列之前对所有密码进行“加盐”，这些字典将毫无用处，因为它们必须使用您的盐创建。