On 06 January 2003 17:50, Pinto, Ed wrote:
> I guess I'm somewhat confused about two commonly used terms - salt and
> nonce. What you refer to as "random salt" I've always thought as a
nonce
> ("number used once"). To me, the term salt has always represented a
> randomly generated, but persisted set of bytes that are used to make
> dictionary attacks impractical. Using my definition of salt, here is
my
> question in a little more detail.
My impression was that the salt is merely used to ensure that the same
password will result in different bytes. For example, if it were not
used in /etc/passwd then I would be able to see other people with the
same password as me because the data stored in the password file would
be identical. The salt value is very likely to be different so the data
would be even for the same password.
In your example, K+S is equivalent to the /etc/passwd entry so that buys
you the fact that you don't need to store the password in the clear. The
nonce N handles reducing the replay window. Essentially, then, you're
mixing the solution to two problems to arrive at your algorithm. That
seems fair.
Adrian.
You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced
DOTNET, or
subscribe to other DevelopMentor lists at http://discuss.develop.com.
