密码哈希的非随机盐 [英] Non-random salt for password hashes

问题描述

更新：我最近从了解到这个问题，在下面的整个讨论中，我（我相信别人做太）是一个有点混乱：我一直在呼唤一个彩虹表，其实所谓的哈希表。彩虹表是更复杂的生物，并且实际上海尔曼哈希链的变体。虽然我相信答案仍然是相同的（因为它并不归结为密码分析），有些讨论可能会有点歪斜。结果
问题：什么是彩虹表以及如何使用它们

UPDATE: I recently learned from this question that in the entire discussion below, I (and I am sure others did too) was a bit confusing: What I keep calling a rainbow table, is in fact called a hash table. Rainbow tables are more complex creatures, and are actually a variant of Hellman Hash Chains. Though I believe the answer is still the same (since it doesnt come down to cryptanalysis), some of the discussion might be a bit skewed.
The question: "What are rainbow tables and how are they used?"

通常，我总是建议使用加密的强随机值作为盐，用散列函数（例如口令），如防止彩虹表攻击中使用。

Typically, I always recommend using a cryptographically-strong random value as salt, to be used with hash functions (e.g. for passwords), such as to protect against Rainbow Table attacks.

但它实际上是加密必需的盐是随机的？是否有任何独特的价值（独特的每个用户，例如用户id）在这方面就足够了？这实际上将prevent使用单一的彩虹表破解系统中的所有（或大部分）的密码...结果
但熵缺乏真正削弱的散列函数的加密强度？

But is it actually cryptographically necessary for the salt to be random? Would any unique value (unique per user, e.g. userId) suffice in this regard? It would in fact prevent using a single Rainbow Table to crack all (or most) passwords in the system...
But does lack of entropy really weaken the cryptographic strength of the hash functions?

请注意，我不是问为什么要使用盐，如何保护它（它并不需要是），使用单个常量哈希值（不），或者用什么样的散列函数。结果
只是是否需要盐熵与否。

Note, I am not asking about why to use salt, how to protect it (it doesnt need to be), using a single constant hash (don't), or what kind of hash function to use.
Just whether salt needs entropy or not.

感谢所有的答案，到目前为止，但我想专注于我的领域（少许）不太熟悉。主要用于密码分析的意义 - 我最好的AP preciate最如果任何人有从加密的数学POV一些输入结果。
另外，如果有没有被认为是额外的载体，这就是大投入太多（见在多个系统上@戴夫Sherohman点）。结果
除此之外，如果您有任何理论，想法或最佳实践 - 请要么证明，攻击情形或经验证据支持这一行动。甚至可以接受的折衷考虑有效...我熟悉的关于这个问题的最佳实践（资本2资本P），我想证明什么价值这实际上提供了。

Thanks all for the answers so far, but I'd like to focus on the areas I'm (a little) less familiar with. Mainly implications for cryptanalysis - I'd appreciate most if anyone has some input from the crypto-mathematical PoV.
Also, if there are additional vectors that hadn't been considered, thats great input too (see @Dave Sherohman point on multiple systems).
Beyond that, if you have any theory, idea or best practice - please back this up either with proof, attack scenario, or empirical evidence. Or even valid considerations for acceptable trade-offs... I'm familiar with Best Practice (capital B capital P) on the subject, I'd like to prove what value this actually provides.

编辑：这里一些很好的答案，但我觉得作为@戴夫说，它归结为彩虹表共同的用户名...并可能不太常见的名字了。但是，如果我的用户名是全球唯一的？不一定是唯一我的系统，但每个每个用户 - 例如电子邮件地址。结果
就没有动力去建立一个单一的用户RT（@戴夫作为强调，盐不保密），而这将仍然prevent集群。唯一的问题是，我可能有不同的站点相同的电子邮件和密码 - 但盐难道不prevent那反正结果。
因此，它回来到密码分析 - 是熵必要，还是不要？ （我现在的想法是这不是从一个密码分析角度必要的，但它是从其他实际原因。）

Some really good answers here, but I think as @Dave says, it comes down to Rainbow Tables for common user names... and possible less common names too. However, what if my usernames are globally unique? Not necessarily unique for my system, but per each user - e.g. email address.
There would be no incentive to build a RT for a single user (as @Dave emphasized, the salt is not kept secret), and this would still prevent clustering. Only issue would be that I might have the same email and password on a different site - but salt wouldnt prevent that anyway.
So, it comes back down to cryptanalysis - IS the entropy necessary, or not? (My current thinking is it's not necessary from a cryptanalysis point of view, but it is from other practical reasons.)

