By Abhishek Ghosh April 12, 2024 4:07 am Updated on April 12, 2024

What is Salt in Security/Cryptology

In cryptography, salt is a randomly chosen string of characters that is appended to a given plaintext before it is further processed (e.g., entered into a hash function) to increase the entropy of the input. It is widely used for storing and transmitting passwords to increase information security.

Passwords are not stored directly, but are hashed when an account is created, and the hash is stored in the database containing user data. When a user logs in, their password is hashed and compared to the stored hash to authenticate the user. Cryptographic hash functions such as BLAKE or SHA-2 are collision-resistant, i.e. they almost certainly generate different hash values from different inputs. The likelihood that different passwords will result in the same hash value can be neglected, and thus one can only log in with the correct password.

However, this also means that a match between two hashes shows with high certainty that the underlying passwords are the same, and an attacker can try to find the passwords by trial and error. An attacker who knows the hashes from a user database and also knows which hash function was used can hash candidate passwords and compare them with the hashes in the database, for example in the form of a dictionary attack. Each candidate password only needs to be hashed once to see whether any of the users chose it, so knowing the password hashes of many users multiplies the chances of success. With powerful parallel hardware (often GPGPU) and optimized algorithms, many millions of candidate passwords can typically be hashed per second.

In addition, rainbow tables already exist for many hash algorithms; they relate a set of possible passwords (e.g. all words in a dictionary) to hash values. If the hash value of a password belongs to this set, the password can be found much faster than by systematically trying out all passwords. There are two techniques that improve this situation: the use of a salt (and possibly also a pepper), and password hash functions, which require much more effort per hash calculation in order to slow down attacks, compared with functions optimized for efficiency such as SHA-2.

It is common practice to add salts to passwords. A password is no longer hashed directly, but is entered into the hash function together with the salt. The salt is usually randomly generated for each user when they create an account and is stored in the database along with the hash value and the rest of the user data.

Even a constant salt (the same for all users) would defeat the rainbow tables prepared for known hash functions, because the salt changes the mapping from passwords to hash values. In principle, rainbow tables could be created for password-salt combinations, but with a large enough number of possible salts this is completely impractical. It remains possible to try out passwords systematically, since an attacker who can access the database content usually also learns the salt. But because a separate salt is generated for each user, a hash value calculated from a candidate password and a salt is only valid for that one user: each candidate password must be rehashed for every user.
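
The following is an added example (not code from the article) of the salted storage and verification just described, with a cost model of the trial-and-error attack the article discusses. It uses plain SHA-256 over salt || password because that is the construction the text describes; a real deployment should use a slow password hash (see the password hash function section). All user records, passwords and the word list are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Added example: salted password storage as described in the article.
# SHA-256 is used only to mirror the text; use Argon2/scrypt/bcrypt in practice.

SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash salt || password with SHA-256 (the plain construction the text describes)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def register(db: Dict[str, dict], username: str, password: str,
             salt: Optional[bytes] = None) -> None:
    """Store a per-user random salt next to the hash. A caller may pass a fixed
    salt to model the 'constant salt for all users' variant from the text."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh CSPRNG salt for this account
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify(db: Dict[str, dict], username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def attack_cost_model(db: Dict[str, dict], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Model of the dictionary attack the article describes: someone holding the
    database tests every word against every user. Returns the (username ->
    password) mapping that the words would recover and the number of hash
    evaluations needed. A word has to be hashed once per *distinct* salt, so the
    count is len(wordlist) with a constant salt and len(wordlist) * users when
    every user has a unique salt. This is the whole reason per-user salts help."""
    by_salt: Dict[bytes, Dict[bytes, List[str]]] = {}
    for username, record in db.items():
        by_salt.setdefault(record["salt"], {}).setdefault(record["hash"], []).append(username)
    recovered: Dict[str, str] = {}
    evaluations = 0
    for salt, table in by_salt.items():
        for word in wordlist:
            evaluations += 1
            digest = hash_password(word, salt)
            for username in table.get(digest, []):
                recovered[username] = word
    return recovered, evaluations


# Constructed sample word list (not a real dictionary).
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]


def demo() -> dict:
    """Compare per-user salts with a constant salt on three constructed accounts."""
    accounts = [("alice", "letmein"), ("bob", "letmein"),  # alice and bob share a password
                ("carol", "correct horse battery staple")]

    per_user: Dict[str, dict] = {}
    for name, pw in accounts:
        register(per_user, name, pw)

    constant: Dict[str, dict] = {}
    fixed_salt = b"site-wide-salt!!"  # constructed constant salt
    for name, pw in accounts:
        register(constant, name, pw, salt=fixed_salt)

    _, cost_per_user = attack_cost_model(per_user, WORDLIST)
    _, cost_constant = attack_cost_model(constant, WORDLIST)
    return {
        "same_password_same_hash_per_user": per_user["alice"]["hash"] == per_user["bob"]["hash"],
        "same_password_same_hash_constant": constant["alice"]["hash"] == constant["bob"]["hash"],
        "cost_per_user_salt": cost_per_user,   # 5 words x 3 salts = 15
        "cost_constant_salt": cost_constant,   # 5 words x 1 salt = 5
    }


if __name__ == "__main__":
    print(demo())
```

With per-user salts, alice and bob end up with different stored hashes despite identical passwords, so a leaked database no longer reveals who shares a password, and every candidate word has to be hashed once per user rather than once overall.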

What is Pepper?

To further complicate dictionary and brute force attacks, the password can, in addition to the salt, be combined with a string that is chosen and kept secret when the server is set up before the hash value is calculated. This string is called the pepper and is usually the same for all passwords on a server. Choosing the pepper differently for each password increases security further. The difference between salt and pepper is that the pepper is not stored in the same database as the hash value, but in a different and as secure a place as possible. If an attacker only gains access to the database (e.g. via SQL injection), he/she still learns the hash values, but these now come from combinations of password and an unknown pepper. A dictionary attack is pointless because a dictionary is unlikely to accidentally contain any of the password-pepper combinations. A brute force attack is also made drastically more difficult, because not just the passwords but the combinations of password and pepper have to be tried.

It is often recommended to use an HMAC for storing passwords, with the pepper used there as the secret key.
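
As an added example (not code from the article), the HMAC construction suggested above, with the pepper as the HMAC key and the per-user salt and hash as the only values written to the database. The pepper value, user names and passwords are constructed for the example; in a deployment the pepper would be loaded from a secrets store or hardware key store, never from the user database.

```python
import hashlib
import hmac
import os
from typing import Dict

# Added example: pepper applied as the secret key of an HMAC over salt || password.
# PEPPER is a constructed value for this example; keep the real one out of the DB.
PEPPER = b"constructed-server-secret-pepper"


def peppered_hash(password: str, salt: bytes, pepper: bytes) -> bytes:
    """HMAC-SHA256 keyed with the pepper. Without the key, the stored value
    cannot be recomputed from the database contents alone."""
    return hmac.new(pepper, salt + password.encode("utf-8"), hashlib.sha256).digest()


def register(db: Dict[str, dict], username: str, password: str,
             pepper: bytes = PEPPER) -> None:
    """Only salt and hash go into the database record; the pepper stays outside it."""
    salt = os.urandom(16)
    db[username] = {"salt": salt, "hash": peppered_hash(password, salt, pepper)}


def verify(db: Dict[str, dict], username: str, password: str,
           pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and the server-side pepper; constant-time compare."""
    record = db.get(username)
    if record is None:
        return False
    candidate = peppered_hash(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])


def guess_matches_without_pepper(db: Dict[str, dict], username: str, guess: str) -> bool:
    """What someone holding only the database can check: the unkeyed hash of
    salt || guess. It never matches a peppered record, even for the correct
    password, which is why a dictionary is useless without the pepper."""
    record = db[username]
    unkeyed = hashlib.sha256(record["salt"] + guess.encode("utf-8")).digest()
    return hmac.compare_digest(unkeyed, record["hash"])


if __name__ == "__main__":
    users: Dict[str, dict] = {}
    register(users, "alice", "hunter2")
    print("login ok:", verify(users, "alice", "hunter2"))
    print("unkeyed guess of the right password matches:",
          guess_matches_without_pepper(users, "alice", "hunter2"))
```

Note that a record hashed with one pepper cannot be verified with another, so rotating the pepper requires re-hashing each user's password at their next successful login, or keeping the old pepper available until every record has been migrated.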

What are Password Hash Functions?

There are hash functions specifically designed for hashing passwords, such as bcrypt, scrypt, and Argon2. They allow the hashing effort to be adjusted so that the attacker bears the higher cost when trying out possible passwords. This is the same principle as key stretching. If, compared with a normal cryptographic hash function such as SHA-2, the effort required for hashing is increased by a factor of n, then the attacker also has to spend n times as long on each password, i.e. can try n times fewer passwords in a given time and has correspondingly lower chances of success. Hashing with SHA-2, for example, takes less than 10^-6 seconds on a modern computer, so n can often be chosen larger than 1000, depending on the expected login rate on the server and the available computing power.

The state of the art for this purpose is Argon2, which has also been designed to make the use of specially developed hardware (ASICs) more difficult. The user can determine not only the amount of time required, but also the amount of memory used and the degree of parallelism (number of processor cores used).
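
The following added example (not code from the article) shows tunable-cost password hashing with scrypt, which Python ships in the standard library; bcrypt and Argon2 need third-party packages but are used the same way. The encoded record format is this example's own, loosely modelled on the PHC string convention, so the cost parameters are stored alongside the hash and can be raised later without invalidating older records. The password values are constructed.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Dict

# Added example: scrypt with cost parameters n (CPU/memory), r (block size) and p
# (parallelism) recorded in the stored string. Defaults here are illustrative.
DEFAULT_N, DEFAULT_R, DEFAULT_P = 2 ** 14, 8, 1


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, n: int = DEFAULT_N, r: int = DEFAULT_R,
                  p: int = DEFAULT_P) -> str:
    """Return a self-describing record: $scrypt$n=..,r=..,p=..$salt$hash."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"$scrypt$n={n},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def parse(encoded: str) -> Dict[str, object]:
    """Split the record back into cost parameters, salt and hash."""
    _, scheme, params, salt_b64, hash_b64 = encoded.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme")
    cost = {k: int(v) for k, v in (kv.split("=") for kv in params.split(","))}
    return {"n": cost["n"], "r": cost["r"], "p": cost["p"],
            "salt": base64.b64decode(salt_b64), "hash": base64.b64decode(hash_b64)}


def verify(password: str, encoded: str) -> bool:
    """Re-run scrypt with the parameters stored in the record; constant-time compare."""
    rec = parse(encoded)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=rec["salt"],
                            n=rec["n"], r=rec["r"], p=rec["p"], dklen=len(rec["hash"]))
    return hmac.compare_digest(digest, rec["hash"])


def needs_rehash(encoded: str, n: int = DEFAULT_N, r: int = DEFAULT_R,
                 p: int = DEFAULT_P) -> bool:
    """True if the record was made with lower cost than current policy, so it
    should be re-hashed at the user's next successful login."""
    rec = parse(encoded)
    return rec["n"] < n or rec["r"] < r or rec["p"] < p


def time_one_hash(n: int, r: int = DEFAULT_R, p: int = DEFAULT_P) -> float:
    """Wall-clock seconds for one scrypt evaluation at the given cost; this is the
    per-guess cost an attacker also pays, and the basis for choosing n."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.scrypt(b"benchmark", salt=salt, n=n, r=r, p=p, dklen=32)
    return time.perf_counter() - start


if __name__ == "__main__":
    low, high = time_one_hash(2 ** 10), time_one_hash(2 ** 14)
    print(f"n=2^10: {low:.4f}s  n=2^14: {high:.4f}s  ratio ~ {high / low:.1f}x")
    record = hash_password("constructed-example-password", n=2 ** 10)
    print("verify:", verify("constructed-example-password", record))
    print("needs rehash at current policy:", needs_rehash(record))
```

Raising n from 2^10 to 2^14 multiplies both the login cost and the attacker's per-guess cost by roughly 16; the memory scrypt touches also grows with n and r (128 * r * n bytes), which is what makes it expensive on special-purpose hardware.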

Salt vs. Nonce

A nonce and padding are quite similar to a salt: they too are strings that carry no meaning of their own for the program or algorithm, or that are used in some other way than simply being appended to another string. The difference lies in the purpose and exact application of these strings.

While a salt is used with passwords to increase entropy, nonces and padding are used in encryption algorithms. The nonce ensures the “uniqueness” of a plaintext, so that even though the algorithm is deterministic, the ciphertext differs when the same plaintext is encrypted several times. The nonce should therefore also be as random as possible.

Padding, on the other hand, usually does not have to meet the criterion of randomness; it is used to make the length of the plaintext and ciphertext harder to determine, or to bring the length up to the block length.
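
To make the nonce and padding points concrete, here is an added example (not code from the article). The cipher is a toy counter-mode keystream built from HMAC-SHA256, used only so the example runs with the standard library; it is not a real cipher, and a deployment should use AES-GCM or ChaCha20-Poly1305 from a cryptography library. The key, nonces and messages are constructed. It shows that a fresh nonce makes two encryptions of the same plaintext differ, that reusing a nonce makes them identical and leaks the XOR of two plaintexts, and how padding brings a message up to the block length.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example: toy counter-mode stream built from HMAC-SHA256. Illustration
# only; use a real AEAD cipher in practice.
BLOCK = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key, nonce and a running counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes, block: int = BLOCK) -> bytes:
    """PKCS#7-style padding: fill to a block boundary, always adding at least
    one byte so the original length can be recovered."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strip padding, rejecting malformed trailers instead of silently guessing."""
    n = data[-1] if data else 0
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def encrypt(key: bytes, plaintext: bytes,
            nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Fresh random nonce per message unless one is supplied (supplying one is
    only done here to show what nonce reuse does)."""
    if nonce is None:
        nonce = os.urandom(12)
    padded = pad(plaintext)
    return nonce, xor(padded, keystream(key, nonce, len(padded)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return unpad(xor(ciphertext, keystream(key, nonce, len(ciphertext))))


def nonce_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With the same key and nonce, c1 XOR c2 == p1 XOR p2: the keystream cancels
    out and the relationship between the plaintexts is exposed without the key.
    This is the failure a unique nonce per message prevents."""
    return xor(c1, c2)


if __name__ == "__main__":
    key = os.urandom(32)
    n1, c1 = encrypt(key, b"attack at dawn")
    n2, c2 = encrypt(key, b"attack at dawn")
    print("fresh nonces -> different ciphertexts:", c1 != c2)
    print("padded length:", len(c1), "(from 14 plaintext bytes)")
    shared = bytes(12)  # deliberately reused nonce, for illustration only
    _, a = encrypt(key, b"same plaintext", shared)
    _, b = encrypt(key, b"same plaintext", shared)
    print("reused nonce -> identical ciphertexts:", a == b)
```

The padding here is the "bring the length up to the block length" use; it is deterministic, which is fine, because the nonce rather than the padding is what makes repeated encryptions differ.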

Problems With Salt

If a procedure only produces 1000 different salts, for example due to a programming error or a faulty implementation, creating a rainbow table can still be worthwhile. Such cases are referred to as “weak” salts. One such method is cached credentials, where the username is used as the salt. Rainbow tables can therefore still be created for widely used usernames, e.g. administrator.

Against brute force or dictionary attacks, in which various inputs are checked for a match with the hash value, a salt has no security-enhancing effect. For this purpose, computationally expensive calculations have to be interposed (key stretching), the aim being to slow down trial-and-error attacks to the point of practical uselessness.
