了解身份验证中盐的目的 [英] Understanding the purpose of a salt in authentication

问题描述

根据我的研究，盐的目的是打败彩虹桌的使用.这样做是因为只创建了彩虹表来查找唯一密码(不加盐)的哈希值.我在理解引入盐后如何不能使用彩虹表时遇到了冲突.假设我们有以下情形:

Based on my research the purpose of a salt is to defeat the use of a rainbow table. This is done because rainbow tables are only created to look up hashes of a sole password(without a salt). I am having a conflict understanding how we can't use rainbow tables in when salts are introduced. Suppose we have the following scenario:

我是一个恶意黑客，我想访问一个富人的银行帐户.我能够访问银行的数据库，该数据库具有salt和哈希字符串(在可见的情况下)，这是用户密码和salt(f(password + salt))的函数.盐是 fsd88 .接下来，我从网络上的一些黑客那里获得了一张彩虹桌.太好了，所以我都准备致富并搬到瑞士.

I am a malicious hacker and I want to gain access to a rich person's bank account. I am able to gain access to the bank's database which has the salt and the hashed string in plain sight, which is a function of the user's password and salt (f(password + salt)). The salt is fsd88. Next I get a rainbow table from some hacker on the web. Great, so I am all ready to become rich and move to Switzerland.

下一步，我将使用哈希字符串，然后在Rainbow表上查找(根据在线教程，这大约需要一个小时的时间).查找彩虹表，然后返回passwfsd88.因为我知道盐是fsd88.我现在知道密码是什么！是密码！

What I do next is I take the the hashed string and look it up on the rainbow table (according to a tutorial online this takes about an hour to do). The rainbow table look up then returns passwfsd88. Since I know the salt is fsd88. I now know what the password is! It's passw!

我的盐心理模型出了什么问题?感谢您的阅读.

What is wrong with my mental model of a salt? Thanks for reading.

推荐答案

在计算哈希值之前先添加盐:

The salt is added before the hash is calculated:

$password = 'secret';
$salt = 'kU832hNWQ2122093uiue';
$passwordHash = hash($password + $salt);

在此示例中，未计算密码'secret'的哈希，而是它是'secretkU832hNWQ2122093uiue'的哈希.没人会用这种密码创建一个RainbowTable，如果您找到一个预先计算的Rainbow表，它将包含'secret' 的哈希值.

In this example not the hash of password 'secret' was calculated, instead it is the hash of 'secretkU832hNWQ2122093uiue'. Nobody will ever create a rainbowtable with such passwords, if you find a precalculated rainbow-table it would contain the hash of 'secret'.

当然，您可以使用此盐建立带有可能密码列表的彩虹表(盐不是秘密)，但是如果每个密码都有其唯一的盐，那么您将必须为每个密码建立彩虹表分别地.这意味着，salt阻止使用单个彩虹表立即获取所有密码.

Of course you can build a rainbow-table with a list of possible passwords with this salt (the salt is not secret), but if each password got its unique salt, then you would have to build rainbow-tables for each password separately. That means, the salt prevents to use a single rainbow-table to get all passwords at once.

很高兴知道我现在很有钱，来自瑞士的问候:-)

Good to know that i'm rich now, regards from switzerland :-)

这篇关于了解身份验证中盐的目的的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！