盐的目的是什么? [英] What is the purpose of salt?
问题描述
在Linux系统中,密码是使用MD5哈希存储的.为什么使用盐"可以更多地保护系统?特别是,我想说明以下两个
In a Linux system, passwords are stored using an MD5 hash. Why can the usage of "salt" protect the system more? Particularly, I want to make clear the following two
- 据说盐被储存在
用哈希清除文本,然后如何
它可以防止攻击者在
攻击者知道盐值.
(攻击者可以是系统
管理员本人可以检查
/etc/shadow. - 如果盐是随机产生的 每次,系统如何 比较散列以验证 用户?
- The salt is said to be stored in
clear text with the hash, then how
it can prevent the attacker when the
attacker knows the salt value.
(Attacker can be the system
administrator himself who can check
/etc/shadow. - If the salt is generated randomly everytime, how can the system compare the hash to authenticate the user?
例如,用户A拥有用户salt s1并生成h1; h1 = md5(password.s1);.
下次,它使用salt s2,并且系统必须生成不同的哈希值h2 = md5(password.s2).由于h1不等于h2,系统如何验证用户身份?
For example, User A has user salt s1 and generate h1; h1 = md5(password.s1);.
The next time, it uses salt s2 and the system must generate a different hash, h2 = md5(password.s2). Since h1 is not equal to h2, how can the system authenticate the user?
推荐答案
MD5是您所知道的哈希,因此,如果您给它一个输入(如"PASSWORD"),则会得到唯一的(希望-但是MD5会与这些碰撞天)输出,例如"3DE2AF ...".
MD5 is a hash as you know, so if you give it an input, like 'PASSWORD', you get a unique (hopefully - however MD5 has collisions these days) output, like '3DE2AF...'.
现在,正如您所知,很难直接将其反转,直到有人想到...等等,为什么我不预生成所有可能的可哈希值组合,直到可以反转哈希值.这称为彩虹表.
Now, as you know, it's quite hard to directly reverse that, until somebody thought... wait, why don't I pre-generate all the possible combinations of hashable values until I can reverse the hash. This is called a rainbow table.
加盐的目的是将任意随机数据添加到要进行哈希处理的字符串中,从而增加哈希输入的长度.这意味着希望仅将密码输入反向转换为哈希的常规彩虹表将无法正常工作.当然,彩虹表只是反向查找,您可以简单地生成一个彩虹表来补偿所有可能的密码+盐输出.这就是长度增加的原因.由于具有反向散列的性质,因此在很长的哈希输入中生成反向的磁盘空间很快变得不可行. 6到8个字符的字母数字彩虹表已经是几GB.增加长度和字符类,然后开始以10GB的倍数进行通话.
The purpose of a salt is to add arbitrary random data to the string being hashed, such that you increase the length of input to hash. This means general rainbow tables that expect to reverse just a password input to a hash won't work. Of course, rainbow tables being just reverse lookups, you could simply generate a rainbow table to compensate for all the possible password+salt outputs. This is where the increase in length comes into its own; because of the nature of reversing hashes, the disk space to generate reverses for very long hash inputs soon becomes infeasible. Alphanumeric rainbow tables for 6-8 characters are already a couple of Gigabytes; increase the length and character classes and you start to talk in multiples of 10GB.
当然,如果您要对"PASSWORD"加盐,并且对"PASSWORD"进行散列,那么就对"PASSWORDPASSWORD"进行散列,这并没有那么安全,因此盐的选择也很重要.理想情况下,您应该对每个散列字符串使用随机盐,但是,当然,您需要知道它是什么.一种常见的技术是从用户名或这种情况下独有的其他属性派生出salt.添加任意数据本身就没有用;现在,拥有用户确定的盐数据会增加额外的复杂性,这意味着需要彩虹表才能对每个用户进行专门搜索.您越难以解决,就需要更多的计算能力.那是战斗所在.
Of course, if you're salting with 'PASSWORD' and you hash 'PASSWORD' you're hashing 'PASSWORDPASSWORD' which isn't that much more secure, so the choice of salt is important too. Ideally, you should use a random salt with each hashed string, but of course, you need to know what it is. A common technique is to derive a salt from the username or some other property unique to this case. Adding arbitrary data isn't in itself useful; having user-determined salt data now adds an additional level of complexity, meaning rainbow tables are needed with specialised searches for each user. The more you make this difficult, the more computational power is needed. That's where the battle is.
但是,有一些现代技术.我不是专家,所以我不能告诉您这些工具的安全性,但是值得一提.这个概念是慢散列.基本上,通过复合哈希函数,您需要花费一些时间来计算每个哈希.这样,每个用户检查密码的能力现在为您要检查的每个密码增加了固定的时间量.如果您是蛮横的,那就是坏消息(tm).同样,如果系统设计良好,如果没有快捷方式(可能等同于弱点),则为慢速哈希函数生成彩虹表也将花费一些时间.
However, there are some modern techniques. I am not an expert, so I can't tell you how secure these are, but they are worth a mention. The concept is slow hashing. Basically, through compound hash functions you make it take a while to compute each hash. As such, the ability for each user to check the password now has a constant amount of time added for each password you wish to check. If you're bruteforcing, that is Bad News(tm). Similarly, if the system is well designed, if there are no shortcuts (which probably equate to weaknesses) then generating a rainbow table for a slow hash function should also take a while.
编辑更多详细信息.有关第一个示例,请参见 crypt() . @CodeInChaos 引用了 PKCS#5 的一部分一个>.较新的开发是 scrypt .
Edit more detail here. See crypt() for the first example of this. @CodeInChaos has referenced PBKDF2 which forms part of PKCS#5. A newer development is scrypt.
正如我所说,我不是密码专家.在后一个示例中,我对它的适用性没有特别的专业知识,我只是向您展示事情的发展方向.
As I say, I'm not an expert cryptanalyst. On the latter example, I have no particular specialist knowledge as to its suitability, I'm merely showing you where things are headed.
编辑2 阐明了我对盐的描述-我想我以前是在磁盘空间的关键问题上跳舞的.
Edit 2 Clarified my write up of salt - I think I danced around the key issue of disk space before.
这篇关于盐的目的是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
