-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sven Radde escribió: > A salt essentially makes precomputed rainbow tables useless. > > A rainbow table consists of two columns, "password" and "hashed > password" and is filled by hashing a great number of passwords. Now, if > you know only the hash of a password, just look it up in the rainbow > table to get the original password. > > If a salt is being used, the hash is not computed as, e.g., > SHA1(password), but rather SHA1(salt+password). The salt is a random > number that does not need to be kept secret. > This way, even if you have a rainbow table for SHA1 ready, and even if > the password is in there, you cannot find it by looking up the hashed > value of the password, as a given password can hash to many different > values, depending on the salt used. > You would have to extend your rainbow table by a third column that > contains salt values, which would tremendously increase the size of the > table. Say, if you want 1 million passwords in your rainbow table, a > table without salt would simply have 1 million entries. With a 64 bit > salt, the table would have to be expanded to 1 million * 2^64 entries, > because you need to take every combination of hash+password into > account. > > HTH, Sven > Excellent explanation, thanks. But I still miss the point about the salt number doesn't need to be kept secret... I mean: if the salt value is not known to the program that must validate the password, then it can't validate it (since the hash produced by the password will never match the "salted" stored hash). That means the salt used must be stored somewhere... and if I get the stored hash, and the salt, I would just need to generate the rainbow tables adding the salt value I got... Wait, I think I am beginning to get the point... since the salt is random, I figure each user will have his own salt value... and that would mean I would have to generate 1 rainbow table for each user... but then, I would rather try to crack an admin password, and then reset the passwords of the users...
I already see the advantage of making pre built rainbow tables useless... but I feel I am missing the main thing.... Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBAgAGBQJIIBxPAAoJEIISGkVDGUEOLA0H/2jmMvjphVL8VKxFZOKMDw8o aF59ejrTGBVPK8xUulOziXpf43UBvwF8szRAg9NV/LgrO3knGcOviKkCFsP4vQQ8 jqO81YgTLv/JUwqmOTdpPz5wFwJs90GZln0P5X7c5HH3ZVFE1NkMCAYVX0Kd2tM9 9H8LAFCFpKgSrROzjSsZEI6x/dTLgerP/FtTIT/1qQvXCqkN0j7Rj7xn9lf7WAps wIRsC9/aY57nZMwIKgxdDuvqUW9+MOGa5IXgRL4FAA5Yk11y/OLY5JFillt6WonL szsX11I6+5Ats2clUiNfGOwNXGggZE2DwuHBY/kcxdw0wrTBYhwaNplf7hQdHh4= =ut51 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
