worth it's salt in security

prothero at earthlearningsolutions.org prothero at earthlearningsolutions.org
Wed Jun 6 22:12:59 EDT 2018


Brian, 
This, accidentally, didn’t go to the list. Sorry.

Thanks for your reply. I will look into the OpenSSL utility. But, from what I can figure, it seems that the decode process extracts the salt from the encrypted password. And for me, I’m encrypting a MySQL query, so I assume it will be the same. I’m not on my computer for a week or so now, but I think I’m far enough along to solve this by diddling with the php.

Best,
Bill

William Prothero
http://earthlearningsolutions.org

> On Jun 6, 2018, at 6:44 PM, Brian Milby <brian at milby7.com> wrote:
> 
> From the dictionary:
> 
> The password and salt value are combined and scrambled to form the key and IV which are used as described above. The key derivation process is the same as that used in the openSSL utility. A 16-byte salt prefix is prepended to the encrypted data, based on the salt value. This is used in decryption. If no salt value is specified for a password, one is randomly generated. The use of a randomized salt value is a protection against dictionary attacks.
> 
> I have not tried this yet though. One point is that it is either key and IV or password and salt.
>> On Jun 6, 2018, 6:50 PM -0500, prothero--- via use-livecode <use-livecode at lists.runrev.com>, wrote:
>> Kee,
>> So does the decrypt need the salt somehow? Or does it get it from the stuff that is encrypted with the salt? That is, when I encrypt “with salt my salt” does the decode function somehow get the salt from the encoded data, because it has the “key”?
>> 
>> Btw, thanks for responding,
>> Bill
>> 
>> William Prothero
>> http://earthlearningsolutions.org
>> 
>>> On Jun 6, 2018, at 3:48 PM, kee nethery via use-livecode <use-livecode at lists.runrev.com> wrote:
>>> 
>>> There is a bunch of basic info on the use of a salt on the web. The wikipedia article is a good start. It depends upon where and how you are using it. Mostly they discuss using a salt with a hash function. They recommend a long salt. They recommend storing the salt with the hashed password.
>>> 
>>> User enters their name and password. You look up the salt for their name. You hash the password they provided using the salt you have stored for them. You compare the hash with the hash you had stored. If they match, bingo.
>>> 
>>> The salt eliminates the ability for a hacker to use a rainbow table. It is trivial to buy a CD of all hashes for all possible password that are 1 to 14 characters in length. Take a hash, look it up on the CD, and it displays the original password that created that hash.
>>> 
>>> Now … if you use a salt, your hash for that password will not match the hash for that password in the rainbow table on the CD. If you have a 32 character salt that is different for each password, assuming lower and upper case ascii and numbers (26 + 26 + 10 = 62) the number of possible salts for a 32 char salt is 62^32. To pre-compute rainbow table for each 14 char possible password would mean 2.27 * 10^57 rainbow tables. Just isn’t practical. So they would have to snag your password table, see the salts for each password, create a rainbow table for that salt, then do a lookup to see if the hash you stored is in the rainbow table. if yes, they know the users password. For the next password, new rainbow table.
>>> 
>>> So for a password hash, use a 32 char salt, and store the salt along with the password hash, and toss the password, don’t store it.
>>> 
>>> Kee
>>> 
>>>> On Jun 6, 2018, at 2:52 PM, prothero--- via use-livecode <use-livecode at lists.runrev.com> wrote:
>>>> 
>>>> I’m in LC 9.0.0 and Encryption is discussed, and the code is shown to set a salt. However, the docs say it’s beyond the scope of the docs to explain how to choose a salt. For example, how many characters need to be in a salt. Are any characters permissible? Are all character formats permissible? There is no guidance on what makes an acceptable salt.
>>>> 
>>>> Best,
>>>> Bill
>>>> 
>>>> William Prothero
>>>> http://earthlearningsolutions.org
>>>> 
>>>>> On Jun 6, 2018, at 2:40 PM, Bob Sneidar via use-livecode <use-livecode at lists.runrev.com> wrote:
>>>>> 
>>>>> The encrypt command in the dictionary has that info.
>>>>> 
>>>>> Bob S
>>>>> 
>>>>> 
>>>>>> On Jun 6, 2018, at 14:16 , prothero--- via use-livecode <use-livecode at lists.runrev.com> wrote:
>>>>>> 
>>>>>> I’ve been having questions about aes 256 encryption lately. I encrypt MySQL queries and data ,(in livecode) before sending it to a php script on my remote server. The php version returns a warning message that I am not using a salt, which reduces security. Ok, but I can’t find info about how to create and use salts. What are the parameters needed to make a salt, and do I have to do anything to my decode script in php to make it recognize the salt?
>>>>>> 
>>>>>> It would be wonderful if there was a sample code for this.
>>>>>> 
>>>>>> Best,
>>>>>> Bill
>>>>>> 
>>>>>> William Prothero
>>>>>> http://earthlearningsolutions.org



More information about the use-livecode mailing list