Multiple Salt Hash Based Key Strengthening

A while back, my mind was wandering and an idea popped into my head for a secure login system that didn't need to use SSL. The idea I had was to hash the user's password client-side, send it to the server and hash it again. This way the password would not be sent along in plain text, and thus prone to interception. After researching the topic a bit, I know now that this idea is rendered useless by a rainbow table, and a salt would not be able to prevent this, as the salt would have to be stored client-side and thus it would be relatively simple for an attacker to find it out. While that idea was a failure, it did lead me to the idea of hashing a key multiple times for added security. I looked into this and found out that it is a practice which already exists, called Hash Based Key Strengthening. In the pseudo-code example they list in the article I linked above, they demonstrate key strengthening using a salt:
key = hash( password + salt )
for 1 to 65000 do
  key = hash( key + salt )
My question, I guess, is: rather than using just one salt, would using a table of salts make this more secure? It seems intuitive that it would be more secure, since even if an attacker were able to brute-force one of the salt values, there would still be a lot more that would also need to be guessed along with it. I mean, even if there were, say, 50 salt values, they could brute-force the first one correctly, but they wouldn't have any way to confirm that it was correct without also getting the other 49 correct along with it, right? For example:
n = 50                          // size of the salt table (e.g. the 50 salts mentioned above)
key = hash( password + salt[0] )
for i = 1 to 65000 do
  key = hash( key + salt[i mod n] )   // round i uses the i-th salt, wrapping around the table
Or would this simply be impractical from a memory usage standpoint?

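To put the question into running code, here is an editor's example (not part of the original post or of the article it refers to). It implements the post's single-salt loop and the proposed salt-table variant, then runs an offline guessing attack against each and counts hash invocations. Assumptions not in the post: SHA-256 stands in for the unspecified hash(), round i of the table variant uses salt[i mod n] since the post does not say how salts are picked, and the five-entry wordlist is constructed for the demonstration. The attacker is modelled realistically: salts are stored next to the hash, so whoever has the hash has the salts, and only the password is guessed. PBKDF2-HMAC-SHA256 is shown at the end as the standardised iterated, salted construction to use instead of a home-grown loop.

```python
import hashlib
import hmac
import os

ITERATIONS = 65000          # the iteration count in the post's pseudo-code

# Counter for the number of underlying hash invocations, so the cost of
# each construction can be measured rather than argued about.
_hash_calls = 0


def _h(data: bytes) -> bytes:
    """SHA-256 standing in for the unspecified hash() of the pseudo-code (assumption)."""
    global _hash_calls
    _hash_calls += 1
    return hashlib.sha256(data).digest()


def strengthen_single(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The post's first block: key = hash(password + salt), then
    key = hash(key + salt) repeated `iterations` times."""
    key = _h(password + salt)
    for _ in range(iterations):
        key = _h(key + salt)
    return key


def strengthen_table(password: bytes, salts: list, iterations: int = ITERATIONS) -> bytes:
    """The post's proposed variant with a table of salts. The post does not
    say how round i picks its salt; cycling with i mod len(salts) is assumed."""
    key = _h(password + salts[0])
    for i in range(1, iterations + 1):
        key = _h(key + salts[i % len(salts)])
    return key


# Constructed wordlist for the demonstration; "hunter2" is the stored password.
WORDLIST = [b"123456", b"password", b"letmein", b"hunter2", b"correct horse battery staple"]


def crack(record, wordlist, scheme, iterations):
    """Offline guessing by an attacker holding the stored record. The salt
    (or salt table) is stored beside the hash, so it is known, not guessed;
    the only unknown is the password. Returns (password or None, hash calls used)."""
    salt_data, target = record
    start = _hash_calls
    for guess in wordlist:
        if hmac.compare_digest(scheme(guess, salt_data, iterations), target):
            return guess, _hash_calls - start
    return None, _hash_calls - start


def pbkdf2_record(password: bytes, iterations: int = ITERATIONS, salt: bytes = None) -> tuple:
    """What to store instead: PBKDF2-HMAC-SHA256 (RFC 8018) with a random per-user salt.
    The record is (salt, iterations, derived key); none of it is secret."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, iterations, dk


def pbkdf2_verify(record: tuple, password: bytes) -> bool:
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, dk)   # constant-time comparison


if __name__ == "__main__":
    single_salt = os.urandom(16)
    salt_table = [os.urandom(16) for _ in range(50)]     # 50 salts, as in the post
    pw = b"hunter2"
    rec_single = (single_salt, strengthen_single(pw, single_salt))
    rec_table = (salt_table, strengthen_table(pw, salt_table))
    found1, cost1 = crack(rec_single, WORDLIST, strengthen_single, ITERATIONS)
    found2, cost2 = crack(rec_table, WORDLIST, strengthen_table, ITERATIONS)
    print(f"single salt:   found {found1!r} after {cost1} hash calls")
    print(f"50-salt table: found {found2!r} after {cost2} hash calls")
    print(f"extra storage for the table: {len(salt_table) * 16 - 16} bytes per user")
    rec = pbkdf2_record(pw)
    print("PBKDF2 verify correct:", pbkdf2_verify(rec, pw), "wrong:", pbkdf2_verify(rec, b"password"))
```

Running it shows the two schemes report the same hash-call count: each candidate password costs 65001 hashes under both, because the salts are part of the stored record and never need to be guessed. The table adds 49 extra salts of storage per user and nothing to the attacker's work. What does scale the attacker's cost is the iteration count (or moving to a memory-hard KDF), which is why the standard answer is PBKDF2 or a similar KDF with a single random per-user salt and a tuned iteration count.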