Salt Generation和开源软件 [英] Salt Generation and open source software
问题描述
我是我们计划将其作为开放源代码开发的项目,但问题在于源头是产生盐的秘密公式,因此能够在我们的网站上运行彩虹表攻击。
我认为很多人在我面前考虑过这个问题,我想知道最好的做法是什么。在我看来,如果代码是开放源码,根本就没有任何一点,因为盐可以很容易地反向设计。
想法? >
真正的盐只需要对每个条目都是唯一的。即使攻击者可以计算出盐是什么,这使得彩虹表难以创建。这是因为盐被加密到密码之前它被散列,所以它有效地添加到彩虹表必须包含的条目的总数,以具有密码字段的所有可能的值的列表。
As I understand it, the best practice for generating salts is to use some cryptic formula (or even magic constant) stored in your source code.
I'm working on a project that we plan on releasing as open source, but the problem is that with the source comes the secret formula for generating salts, and therefore the ability to run rainbow table attacks on our site.
I figure that lots of people have contemplated this problem before me, and I'm wondering what the best practice is. It seems to me that there is no point having a salt at all if the code is open source, because salts can be easily reverse-engineered.
Thoughts?
Really salts just need to be unique for each entry. Even if the attacker can calculate what the salt is, it makes the rainbow table extremely difficult to create. This is because the salt is added to the password before it is hashed, so it effectively adds to the total number of entries the rainbow table must contain to have a list of all possible values for a password field.
这篇关于Salt Generation和开源软件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
