Thread: How much salt and pepper

  1. #1
    Member
    Join Date
    Sep 2007
    Location
    Denmark
    Posts
    856
    Thanks
    45
    Thanked 104 Times in 82 Posts

    How much salt and pepper

    I was wondering if there is some kind of rule of thumb for the ratio, in bits, between the encryption key and the amount of salt to add to the password before generating the key.

    Let's say I'm making archives with 128-bit AES encryption. I'm using the same password on each archive; how much salt should the program add to my password?

  2. #2
    Administrator Shelwien
    Join Date
    May 2008
    Location
    Kharkov, Ukraine
    Posts
    3,134
    Thanks
    179
    Thanked 921 Times in 469 Posts
    Salt is used to avoid computation sharing for different passwords. So salt size depends on the number of passwords that could be simultaneously available to a hacker. That is, commonly even 12-16 bits would be enough.

  3. #3
    Member
    When we increase the bit length of the encryption key, we do it to make it take more tries to "guess" the right key.

    The same thing applies to salting and rainbow tables: by applying salt, the hacker needs to make more tries (build a bigger rainbow table).

    As performance increases, we advise using bigger and bigger keys, because it takes a shorter time to guess and we want to keep the same security (time of guessing).

    Since the same applies to generating a rainbow table, we should also get bigger and bigger salt, as it gets easier and faster to overcome the salting.

    I know I moved away from my first example, but somehow, over time, we need to increase encryption keys as well as salting.

    So what's a good rule of thumb to still have the same "level of security"?

    Today we use 128-bit -> 256-bit encryption and consider it safe, and if today we use 12 -> 16 bit salting,

    in 50 years we might be using 512-bit encryption keys. Shouldn't we as well increase the salt length?
    Last edited by SvenBent; 30th December 2008 at 18:41.

  4. #4
    Administrator Shelwien
    Salt doesn't directly affect the key enumeration speed when we're cracking a single case. But without salt, standard encryption algorithms allow for cracking of multiple cases in nearly the same time as for a single case. That's why salt is necessary. And salt length should be determined by a desired probability of salt coincidence, which depends on an estimated number of cases simultaneously available for cracking.

    As to RTs, the same thing also applies. In fact, I never heard of existing RTs even for DES password hashes, which only have 12 bits of salt.

  5. #5
    Member
    But if the salt is... let's say only 2 bits,

    then the hacker only needs to make a 4 times as big rainbow table to go from one hacked file to having access to all files (with the same password).

    With the non-salted encryption key I might look it up in my table of already hashed passwords and find the user password.

    If the salt is only 2 bits, the table would increase to 4 times the size, because I need one for every kind of salt combination.

    That way I need 4 times the resources.

    If the salt is 32 bits, I would need 4 million times the size of my table with passwords and hashes.
    Last edited by SvenBent; 31st December 2008 at 14:29.
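The two points argued in posts #4 and #5 can be made concrete: a per-archive salt stops the same password from yielding the same key (so no precomputation can be shared across archives), and the salt length follows from how many cases could be available at once and what probability of a salt coincidence one accepts. This is an added example, not code by any poster; PBKDF2-HMAC-SHA256 is assumed as the key derivation since the thread names no particular KDF.

```python
import hashlib
import math
import os

# Added example for this thread, not code from any poster.
# PBKDF2-HMAC-SHA256 is an assumption; the thread names no specific KDF.

def derive_archive_key(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Derive a 128-bit key (AES-128, as in the opening post) from password + salt."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=16)

def salt_collision_probability(salt_bits: int, cases: int) -> float:
    """Probability that at least two of `cases` uniformly random salts of
    `salt_bits` bits coincide (birthday problem). Exact product for small
    inputs, the usual 1 - exp(-n(n-1)/2N) approximation otherwise."""
    if cases < 2:
        return 0.0
    space = 2 ** salt_bits
    if cases > space:          # pigeonhole: a repeated salt is certain
        return 1.0
    if cases <= 2000:
        p_unique = 1.0
        for i in range(cases):
            p_unique *= (space - i) / space
        return 1.0 - p_unique
    return -math.expm1(-cases * (cases - 1) / (2 * space))

def min_salt_bits(cases: int, max_collision_probability: float) -> int:
    """Smallest salt length whose coincidence probability across `cases`
    archives stays at or below the requested bound (post #4's criterion)."""
    bits = 0
    while salt_collision_probability(bits, cases) > max_collision_probability:
        bits += 1
    return bits

def table_multiplier(salt_bits: int) -> int:
    """Growth factor of a precomputed table that must cover every salt value (post #5)."""
    return 2 ** salt_bits

if __name__ == "__main__":
    pw = b"same password on every archive"          # constructed sample password
    salt_a, salt_b = os.urandom(4), os.urandom(4)   # independent 32-bit salts
    print("archive A key:", derive_archive_key(pw, salt_a).hex())
    print("archive B key:", derive_archive_key(pw, salt_b).hex())
    for cases in (10, 1_000, 100_000):
        bits = min_salt_bits(cases, 1e-6)
        print(f"{cases} cases -> {bits}-bit salt for p <= 1e-6, table x{table_multiplier(bits)}")
```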
