Hashes, salt, and pepper

Conclusions

Hashing can organize data efficiently in memory because an access time of O(1) will, ideally, be possible. Hash functions are suitable for protecting passwords as soon as cryptographically secure hash processes with high collision resistance are used. However, an attacker can try to determine the original password from a hash value using rainbow tables. It only becomes an unrealistic amount of overhead when a salt is involved.

Infos

  1. RFC to MD5: https://tools.ietf.org/html/rfc1321
  2. How to Break MD5 and Other Hash Functions: http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf
  3. Collisions for Hash Functions: http://eprint.iacr.org/2004/199.pdf
  4. Evilize: http://www.mathstat.dal.ca/~selinger/md5collision/downloads/evilize-0.2.tar.gz
  5. A Note on the Practical Value of Single Hash Collisions for Special File Formats: http://csrc.nist.gov/groups/ST/hash/documents/Illies_NIST_05.pdf
  6. Creating a rogue CA certificate: http://www.win.tue.nl/hashclash/rogue-ca
  7. A Novel Time-Memory Trade-off Method for Password Recovery: http://dfrws.org/2009/proceedings/p114-thing.pdf
  8. Free rainbow tables: https://www.freerainbowtables.com/en/tables2
  9. Free XP rainbow tables: http://ophcrack.sourceforge.net/tables.php

The Author

Tobias Eggendorfer is a professor of IT security in Weingarten (Baden-Wuerttemberg, Germany). He also holds foundation lectures on theoretical computer science. He is also a freelance IT consultant and external data protection officer: http://www.eggendorfer.info.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Security Lessons: Password Storage

    High-performance graphics cards and proper storage can help keep your passwords secure.

  • Secure Online Passwords

    Securely storing passwords online can be a complex task. With a few tools, websites can offer better security, but users still need to choose their passwords wisely.

  • Security Lessons – Hash Maps

    What do all programs have in common? They store data at some point, usually in arrays – everything from commandline options to the input and output. But how is data actually stored by the program? Kurt explains.

  • Investigating Windows Systems

    A forensics expert explains how to extract interesting details from a confiscated Windows hard disk using standard Linux tools.

  • DM-Crypt

    If you’re serious about keeping secrets, try hard disk encryption with DM-Crypt and LUKS.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News