CandleJack

Multiple Salt Hash Based Key Strengthening

CandleJack    234
A while back, my mind was wandering and an idea popped into my head for a secure login system that didn't need to use SSL. The idea I had was to hash the user's password client-side, send it to the server and hash it again. This way the password would not be sent along in plain text, and thus prone to interception.

After researching the topic a bit, I know now that this idea is rendered useless by a rainbow table, and a salt would not be able to prevent this as the salt would have to be stored client-side and thus it would be relatively simple for an attacker to find it out.

While that idea was a failure, it did lead me to the idea of hashing a key multiple times for added security. I looked into this and found out that it is a practice which is already in existence, called Hash Based Key Strengthening. In the pseudo-code example they list in the article I linked above, they demonstrate key strengthening using a salt:
key = hash( password + salt )
for 1 to 65000 do
  key = hash( key + salt )
My question, I guess, is: rather than using just one salt, would using a table of salts make this more secure? It seems intuitive that it would be more secure, since even if an attacker was able to brute force one of the salt values, there would still be a lot more that would also need to be guessed along with it. I mean, even if there were, say, 50 salt values, they could brute force the first one correctly, but they wouldn't have any way to confirm that it was correct without also getting the other 49 correct along with it, right? For example:
key = hash( password + salt[0] )
for i = 1 to 65000 do
  key = hash( key + salt[i] )
Or would this simply be impractical from a memory usage standpoint?
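
The two loops from the post, side by side, as an added example that is not part of the original post or the linked article. It assumes SHA-256, 16-byte random salts and a hypothetical record layout (the names strengthen, enroll, verify and compare are illustrative). The server has to store every salt to recompute the key at login, so the record holds the whole table next to the key, and a password check costs the same number of hash calls in both schemes; what changes is the storage per user.

```python
import hashlib
import hmac
import os

ROUNDS = 65000   # loop count from the post's pseudocode
SALT_LEN = 16    # assumed salt size in bytes

def strengthen(password: bytes, salts: list, rounds: int = ROUNDS) -> tuple:
    """Run the post's loop. `salts` holds 1 entry (first scheme) or
    rounds + 1 entries (salt-table scheme). Returns (key, hash calls made)."""
    key = hashlib.sha256(password + salts[0]).digest()
    calls = 1
    for i in range(1, rounds + 1):
        # With one salt this always picks salts[0]; with a full table, salts[i].
        key = hashlib.sha256(key + salts[i % len(salts)]).digest()
        calls += 1
    return key, calls

def enroll(password: bytes, n_salts: int, rounds: int = ROUNDS) -> dict:
    """Build the record the server must keep in order to check later logins."""
    salts = [os.urandom(SALT_LEN) for _ in range(n_salts)]
    key, _ = strengthen(password, salts, rounds)
    return {"salts": salts, "rounds": rounds, "key": key}

def verify(password: bytes, record: dict) -> bool:
    """Recompute the key from the stored salts and compare in constant time."""
    key, _ = strengthen(password, record["salts"], record["rounds"])
    return hmac.compare_digest(key, record["key"])

def compare(rounds: int = ROUNDS) -> dict:
    """Hash calls per password check and stored salt bytes for each scheme."""
    out = {}
    for name, n_salts in (("single", 1), ("table", rounds + 1)):
        record = enroll(b"constructed sample password", n_salts, rounds)
        _, calls = strengthen(b"any candidate", record["salts"], rounds)
        salt_bytes = sum(len(s) for s in record["salts"])
        out[name] = {"hash_calls": calls, "salt_bytes": salt_bytes}
    return out

if __name__ == "__main__":
    print(compare())
    # Standard-library KDF with one salt and an iteration count, for comparison.
    salt = os.urandom(SALT_LEN)
    print(hashlib.pbkdf2_hmac("sha256", b"constructed sample password", salt, ROUNDS).hex())
```

At 65000 rounds the table variant stores 65001 salts of 16 bytes, about 1 MB per account, for the same per-check work as the single-salt loop.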
