如何在分布式环境中储存盐 [英] How store salt in distributed environment

问题描述

我不知道如何在我的场景中使用盐概念。

I dont know how to use the "salt concept" in my scenario.

假设我有一个客户端桌面应用程序加密特定用户的数据并将其发送到一个远程服务器。客户端应用程序使用PKCS＃5生成一个带有用户密码和SALT密钥的密钥。远程桌面不能与用户的密码联系。

Suppose I have a client desktop application that encrypts data for specific users and send it to a remote server. The client application generate a key with PKCS#5, with the user's password and a SALT. The remote desktop must NEVER be in contact with the user's password.

假设我们为加密生成随机盐。客户端应用程序可以加密数据，并将其发送到远程服务器。如果用户尝试在另一台计算机上访问他的数据，那么如何解密它，因为盐是未知的？

Suppose we generate a random salt for an encryption. The client application can encrypt the data, and sent it to the remote server. If the user try to access his data on another computer, how will it be able to decrypt it since the salt is unknown?

我认为使用相同的盐时间（在应用程序中硬编码）不是一个好主意（安全性通过混淆是坏的）。

I think that using the same salt all the time (hardcoded in the application) is not a good idea (security by obfuscation is bad).

我如何解决我的问题？

推荐答案

盐与加密数据一起存储。

The salt is stored unencrypted along with the encrypted data.

盐的目的是防止攻击者预先计算加密密码字典。 （如，攻击者花费一年或任何语言生成每个单词的加密形式）。

The purpose of a salt is to prevent an attacker from precomputing a dictionary of encrypted passwords. (As in, the attacker spends a year or whatever generating the encrypted form of every word in every language.)

盐的另一个目的是确保两个即使他们的未加密密码相同，用户也会有不同的加密密码。

The other purpose of a salt is to make sure that two users will have different encrypted passwords even if their unencrypted passwords are the same.

目的不要求盐保密。

[更新，详细说明]

[update, to elaborate]

请参阅盐（密码学）的维基百科条目。特别是，请阅读介绍性段落。

See the Wikipedia entry for Salt (cryptography). In particular, read the introductory paragraphs.

盐的目的是采取非随机输入（例如，用户提供的数据），并在传递之前使其随机它通过加密功能。为了使这个工作，盐必须为每个输入随机生成。

The purpose of a salt is to take a non-random input (e.g., user-provided data) and make it random before passing it through a cryptographic function. For this to work, the salt must be randomly generated for each input.

传统的例子是存储加密的密码。大多数用户可靠地选择非随机密码，所以没有盐，所有选择SEKRIT作为密码的人都将在密码DB中使用相同的加密密码。解决方案是在加密密码之前添加一个随机盐，然后将其加密密码（以明文形式）。

The traditional example is storing encrypted passwords. Most users reliably choose non-random passwords, so without a salt, everyone who chooses "SEKRIT" as a password will wind up with the same encrypted password in the password DB. The solution is to add a random salt before encrypting the password, and then to store it (in plaintext) along with the encrypted password.

这篇关于如何在分布式环境中储存盐的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！