On Tue, May 06, 2008 at 04:52:31AM -0400, Faramir wrote:
[snip Sven Radde's explanations about the salt]
> Excellent explanation, thanks. But I still miss the point about the
> salt number doesn't need to be kept secret... I mean: if the salt value
> is not known to the program that must validate the password, then it
> can't validate it (since the hash produced by the password will never
> match the "salted" stored hash). That means the salt used must be stored
> somewhere... and if I get the stored hash, and the salt, I would just
> need to generate the rainbow tables adding the salt value I got... Wait,
> I think I am beginning to get the point... since the salt is random, I
> figure each user will have his own salt value... and that would mean I
> would have to generate 1 rainbow table for each user... but then, I
> would rather try to crack an admin password, and then reset the
> passwords of the users...
It seems that you are missing another important point about the salt - it is generated randomly each and every time something needs to be encrypted :) There is no such thing as "the salt value for this user"; every time this user wants to hash a password, the system generates a random salt value and hashes this particular password, just this once, with this value.

Hope that helps :)

G'luck,
Peter

--
Peter Pentchev [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.
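As an added example, not part of this thread or of any project discussed in it: a salted password store built on Python's standard library (PBKDF2-HMAC via hashlib; the record format and the function names are my own). It shows the point both posters circle around: the salt is stored in the clear next to the digest, hashing the same password twice gives two different records, and verification still succeeds because the verifier reads the salt from the record.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt and return a storable record.

    The record carries the salt in the clear. It is not a secret; it only
    makes every stored hash unique, so one precomputed table cannot be
    reused against all of them."""
    if salt is None:
        salt = os.urandom(16)  # new random salt for every single hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, digest)."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt, stored = parse_record(record)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, stored)


def salts_differ(password: str) -> bool:
    """Hashing the same password twice yields two different salts and records."""
    a, b = hash_password(password), hash_password(password)
    return parse_record(a)[1] != parse_record(b)[1] and a != b


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong guess", rec))                    # False
    print(salts_differ("correct horse battery staple"))           # True
```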