
Re: Hash salt (was Re: BCRYPT - Why not using it?)



Aaron Toponce:
> For example, say you have the hash 633427ee13ba83a92778c91a795d444564b9214c
> (which actually isn't the encoded format as shown in /etc/shadow, but it
> will illustrate the point). You don't know what salt was used to create
> that hash. It's 160 bits, so it could be SHA1. Assuming such, [...]

Of course, everything gets easier once you invoke Kerckhoffs's
principle. This will give you both the algorithm and the salt, as the
only thing secret should be the password. :) Seriously though, all of
this information is likely found in the documentation in this case, or
in worst case in the source code. (Or in the leaked implementation in
the proprietary scenario.)

> In this case, the password was 'foo' and the salt was 'salt':
>
> $ echo foosalt | sha1sum
> 633427ee13ba83a92778c91a795d444564b9214c  -

In this particular scheme, it appears ('foo','salt') has the same hash
as ('foosalt',''). In a serious application, hopefully the wheel
wouldn't be reinvented in this way, but some well-studied, thoroughly
scrutinized approach would be used. :) But as a toy example it works,
sure!

Take care,
Martin
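The ambiguity Martin points out, as an added example that is not part of the original thread: bare concatenation `SHA1(password || salt)` cannot tell ('foo','salt') from ('foosalt',''), whereas a length-prefixed encoding, HMAC with the salt as key, or a purpose-built password hash (PBKDF2 here) commits to the boundary. The length-prefixed construction is a hypothetical one written for this example, not a standard; note also that `echo` without `-n` appends a newline, so the digest quoted above is SHA-1 of `foosalt\n`, while the functions below hash the bare bytes.

```python
import hashlib
import hmac


def naive_salted_sha1(password: bytes, salt: bytes) -> str:
    """The scheme from the thread: SHA-1 over password||salt.

    The split point between the two fields is not part of the input,
    so different (password, salt) pairs can hash to the same digest.
    """
    return hashlib.sha1(password + salt).hexdigest()


def length_prefixed_sha1(password: bytes, salt: bytes) -> str:
    """Hypothetical fix: prefix each field with its 4-byte length so the
    digest commits to where the password ends and the salt begins."""
    def enc(field: bytes) -> bytes:
        return len(field).to_bytes(4, "big") + field
    return hashlib.sha1(enc(password) + enc(salt)).hexdigest()


def hmac_sha1(password: bytes, salt: bytes) -> str:
    """Keyed construction: salt as HMAC key, password as message.
    HMAC processes key and message through separate paths, so moving
    bytes from one to the other changes the result."""
    return hmac.new(salt, password, hashlib.sha1).hexdigest()


def pbkdf2(password: bytes, salt: bytes, iterations: int = 100_000) -> str:
    """A well-studied password hashing function (PBKDF2-HMAC-SHA256),
    the kind of 'scrutinized approach' a serious application should use."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


# Constructed test vectors: the two pairs from the thread whose
# concatenation is the same byte string b"foosalt".
PAIR_A = (b"foo", b"salt")
PAIR_B = (b"foosalt", b"")

SCHEMES = {
    "naive": naive_salted_sha1,
    "length_prefixed": length_prefixed_sha1,
    "hmac": hmac_sha1,
    "pbkdf2": pbkdf2,
}


def report() -> dict:
    """Map each scheme name to whether PAIR_A and PAIR_B collide under it."""
    return {name: fn(*PAIR_A) == fn(*PAIR_B) for name, fn in SCHEMES.items()}
```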

