worth it's salt in security

Richard Gaskin ambassador at fourthworld.com
Thu Jun 7 00:18:12 EDT 2018


Bill Prothero wrote:

 > On Jun 6, 2018, at 7:32 PM, Richard Gaskin wrote:
 >> Are we talking about hashing or encrypting?
 >
 > Richard,
 > I’m talking about using the LC encrypt command, with aes-256
 > encryption.

Thanks. The mention of passwords in this discussion threw me.


 > I’m trying to figure out how the “salt” works, because
 > my php code sends me a warning that I am not using a salt,
 > or IV to encrypt the sql query. I bought Andre Garza’s database
 > software and have modified it pretty extensively. But, I’ve used his
 > encryption implementation. His code doesn’t use a salt in his
 > encryption implementation. So, I’m trying to get some info on how
 > to implement the salt, and I haven’t had much luck with google.
 > It seems to be one of those things where the experts are speaking
 > a different language, one I don’t understand. Perhaps it’s so trivial
 > that I’m missing the mark utterly.

A salt is any random set of bytes.  I would imagine LC's randomBytes 
function would do the trick, or even UUID("random") may suffice.


 > If the salt is included in the encrypted text, doesn’t that enable
 > anyone who intercepts it to decrypt it more easily, invalidating
 > the purpose of using the salt in the first place?
 >
 > Or, if the server decrypting the text uses a standard, but secret,
 > salt that is known by both parties, it seems more reasonable to me.

The salt isn't a second password, just a way to produce unique output to 
slow down cracking.

Kee's post on salting passwords covers the benefits:
http://lists.runrev.com/pipermail/use-livecode/2018-June/247634.html

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com
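The two questions above (is the salt a secret, and why does it help if it is sent or stored in the clear?) can be answered with a small demonstration. The following is an added example, not code from the post, from Andre Garza's database software, or from LiveCode; it uses Python's standard library rather than LC's encrypt command, and it shows the password-storage case that Kee's linked post covers. The iteration count, salt length and the "salt$digest" record layout are choices made for this example. The same principle applies to the IV passed to an AES encrypt call: it is generated fresh for each message, transmitted next to the ciphertext, and does not need to be secret; the secrecy lives entirely in the key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Parameters chosen for this example (not taken from the mailing list post).
ITERATIONS = 200_000   # PBKDF2 work factor; raise as hardware allows
SALT_LEN = 16          # 128-bit random salt per record


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given.

    The salt is not a second password: anyone may see it. Its job is to make
    the digest of one password differ from every other record's digest.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def make_record(password: str) -> str:
    """Build the stored record: salt and digest side by side, both hex, in the clear."""
    salt, digest = hash_password(password)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the digest using the salt read back from the record itself."""
    salt_hex, digest_hex = record.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    _, digest = hash_password(password, salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_differs(password: str) -> bool:
    """Two records for the same password get different salts, hence different digests."""
    return make_record(password) != make_record(password)


def build_lookup_table(candidates: Tuple[str, ...], salt: bytes) -> Dict[bytes, str]:
    """Precompute digest -> candidate for ONE salt (what a per-record salt defeats)."""
    return {hash_password(c, salt)[1]: c for c in candidates}


def table_reuse_fails(password: str, candidates: Tuple[str, ...]) -> bool:
    """Show that a table built against record A's salt finds nothing in record B,
    even though both records hold the very same password."""
    record_a = make_record(password)
    record_b = make_record(password)
    salt_a = bytes.fromhex(record_a.split("$", 1)[0])
    digest_b = bytes.fromhex(record_b.split("$", 1)[1])
    table = build_lookup_table(candidates, salt_a)
    return digest_b not in table


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    rec = make_record("correct horse")
    print("record:", rec)
    print("verify good:", verify("correct horse", rec))
    print("verify bad: ", verify("wrong", rec))
    print("same password, different records:", same_password_differs("correct horse"))
    print("table built for one salt misses the other:", table_reuse_fails("correct horse", ("wrong", "correct horse", "hunter2")))
```

Because the salt is read back out of the record during verification, storing or transmitting it in the clear is the normal design, not a weakness; what the salt buys is that every record must be attacked separately, which is exactly the "slow down cracking" effect mentioned above.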
