in reply to How to use salt with CGI::Application::Plugin::Authentication

Here’s my understanding of the purpose of “salting.” The secret consists of three things:

  1. A fixed but unpredictable (and unknown) string which is a secret that can only be obtained by hacking into the source code of the system.
  2. A randomly generated string which is “the actual session key.”
  3. A third piece of pure-entropy, the “salt,” which is provided openly, and which may as well be without any concealment at all.

If the token that you have in your hands was formed only from the first two things, then there would be a one-to-one correspondence (details unknown to you, perhaps, but nonetheless one-to-one) between that token and the secret which it conceals. If you could accumulate a few hundred million messages (not an unreasonable proposition), you might be able to divine the secret. But if the secrets are “salted” using a number that also has a few hundred million possibilities, you might never wind up with the exact same token value twice, even though every one of them conceals the same secret. You have just tossed a huge amount of entropy into what would otherwise be a deterministic (although convoluted...) calculation.

But you do have to use the idea of salt in the right way. If the salt value is stored, all you’ve really done is to make the effective-password 32 bits longer. You haven’t actually “salted” anything.

Re^2: How to use salt with CGI::Application::Plugin::Authentication
by Argel (Prior) on May 11, 2011 at 19:17 UTC
    Different passwords can result in the same MD5 hash. The purpose of the salt is to prevent users from abusing this (i.e. logging in with a different password that happens to hash to the same value). Which means the user should not know what the salt is since that makes the salt pointless. Your notion about what the salt is above (#3) is wrong. Agree with scorpio17 that normally the salt and the encrypted password are stored together. Would be interested in knowing the reason why they are separated.

    Elda Taluta; Sarks Sark; Ark Arks

      Please see my response to Scorpio17.

      The separate salt is mostly for Admin use. It will make sure that there is not any repeated use of the same salt string.
Re^2: How to use salt with CGI::Application::Plugin::Authentication
by Anonymous Monk on May 11, 2011 at 23:33 UTC
    I was hoping to have a salt made of a *specified number* for each account. The security would be in the placement, amount/type of encryption, etc.

    If the salt is random and changing, how can the hash be verified?