worth its salt in security

prothero at earthlearningsolutions.org
Wed Jun 6 23:37:34 EDT 2018


Hmmm....
If the salt is included in the encrypted text, doesn’t that enable anyone who intercepts it to decrypt it more easily, invalidating the purpose of using the salt in the first place?

Or, if the server decrypting the text uses a standard, but secret, salt that is known by both parties, it seems more reasonable to me.

Sorry if I’m being dense.
Bill

William Prothero
http://earthlearningsolutions.org

> On Jun 6, 2018, at 7:56 PM, Brian Milby via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> I’m not sure what the original thread was using the salt for but the initial post in this one was more about hashing. The question about encryption was introduced so I answered that.
> 
> For encryption, it looks like there is only an effective 8 byte salt (the first 8 are static - “Salted__”). Specifying more than 8 bytes does not change the resulting encrypted text.
> 
> Since LC does include the salt, it does not need to be separately provided to decrypt. If you strip the salt (first 16 bytes), then you must supply the salt to decrypt. Providing the salt without stripping it from the encrypted text did not pose a problem in my test.
>> On Jun 6, 2018, 9:32 PM -0500, Richard Gaskin via use-livecode <use-livecode at lists.runrev.com>, wrote:
>> Brian Milby wrote:
>>> From the dictionary:
>>> 
>>> The password and salt value are combined and scrambled to form the key
>>> and IV which are used as described above. The key derivation process
>>> is the same as that used in the openSSL utility. A 16-byte salt prefix
>>> is prepended to the encrypted data, based on the salt value. This is
>>> used in decryption.
>> 
>> "decryption"?
>> 
>> Are we talking about hashing or encrypting?
>> 
>> --
>> Richard Gaskin
>> Fourth World Systems
>> Software Design and Development for the Desktop, Mobile, and the Web
>> ____________________________________________________________________
>> Ambassador at FourthWorld.com http://www.FourthWorld.com
>> 
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
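The layout and key derivation discussed in this thread, as an added example that is not code from any poster or from LiveCode: it splits a "Salted__" blob into salt and ciphertext and runs an OpenSSL-style `EVP_BytesToKey` derivation to show what an interceptor who holds only the salt can and cannot compute. The MD5 digest, the single iteration, the AES-256-CBC key and IV sizes, and the passwords and salt bytes are assumptions or constructed values; the thread says only that the derivation matches the openSSL utility.

```python
import hashlib

MAGIC = b"Salted__"  # fixed 8-byte marker; the next 8 bytes are the salt


def split_salted(blob):
    """Return (salt, ciphertext) from an OpenSSL-style 'Salted__' blob."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("missing Salted__ header")
    return blob[8:16], blob[16:]


def bytes_to_key(password, salt, key_len=32, iv_len=16, digest="md5"):
    """One-iteration EVP_BytesToKey: D_i = H(D_{i-1} || password || salt).

    digest and lengths are assumptions (MD5, AES-256-CBC sizes).
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def demo():
    # Constructed sample: header + 8-byte salt + placeholder ciphertext bytes.
    blob = MAGIC + bytes.fromhex("0102030405060708") + b"\x00" * 32
    salt, body = split_salted(blob)
    right = bytes_to_key(b"correct horse", salt)
    # An interceptor reads the salt from the blob but must still guess the password.
    wrong = bytes_to_key(b"wrong guess", salt)
    # Same password under a different salt: different key, so precomputed
    # password-to-key tables cannot be reused across messages.
    other = bytes_to_key(b"correct horse", bytes(8))
    return {
        "salt_hex": salt.hex(),
        "body_len": len(body),
        "salt_alone_gives_key": right == wrong,
        "same_key_across_salts": right == other,
        "receiver_rederives_key": right == bytes_to_key(b"correct horse", salt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```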
