Re: Origin of the term "salt" in computer security
From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 12 May 2003 20:30:45 GMT
]In article <firstname.lastname@example.org>, Scott B. wrote:
]> Brad Rubin wrote:
]>> I put out a challenge question to my computer security class asking
]>> them to find the origin for the word "salt" in computer security.
]> Could it be related to the old gold mining claim cheat? Someone
]> considering buying a gold mining claim would be tricked into thinking
]> the ground was richer in gold than it really was. A sample of the
]> dirt would be shoveled into a gold pan, then the seller would "salt
]> the pan" surreptitiously with gold.
]From the horse's mouth, email from Ken Thompson:
]: RE: Etymology of "to salt" in passwords
]: "salting a mine" is placing
]: a small amount of gold in a mine
]: to raise expectations that it
]: is a real gold mine.

The question of course is whether Thompson et al. were the first to use
the term in a cryptographic context to represent a public random number
used to make hash 'inversion' more difficult. It is certainly used by
them in their design of crypt(3) from DES.

It is also somewhat obscure to me how you would go from the "salting the
mine" to the use of a salt in crypt(3). It is certainly not used there
to tempt one into believing that the hash is easier to invert than
before. It is rather an index to point to which of the 4096 different
hash functions which lie under crypt(3) one is actually using. It would
much better be called an index.
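
Added example, not part of the original post: a C sketch of the "index" reading above, decoding a two-character crypt(3) salt into its 12-bit value and building the DES expansion table that value selects, following the swap rule of the traditional DES-based implementation. The function names and the sample salt "ab" are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Standard DES expansion (E) table: 48 picks from the 32-bit half block. */
static const unsigned char DES_E[48] = {
    32,  1,  2,  3,  4,  5,   4,  5,  6,  7,  8,  9,
     8,  9, 10, 11, 12, 13,  12, 13, 14, 15, 16, 17,
    16, 17, 18, 19, 20, 21,  20, 21, 22, 23, 24, 25,
    24, 25, 26, 27, 28, 29,  28, 29, 30, 31, 32,  1
};

/* Map one salt character from [./0-9A-Za-z] to its 6-bit value, or -1. */
static int salt_char_value(int c)
{
    if (c >= '.' && c <= '9') return c - '.';
    if (c >= 'A' && c <= 'Z') return c - 'A' + 12;
    if (c >= 'a' && c <= 'z') return c - 'a' + 38;
    return -1;
}

/* Two salt characters -> 12-bit index (0..4095); -1 if malformed or too short. */
int crypt_salt_index(const char *salt)
{
    int lo = salt_char_value((unsigned char)salt[0]);
    int hi = lo < 0 ? -1 : salt_char_value((unsigned char)salt[1]);
    return (lo < 0 || hi < 0) ? -1 : (lo | (hi << 6));
}

/* Build the E table selected by index: bit k set swaps entries k and k+24. */
void salted_e_table(int index, unsigned char out[48])
{
    memcpy(out, DES_E, sizeof DES_E);
    for (int k = 0; k < 12; k++) {
        if (!((index >> k) & 1)) continue;
        unsigned char tmp = out[k];
        out[k] = out[k + 24];
        out[k + 24] = tmp;
    }
}

int main(void)
{
    unsigned char e[48];
    int index = crypt_salt_index("ab");    /* constructed sample salt */
    if (index < 0) return 1;
    salted_e_table(index, e);
    printf("salt \"ab\" selects variant %d of 4096\n", index);
    for (int i = 0; i < 48; i++)
        printf("%2d%c", e[i], (i % 12 == 11) ? '\n' : ' ');
    return 0;
}
```

Each swap exchanges two entries that differ in the standard table, so every one of the 4096 index values yields a distinct expansion table and a dictionary precomputed for one salt does not apply to another.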