Re: Newbie Salt and Pass Phrase Question.



Kristian Gjøsteen wrote:
Larry Lindstrom <nobody@xxxxxxxxxxx> wrote:
That makes sense. The salt has to be secret, where can it
be kept so the user has to only remember the pass phrase?

Ah. I generally interpret a salt to be a non-secret value. If you have
good passwords, having a non-secret salt isn't so bad.

If you want it to be secret, then it has to be _secret_. Storing it
somewhere obscure is not good enough. A common strategy is storing
it on a memory stick or something similar. The user inserts the stick
when he wants to access the database and removes it when he is done.
The software shuts down when the memory stick disappears. (The device
can be tied to the user's trousers to enforce this rule...)

Thanks again Kristian:

Don't forget the "Newbie" in the subject line.

The salt for generating PKCS 5 algorithm 2 keys doesn't
need to be secret?

If that's the case, will it be secure to generate one
salt for my application and use the same salt for every
user?

That would solve the problem.

Thanks
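An added illustration of the point under discussion, not code from the thread or either participant: PBKDF2 (PKCS #5 v2 algorithm 2) with a non-secret salt stored next to the derived key, and a small check showing what changes when one application-wide salt is shared by every user. The iteration count, key length and salt length are assumptions chosen for the example; HMAC-SHA256 is assumed as the PRF.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration (not from the thread): a modest
# iteration count so the example runs quickly, a 32-byte key, a 16-byte salt.
ITERATIONS = 20_000
KEY_LEN = 32
SALT_LEN = 16


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2 (PKCS #5 v2.0, KDF2) with HMAC-SHA256 as the PRF."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def create_record(passphrase: str, salt: Optional[bytes] = None) -> dict:
    """Per-user record: the salt (stored in the clear), the iteration count
    and the derived key. Passing `salt` lets the demo below reuse one salt
    for several users, which is the variant being asked about."""
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh random salt per user
    return {"salt": salt, "iterations": ITERATIONS,
            "key": derive_key(passphrase, salt, ITERATIONS)}


def verify(record: dict, passphrase: str) -> bool:
    """Recompute the key from the stored salt; the salt need not be secret
    because the passphrase is the only input an attacker lacks."""
    candidate = derive_key(passphrase, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def same_passphrase_gives_same_key(shared_salt: Optional[bytes]) -> bool:
    """Two users who chose the same passphrase. With one application-wide
    salt their stored keys are identical, so the store itself reveals the
    reuse and one precomputed table serves every user; with a fresh salt
    per user the stored keys differ."""
    alice = create_record("correct horse battery staple", shared_salt)
    bob = create_record("correct horse battery staple", shared_salt)
    return alice["key"] == bob["key"]


if __name__ == "__main__":
    rec = create_record("hunter2")
    print("salt (hex, stored in the clear):", rec["salt"].hex())
    print("verify correct passphrase:", verify(rec, "hunter2"))
    print("verify wrong passphrase:  ", verify(rec, "hunter3"))
    print("same key, one salt for the whole application:",
          same_passphrase_gives_same_key(b"app-wide-salt-01"))
    print("same key, random salt per user:             ",
          same_passphrase_gives_same_key(None))
```

The salt's job is to make each derivation unique, not to hide anything; that is why it can sit beside the key and why reusing one salt across users gives up the very property it exists to provide.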