encryption - Block ciphers SALT: clear text or secret? -


There are many articles and quotes on the Web that a 'salt' should be kept secret even on Wikipedia entry :

For the best protection, the value of salt is kept secret, the password is different from the database. It provides a benefit when the database is stolen but not salt. In order to set a password from the stolen hash, an attacker can not try the normal password (such as the word or name of the English language). Rather, they have to count the swans of random characters (at least those who know about input are salt), which is very slow.

Since I know about a fact, encryption salt (or initial vector) is okay to store on clear text with encrypted text, I Is ask?

My idea is that the origin of the problem is a common misconception between encryption salt ( initial vector of block cipher) and hashing 'salt'. It is a common practice to add a common, or 'salt' to the collection of hashed passwords, and this (minor) is true that 'salt' is kept secret, in lieu it does not make salt, But there is a key similar to the very clearly designated Secret . If you added the article to Wikipedia 'salt' entry you will see that this is the kind of 'salt' you are talking about, has a password hash I disagree with most of these plans because I believe that password Storage plans should also be allowed, in this case only the potential storage user name is the Highest Digest: realm: password, see.

If you have any opinion on this issue, please post it as a response here.

  1. Do you think the salt should be hidden for cipher encryption? Explain why and how .
  2. Do you agree that the blanket details 'salts should be hidden' is generated by salted hashing and does not apply to encryption?
  3. Can we include REP ciphers (RC4) in the discussion?

If you are talking about IV, in block cipher, it definitely Should be clear from Most people secretly make their peers weak IV

The fourth should be random, each encryption should be different, it is very difficult to manage a random IV. Some people only use a certain IV, defeating the purpose of IV.

I used to work with a password with a password, which was encrypted with secret IV. The same password is always encrypted with the same cipher text. This rainbow table is very prone to attack.


Comments

Popular posts from this blog

MySql variables and php -

url rewriting - How to implement the returnurl like SO in PHP? -

Which Python client library should I use for CouchdB? -