On Mon, 29 Oct 2007 14:24:23 -0500 [EMAIL PROTECTED] wrote: > So back in the bad old days when hashing was DES encryption of the > zero vector with a fixed key, someone came up with salt as a password > strengthening mechanism. > > I'm not quite sure why it was called salt. > > It perturbed the S-boxes in DES IIRC, but essentially it was a known > bit of text that was an input to the algorithm that varied between > entries, like an IV does with encryption. > > If there isn't already a term for this, I'm going to call this > general concept "individuation", or possibly "uniquification". > > Nowadays with strong hash algorithms, but rainbow tables and > low-entropy passwords as the threat, I'm wondering what the best > practice is. > > I was thinking of simply prepending a block of text to each passphrase > prior to hashing, and storing it with the hash - similar to salts in > passwd entries. > > It should have at least as much entropy as the hash output, maybe a > little more in case there's collisions. If it were uniformly random, > you could simply XOR it with the passphrase prior to hashing and save > yourself some cycles, right? > > Would it be appropriate to call this salt, an IV, or some new term?
That's an IV. I strongly suggest your read the Ritchie and Thompson paper on the reasons for the salt. While making sure that two identical passwords rarely hashed to the same value, it had another purpose: protecting against hardware attacks. Ritchie and Thompson assumed that there would be generic DES chips; they didn't want those to be used in a password-cracking machine. Accordingly, the salt was used to permute the E-box -- not the S-boxes -- to prevent that. --Steve Bellovin, http://www.cs.columbia.edu/~smb --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]