推荐答案

盐是传统上存储为preFIX的哈希密码。这已经使得它已知的任何攻击者访问密码哈希。使用用户名作为盐或不不影响该知识，因此，它必须在单系统的安全性没有影响

Salt is traditionally stored as a prefix to the hashed password. This already makes it known to any attacker with access to the password hash. Using the username as salt or not does not affect that knowledge and, therefore, it would have no effect on single-system security.

然而，使用用户名或任何其它用户控制的价值盐会降低跨系统的安全性，因为谁对它们使用相同的密码散列算法最终会得到相同的多个系统的用户名和密码的用户每个这些系统的密码哈希。我不认为这是一个显著的责任，因为我作为一个攻击者，首先会尝试危及帐户的其他手段之前尝试的一个目标帐户被知道在其他系统上使用的密码。相同的哈希值只会提前告诉我，已知的密码会的工作，他们不会做出实际的攻击变得更容易。 （但是请注意，该帐户数据库的快速比较将提供的高优先级目标的列表，因为它会告诉我谁是谁不是重复使用的密码。）

However, using the username or any other user-controlled value as salt would reduce cross-system security, as a user who had the same username and password on multiple systems which use the same password hashing algorithm would end up with the same password hash on each of those systems. I do not consider this a significant liability because I, as an attacker, would try passwords that a target account is known to have used on other systems first before attempting any other means of compromising the account. Identical hashes would only tell me in advance that the known password would work, they would not make the actual attack any easier. (Note, though, that a quick comparison of the account databases would provide a list of higher-priority targets, since it would tell me who is and who isn't reusing passwords.)

从这个想法的更大的危险在于，用户名，通常重复使用 - 只要你愿意去参观将有一个名为戴夫的用户帐户，例如任何网站，管理员或根是更为普遍 - 这将使针对这些常见的名字用户更容易，更有效的彩虹表的建设。

The greater danger from this idea is that usernames are commonly reused - just about any site you care to visit will have a user account named "Dave", for example, and "admin" or "root" are even more common - which would make construction of rainbow tables targeting users with those common names much easier and more effective.

这两个缺陷可以通过添加第二个盐值（固定和隐藏或暴露像标准的盐）散列之前将其密码得到有效解决，但是，在这一点上，你可能也只是使用标准熵无论如何盐，而不是工作的用户名进去。

Both of these flaws could be effectively addressed by adding a second salt value (either fixed and hidden or exposed like standard salt) to the password before hashing it, but, at that point, you may as well just be using standard entropic salt anyhow instead of working the username into it.

编辑补充：很多人都在谈论熵和熵是否盐是很重要的。它是，但不是大多数它的意见似乎认为的原因。

Edited to Add: A lot of people are talking about entropy and whether entropy in salt is important. It is, but not for the reason most of the comments on it seem to think.

的一般想法似乎是，熵很重要，这样的盐将是困难的，攻击者去猜测。这是不正确的，事实上，完全不相关的。正如不同的人已经指出几次，将由盐影响的攻击只能被人用密码数据库，并有人用密码数据库所做的只需看看，看看每个帐户的盐是什么。无论是猜测与否无关紧要，你可以平凡查找。

The general thought seems to be that entropy is important so that the salt will be difficult for an attacker to guess. This is incorrect and, in fact, completely irrelevant. As has been pointed out a few times by various people, attacks which will be affected by salt can only be made by someone with the password database and someone with the password database can just look to see what each account's salt is. Whether it's guessable or not doesn't matter when you can trivially look it up.

之所以熵重要的是要避免盐值的聚类。如果盐基于用户名，你知道，大多数系统将命名为根或admin的帐户，那么你可以做一个彩虹表为这两个盐，它会开裂大多数系统。如果，另一方面，使用随机的16位盐和随机值有大约均匀分布，那么你需要一个彩虹表的所有2 ^ 16个可能的盐。

The reason that entropy is important is to avoid clustering of salt values. If the salt is based on username and you know that most systems will have an account named either "root" or "admin", then you can make a rainbow table for those two salts and it will crack most systems. If, on the other hand, a random 16-bit salt is used and the random values have roughly even distribution, then you need a rainbow table for all 2^16 possible salts.

这不是$ P $从知道个人账户的盐是什么，它​​是关于不给他们将会对潜在的目标有相当比例使用单一盐的大，脂肪目标pventing攻击者。

It's not about preventing the attacker from knowing what an individual account's salt is, it's about not giving them the big, fat target of a single salt that will be used on a substantial proportion of potential targets.

这篇关于密码哈希的非随机盐的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！