worth its salt in security

prothero at earthlearningsolutions.org
Thu Jun 7 11:01:42 EDT 2018


Folks,
What I get out of this is, for password protection, you use hashed encryption where you don’t need to return the original password. Only the hashed password is used to validate the login.

However, if you need to recover the original encrypted text, like for an SQL query that you sent to your remote server, you need to use a different encryption method that can be reversed.

Right?
Bill

William Prothero
http://earthlearningsolutions.org

> On Jun 7, 2018, at 7:51 AM, Brian Milby via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> If you strip the first 16 bytes then you must provide the salt to decrypt. If you leave the salt, then you just need the password to decrypt.
>> On Jun 7, 2018, 9:45 AM -0500, Bob Sneidar via use-livecode <use-livecode at lists.runrev.com>, wrote:
>> Okay I think I get it. I noticed the beginning of the hash contained "Salted__" but I didn't know why! Are you saying I can strip that along with the next 8 bytes, and the hash will be intact, and I can decrypt it without the salt??
>> 
>> Bob S
>> 
>> 
>>> On Jun 6, 2018, at 21:06 , Brian Milby via use-livecode <use-livecode at lists.runrev.com> wrote:
>>> 
>>> If you are using a known salt, then I would say it makes sense to strip it. It would make it easier to decrypt if included, but still not easy to break a cipher that isn’t already cracked.
>>> 
>>> Since only 8 bytes of the salt are unique/used, it may be better to generate your own key instead of using the built in password and salt, but I’m not a security expert.
>>> 
>>> If you are just using a password, then a random salt is added. That means that each encrypted message (even if the message and password are the same) will be unique.
>>>> On Jun 6, 2018, 10:38 PM -0500, prothero--- via use-livecode <use-livecode at lists.runrev.com>, wrote:
>>>> Hmmm....
>>>> If the salt is included in the encrypted text, doesn’t that enable anyone who intercepts it to decrypt it more easily, invalidating the purpose of using the salt in the first place?
>>>> 
>>>> Or, if the server decrypting the text uses a standard, but secret, salt that is known by both parties, it seems more reasonable to me.
>>>> 
>>>> Sorry if I’m being dense.
>>>> Bill
>>>> 
>>>> William Prothero
>>>> http://earthlearningsolutions.org
>>>> 
>>>>> On Jun 6, 2018, at 7:56 PM, Brian Milby via use-livecode <use-livecode at lists.runrev.com> wrote:
>>>>> 
>>>>> I’m not sure what the original thread was using the salt for but the initial post in this one was more about hashing. The question about encryption was introduced so I answered that.
>>>>> 
>>>>> For encryption, it looks like there is only an effective 8 byte salt (the first 8 are static - “Salted__”). Specifying more than 8 bytes does not change the resulting encrypted text.
>>>>> 
>>>>> Since LC does include the salt, it does not need to be separately provided to decrypt. If you strip the salt (first 16 bytes), then you must supply the salt to decrypt. Providing the salt without stripping it from the encrypted text did not pose a problem in my test.
>>>>>> On Jun 6, 2018, 9:32 PM -0500, Richard Gaskin via use-livecode <use-livecode at lists.runrev.com>, wrote:
>>>>>>> Brian Milby wrote:
>>>>>>> From the dictionary:
>>>>>>> 
>>>>>>> The password and salt value are combined and scrambled to form the key
>>>>>>> and IV which are used as described above. The key derivation process
>>>>>>> is the same as that used in the openSSL utility. A 16-byte salt prefix
>>>>>>> is prepended to the encrypted data, based on the salt value. This is
>>>>>>> used in decryption.
>>>>>> 
>>>>>> "decryption"?
>>>>>> 
>>>>>> Are we talking about hashing or encrypting?
>>>>>> 
>>>>>> --
>>>>>> Richard Gaskin
>>>>>> Fourth World Systems
>>>>>> Software Design and Development for the Desktop, Mobile, and the Web
>>>>>> ____________________________________________________________________
>>>>>> Ambassador at FourthWorld.com http://www.FourthWorld.com
>>>>>> 
>>>>>> _______________________________________________
>>>>>> use-livecode mailing list
>>>>>> use-livecode at lists.runrev.com
>>>>>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>>>>>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>>> 
>>>> 
>> 