Re: [WEB SECURITY] Salt Storage - web.config or database?
- From: "Andy Steingruebl" <steingra@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Salt Storage - web.config or database?
- Date: Thu, 17 Jan 2008 13:00:43 -0800
On Jan 17, 2008 9:09 AM, Andres Andreu <andres@xxxxxxxxxxxxx> wrote:
>
> On the subject of storing salts for use with hashes please understand that
> the protection of the salt is critical. The LDAP model is now exploitable
> and we recently released a proof of concept cracker for LDAP salted hashes.
> It covers the majority of the SHA family of algorithms (up to SHA512) as
> currently used in major LDAP implementations. The point is that since the
> salt is available attacks become all too possible once the structure of the
> resulting hash is understood. Even if the salt is saved in a separate DB
> field or even table you must ensure it is not exposed via sqli or anything
> of that nature.
The hashes used weren't intended to be HMACs, they were intended to
defeat rainbow tables and/or standard brute forcing against large hash
databases. Unix password fields traditionally included the salt as
the first two characters of the hashed password value.
Are you simply saying that this isn't an HMAC with a secret key? They
weren't intended to be...
--
Andy Steingruebl
steingra@xxxxxxxxx
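Added example, not code from this thread or either author: it builds the LDAP {SSHA} layout (SHA-1 over password plus salt, salt appended in the clear) to show that the salt is readable by design yet still breaks a precomputed table of unsalted digests, and contrasts it with an HMAC under a secret key, which is the thing Andy says these hashes were never meant to be. Format prefixes, salt lengths and the test values are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed example, not code from the thread. It uses the LDAP {SSHA}
# layout, base64(SHA-1(password || salt) || salt), where the salt sits in
# the clear next to the digest, much as Unix crypt(3) kept its two-character
# salt as the first characters of the password field.
PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output size; everything after it is the salt

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as a salted SHA-1; the salt is random per user."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode()

def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Recover (digest, salt) from a stored value. Anyone who can read the
    field gets the salt, so it is public by design and is not a key."""
    raw = base64.b64decode(stored[len(PREFIX):])
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]

def verify_ssha(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def lookup_in_unsalted_table(stored: str, table: Dict[bytes, str]) -> Optional[str]:
    """What the salt defends against: a table of precomputed plain SHA-1(password)
    values never matches a salted digest, so it would have to be rebuilt per salt."""
    digest, _ = split_ssha(stored)
    return table.get(digest)

def make_keyed(password: str, salt: bytes, key: bytes) -> str:
    """Contrast: HMAC over password||salt under a secret key (constructed prefix).
    Here the key must stay secret; the salt is still stored in the clear."""
    mac = hmac.new(key, password.encode() + salt, hashlib.sha256).digest()
    return "{HMAC-SHA256}" + base64.b64encode(mac + salt).decode()

def verify_keyed(password: str, stored: str, key: bytes) -> bool:
    """Without the key, a stored value cannot even be checked, let alone guessed."""
    raw = base64.b64decode(stored[len("{HMAC-SHA256}"):])
    mac, salt = raw[:32], raw[32:]
    expected = hmac.new(key, password.encode() + salt, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)
```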
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org