worth it's salt in security

Richard Gaskin ambassador at fourthworld.com
Thu Jun 7 00:18:12 EDT 2018


Bill Prothero wrote:

 > On Jun 6, 2018, at 7:32 PM, Richard Gaskin wrote:
 >> Are we talking about hashing or encrypting?
 >
 > Richard,
 > I’m talking about using the LC encrypt command, with aes-256
 > encryption.

Thanks. The mention of passwords in this discussion threw me.


 > I’m trying to figure out how the “salt” works, because
 > my php code sends me a warning that I am not using a salt,
 > or IV to encrypt the sql query. I bought Andre Garza’s database
 > software and have modified it pretty extensively. But, I’ve use his
 > encryption implementation. His code doesn’t use a salt in his
 > encryption implementation. So, I’m trying to get some info on how
 > to implement the salt, and I haven’t had much luck with google.
 > It seems to be one of those things where the experts are speaking
 > a different language, one I don’t understand. Perhaps it’s so trivial
 > that I’m missing the mark utterly.

A salt is any random set of bytes.  I would imagine LC's randomBytes 
function would do the trick, or even UUID("random") may suffice.


 > If the salt is included in the encrypted text, doesn’t that enable
 > anyone who intercepts it to decrypt it more easily, invalidating
 > the purpose of using the salt in the first place.
 >
 > Or, if the server decrypting the text uses a standard, but secret,
 > salt that is known by both parties, it seems more reasonable to me.

The salt isn't a second password, just a way to produce unique output to 
slow down cracking.

Kee's post on salting passwords covers the benefits:
http://lists.runrev.com/pipermail/use-livecode/2018-June/247634.html

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com




More information about the Use-livecode mailing list