Re: Importance of salt
From: Valery Pryamikov (valery_at_harper.no)
Date: 09/17/05
- Next message: Dominick Baier [DevelopMentor]: "Re: Importance of salt"
- Previous message: Tim Wallace: "rsacsp decrypt error"
- In reply to: vla10d_at_gmail.com: "Importance of salt"
- Next in thread: Dominick Baier [DevelopMentor]: "Re: Importance of salt"
- Reply: Dominick Baier [DevelopMentor]: "Re: Importance of salt"
- Reply: vla10d_at_gmail.com: "Re: Importance of salt"
Date: Sat, 17 Sep 2005 10:36:29 +0200
Hi,
Dominick and William have already given you some answers, so here is just
some additional info for you.
You can check my older blog post:
http://www.harper.no/valery/PermaLink,guid,ea26f2f0-31f7-4707-89eb-191940d5bf63.aspx
where I discuss the differences and relations between salts and IV.
About passwords in cryptography - there are tons of resources; you can start
with http://www.google.com/search?hl=en&q=passwords+site%3Arsasecurity.com
and if you want the latest and best mathematical treatment of passwords - here
are some recent papers on the subject from several of the best experts in the field:
Passwords and Offline Guessing Attacks.
O. Goldreich and Y. Lindell, "Session Key Generation using Human
Passwords Only." Extended abstract in Proc. of Crypto 2001,
pp. 408-32, 2001.
J. Katz, R. Ostrovsky, and M. Yung, "Efficient and Secure
Authenticated Key Exchange Using Weak Passwords." Extended abstract
in Proc. of Eurocrypt 2001, pp. 475-94, 2001.
R. Gennaro and Y. Lindell, "A Framework for Password-Based
Authenticated Key Exchange." Extended abstract in Proc. of Eurocrypt
2003, pp. 524-43, 2003.
The full online versions are:
http://www.wisdom.weizmann.ac.il/~oded/PS/passwd3.ps
http://www.cs.umd.edu/~jkatz/papers/password.pdf
http://www.cs.biu.ac.il/~lindell/PAPERS/hash-password.ps
-Valery.
http://www.harper.no/valery
<vla10d@gmail.com> wrote in message
news:1126788688.707781.115640@g43g2000cwa.googlegroups.com...
> Hello,
>
> I have one question regarding the importance of salt in encryption.
>
> As I understand, the salt is used to prevent dictionary attacks. Also,
> it is recommended that the salt isn't always the same, and that it
> should be randomly generated for each message. This random salt should
> then be stored in the encrypted message, as a prefix for example, so
> that it could be retrieved during the decryption.
>
> Now, I don't understand how this helps with dictionary attacks? For
> example, if the attacker knows that the first 8 bytes for example are
> salt, can't he simply modify his attacking program to include that salt
> for each word he retrieves from the dictionary? The assumption here is
> that the attacker gets access to the original encryption software as
> well as the message.
>
> Secondly, can someone explain how the increased iterations in
> PasswordDeriveBytes help?
>
> Thanks for your help,
>
> V.
>
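The two points raised in the question (a salt stored in the clear, and the iteration count), as an added example that is not part of the original thread or any poster's code. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for .NET's PasswordDeriveBytes; the word list, passwords and function names are constructed for illustration.

```python
import hashlib
import os

SALT_LEN = 8  # matches the question's "first 8 bytes are salt" layout

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for .NET's PasswordDeriveBytes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def new_message_header(password: str, iterations: int):
    # Sender side: fresh random salt per message, stored in the clear as a prefix.
    salt = os.urandom(SALT_LEN)
    return salt, derive_key(password, salt, iterations)

def build_table(words, salt: bytes, iterations: int) -> dict:
    # Derived-key -> word table. It is valid for exactly one salt value.
    return {derive_key(w, salt, iterations): w for w in words}

def guessing_work(num_words: int, num_messages: int, iterations: int) -> int:
    # HMAC evaluations needed to try every word against every message when
    # each message carries its own salt, so no table can be shared.
    return num_words * num_messages * iterations

def demo() -> dict:
    words = ["letmein", "password", "dragon"]  # constructed word list
    iterations = 1000
    # Two messages protected with the same password but independent salts.
    salt_a, key_a = new_message_header("dragon", iterations)
    salt_b, key_b = new_message_header("dragon", iterations)
    table_a = build_table(words, salt_a, iterations)
    return {
        "same_password_same_key": key_a == key_b,
        "table_a_matches_message_a": table_a.get(key_a),
        "table_a_matches_message_b": table_a.get(key_b),
        "work_with_1_iteration": guessing_work(len(words), 2, 1),
        "work_with_1000_iterations": guessing_work(len(words), 2, iterations),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A known salt does not stop guesses against a single message; what it removes is reuse of one precomputed table across messages, while the iteration count multiplies the cost of every individual guess.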