Salted hash tables defeat Rainbow Tables

Rainbow tables are an attack that identifies messages, usually key material, from their hashes. In the long term, rainbow tables break hashes by destroying their efficacy.

At this time [Jan 2014], most people regard MD5 as broken, and Microsoft is moving to update usage practices from (unbroken) SHA1 to newer algorithms in 2015.

It is best practice to store hash values, instead of passwords, in authentication databases. Currently, Target Corp. is in the news as an example of the problems that derive from such a breach of security. The data lost is not the same as the derived password list. It is more serious.

A simple expedient to extend the life of a given hash is to salt it in the implementation when keeping a table of hashes in a database.

For example, take a proprietary salt value and concatenate it to the password, and to each subsequent result, during repeated hashing. Another way would be to XOR the salt with the value under repeated hashing.

Consider the problem from the perspective of an attacker using a pre-computed hash table. Against salted hashes, the attacker deterministically produces an incorrect password. But if the salt is selected from a reasonably large key-space, it is computationally expensive to build a suitable substitute, and the resulting table(s) would be useful only against that particular database, so diversity of use would discourage individual efforts.
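The concatenation scheme and the table argument above, as an added example that is not code from the original post. It assumes SHA-256, 1000 rounds and 16-byte salts; the function names are hypothetical. A plain lookup dictionary stands in for a rainbow table, and a failed lookup is reported as `None`.

```python
import hashlib
import secrets

ROUNDS = 1000  # assumed iteration count, chosen for the example


def salted_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> str:
    """Repeated hashing with the salt concatenated to the password and to
    every subsequent intermediate result."""
    value = password.encode("utf-8")
    for _ in range(rounds):
        value = hashlib.sha256(salt + value).digest()
    return value.hex()


def build_table(candidates, salt: bytes = b"") -> dict:
    """Precompute hash -> password for one salt (empty salt = unsalted)."""
    return {salted_hash(p, salt): p for p in candidates}


def lookup(table: dict, stored_hash: str):
    """Return the password the table maps this hash to, or None on a miss."""
    return table.get(stored_hash)


if __name__ == "__main__":
    # Constructed sample data: a candidate list and two databases' salts.
    candidates = ["123456", "password", "letmein", "qwerty"]
    salt_a = secrets.token_bytes(16)  # database A, drawn from a 128-bit space
    salt_b = secrets.token_bytes(16)  # database B
    stored_a = salted_hash("letmein", salt_a)
    stored_b = salted_hash("letmein", salt_b)

    generic = build_table(candidates)        # built once, without any salt
    for_a = build_table(candidates, salt_a)  # rebuilt for database A only

    print("generic table vs A:   ", lookup(generic, stored_a))
    print("A-specific table vs A:", lookup(for_a, stored_a))
    print("A-specific table vs B:", lookup(for_a, stored_b))
```

The table built for database A resolves A's entry but misses the same password stored under B's salt, which is the per-database cost the paragraph above describes.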

About James Johnson

I am an amateur mathematician & political theorist who enjoys (occasionally cerebral) humor.