Very Secure Password Hashing using unknown salts.

Coding Critique is the place to post source code for peer review by other members of DevNetwork. Any kind of code can be posted. Code posted does not have to be limited to PHP. All members are invited to contribute constructive criticism with the goal of improving the code. Posted code should include some background information about it and what areas you specifically would like help with.


Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Very Secure Password Hashing using unknown salts.

Post by Jonah Bron »

Unless they have the code of course?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Very Secure Password Hashing using unknown salts.

Post by VladSun »

Benjamin wrote:
VladSun wrote: I think rainbow attacks or dictionary attacks are useless (or at least very hard to apply) for salted hashes even if the salt is known.
What makes you say this?
Both dictionary attacks (I'm not talking about brute-force dictionary attacks which may be/are very SLOW) and rainbow attacks have precalculated tables of values. When salt is used, these table values do not match anymore.
There are 10 types of people in this world, those who understand binary and those who don't
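VladSun's point above, that a precomputed table stops matching the moment a salt enters the hash, as an added illustration written for this page; it is not code from the thread or from any poster, and the scheme under review in this thread is not shown here. The candidate list, the SHA-256 hash and the salt || password layout are assumptions of the example.

```python
import hashlib
import os

# Constructed candidate list; stands in for the word list behind a precomputed table.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "dragon"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def store_unsalted(password):
    """Stored value for an unsalted scheme: just hash(password)."""
    return sha256_hex(password.encode())


def store_salted(password, salt):
    """Stored values for a plain in-database salt: (salt_hex, hash(salt || password))."""
    return salt.hex(), sha256_hex(salt + password.encode())


def precomputed_table(candidates):
    """Built once, ahead of time, with no knowledge of any particular database."""
    return {sha256_hex(pw.encode()): pw for pw in candidates}


def precomputed_lookup(table, digest_hex):
    """The only operation a precomputed table supports: an exact-match lookup."""
    return table.get(digest_hex)


def demo():
    table = precomputed_table(CANDIDATES)
    # Unsalted: the stored digest is exactly one of the table's keys.
    found_unsalted = precomputed_lookup(table, store_unsalted("123456"))
    # Salted: the stored digest depends on a salt the table builder never saw,
    # so the same weak password is no longer found by lookup.
    salt = os.urandom(16)
    _, salted_digest = store_salted("123456", salt)
    found_salted = precomputed_lookup(table, salted_digest)
    return found_unsalted, found_salted


if __name__ == "__main__":
    print(demo())  # ('123456', None)
```

The table would have to be rebuilt for every distinct salt to recover the match, which is why, against salted hashes, the attacker's cost becomes a per-salt dictionary run rather than a one-time precomputation; that is the distinction Mordred draws further down the thread.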
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Very Secure Password Hashing using unknown salts.

Post by VladSun »

Jonah Bron wrote: Unless they have the code of course?
Considering "not having the code" (which is an obscure method IMHO) something like this will be much easier and stronger:
hash(crypt(salt + password))
where crypt is an encrypting function.
There are 10 types of people in this world, those who understand binary and those who don't
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Very Secure Password Hashing using unknown salts.

Post by Benjamin »

Jonah Bron wrote: Unless they have the code of course?
No, even with the code they cannot determine the salt length without knowing the actual length of the password.
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Very Secure Password Hashing using unknown salts.

Post by Jonah Bron »

But if they're using a rainbow table, they're guessing, right? So if they guess right, they also guess the salt right (providing they know how the salt is generated). Right?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Very Secure Password Hashing using unknown salts.

Post by Mordred »

On the minus side, you're working from a wrong (security-wise) assumption and you have a "bug" in your code.
On the plus side, the "bug" is a problem only in regards to your assumption, and since the assumption is wrong, the bug has no negative consequences (as far as I can see).
After the bottom line, what you do is secure enough, even if it doesn't add anything useful to the security properties of a salted password.

Details:

The assumption that a salt that is kept (albeit transformed) in the database can be a "secret" is wrong. Everything you need to check if "123456" is a password is in the database, even if it's moved around a bit.

The "bug" is that the left/right pieces are not so "secret". The sum of their lengths (L) is a fixed value, dependent on the hash function being used. For whirlpool, it's 21 hex digits, for sha256 it's 10, for sha1 it's 6, for md5 it's 5. To retrieve the left/right pieces of the salt, you simply need L attempts taking the leftmost K hex digits and the rightmost L-K digits. Not that you would need to do it when attacking the hashes; that's why this bug doesn't matter to the overall security.

In the end, what the function does is no different than keeping the salt separately in the database. The difference is actually a bit to the worse, as the salt length is made dependent on the hash function used, instead of the desired password strength as it should be. For example with md5 the salt is only 5 hex digits, 20 bits, the equivalent of about 3.5 mixed cap characters.

I think the confusion came from mixing what the different attacks do:
For a stolen database of unsalted hashes, precomputed attack methods (aka rainbow tables, but there are others as well) work well.
For a stolen database of salted hashes with in-database salts, dictionary attacks work well. In the edge case of weak salts (as this code would do for md5, sha1, arguably for sha256) precomputed tables would work as well.

If you really want to add security, use multifactor salts (aka salt-and-pepper), I've explained this in an old article (draft) in the security forum:
viewtopic.php?f=34&t=62782

Some elements of the article are not quite correct, for example I would now recommend using HMAC for mixing the password and the salt, but overall it stands.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Very Secure Password Hashing using unknown salts.

Post by Benjamin »

Interesting. I could have sworn I tested the salt lengths. I will need to update that so that the salt lengths are specifically based on the password length, or some other element specific to the password.

On the bright side it's still very secure. If you want to create an updated version feel free to take a crack at it.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Very Secure Password Hashing using unknown salts.

Post by Mordred »

Benjamin wrote: Interesting. I could have sworn I tested the salt lengths. I will need to update that so that the salt lengths are specifically based on the password length, or some other element specific to the password.

On the bright side it's still very secure. If you want to create an updated version feel free to take a crack at it.
Erm, no, you don't have to update it. It makes no difference, as I did (try to) explain. There's absolutely no benefit from using this compared to simply keeping the salt in another column. Plus, for some hashes your salts are weak.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Very Secure Password Hashing using unknown salts.

Post by Benjamin »

How can a known salt not be less secure than an unknown salt? Crack it:

5794bb03a911e3530c17c8547e7cedc277500bae22172e4cc7a470cc5a77b232a97826d109379378ff754f3dc31f1c04d2ae9cadf0c5fb6c0e234e6a7a437246

If you can't crack this knowing the salt, how do you plan on cracking it without knowing the salt?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Very Secure Password Hashing using unknown salts.

Post by Mordred »

You are still not grokking my overview paragraph on how to attack hashes. Salted hashes, your scheme included, are attacked with a dictionary/bruteforce.
Benjamin wrote: If you can't crack this knowing the salt, how do you plan on cracking it without knowing the salt?
If I can't crack this knowing the salt, it means your password was not in my dictionary, well done. You will note though that salts are used to prevent attacks against weak passwords; strong passwords are secure even with weak hashing schemes.

If, on the other hand, your password is in my dictionary, I will not worry about the salt at all, I will just call your function for every password in there and it will happily extract the correct salt from the hash (for the correct password, I don't care about the failed attempts).

Note that this will be true no matter what "fixes" you do in the implementation of your function, as such it is no different than just keeping the salt in a separate column, as I already conjectured. The only fixes I would recommend is to increase the salt length (which is a definite problem in your current scheme) and use HMAC.
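Mordred's recommendation across his two posts (a per-user salt whose length is set by policy rather than by the hash function, a pepper kept outside the database, and HMAC to combine them) as an added example written for this page; it is not Benjamin's function under review nor any poster's code. SALT_BYTES, PBKDF2_ROUNDS, the SHA-256 choice and the pepper value in the demo are assumptions of the example, and the PBKDF2 stretching step goes beyond what the thread discusses: it is included because a deliberately slow key derivation is the standard way to raise the cost of the per-password dictionary run the thread describes.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16          # assumed policy value; deliberately independent of the hash function
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to the deployment's hardware


def hash_password(password, pepper, salt=None):
    """Return (salt, tag).

    salt is stored in the database next to tag; pepper is the second factor of
    the "salt-and-pepper" scheme and lives outside the database (app config, KMS).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    # Per-user random salt: defeats precomputed tables and makes each guess user-specific.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # HMAC keyed with the pepper: a stolen salt+tag pair cannot be checked against
    # candidate passwords by anyone who has the database but not the pepper.
    tag = hmac.new(pepper, salt + stretched, hashlib.sha256).digest()
    return salt, tag


def verify_password(password, pepper, salt, tag):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, tag)


def demo():
    # Constructed pepper; in a real deployment it would be loaded from outside the DB.
    pepper = b"constructed-pepper-kept-in-app-config"
    salt, tag = hash_password("correct horse battery staple", pepper)
    return (
        verify_password("correct horse battery staple", pepper, salt, tag),   # True
        verify_password("123456", pepper, salt, tag),                         # False
        verify_password("correct horse battery staple", b"other", salt, tag), # False: wrong pepper
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The third check is the one the thread's scheme cannot offer: with the salt (however it is folded into the stored string) and the hash in the same stolen database, every candidate password can be tested, whereas the pepper is exactly the secret that is not in the database and so is not recovered by calling the function.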