Friday, September 11, 2015

Why should we always store salts with hashed values of passwords ?

We simply cannot store a password as it is, because that is unsafe.  If we do so, an attacker who somehow has broken into the system can access all the passwords stored in the system. So, instead, we use a cryptographic hash function to create a digest of passwords and then store it. So, even if an attacker breaks into the system, he can access the digest of passwords, not the actual ones. 

What is a cryptographic hash function ?

A cryptographic hash function is a function that takes a message as input and converts it into a digest such that:
  • It is easy to compute the digest from the original message
  • It is extremely difficult to compute the original message from the hashed message digest.
  • It is infeasible to modify a message without changing the resultant hash.
  • It is infeasible to find two message with same hashed message digest.

While no ideal hash function exists, there are quite a number of cryptographic hash functions that is good enough to solve our purpose. Some widely used well-known cryptographic hash functions are:
  • Hashed Message Authentication Code or HMAC
  • Message Digest 2 or MD2
  • Message Digest 4 or MD4
  • Message Digest 5 or MD5
  • Secure Hash Algorithm or SHA

We use these cryptographic hash functions in many places, one of the most common example is storing password. If passwords were not hashed and stored as simple texts in the server, then the passwords would have got easily compromised if someone hacks the server.

What is Rainbow Table and how is it used in hacking ?

Given the widely used well-known cryptographic hash functions, it is infeasible to compute the original message back from the hashed message digest. So, hackers sometimes use a brute force method for hacking passwords. They maintain a table in their computers which contains pair of message and its corresponding digest. Say, for upto 5 characters, they can easily compute all the possible messages and its corresponding hashed digest. They call this table 'Rainbow Table'.

When the hackers hack a server or somehow gets access to the hashed digest of passwords for example, they simply look into the digest of certain message and match it with that of one stored in the rainbow table. If it matches, then from the table itself they will come to know what the original message is.

How to prevent hacking passwords using Rainbow Table ?

We can use salt to prevent hacking passwords using Rainbow Table.

What is salt?

We can add a number of extra characters at the end of the original message and then store the hashed value. These few extra characters will change the hashed value of the message completely, and make the hackers difficult to hack the message. It is easy to construct rainbow tables upto certain characters only. These extra characters stored at the end of message are called 'salt'.

Do we use the same salt for all the passwords stored in the server?

No. If we do so, hackers may make another rainbow table for salt and hack the salt and then the passwords. Instead, we use different random salt for different users, so that it would be very difficult for hackers to hack the salt and then the password.

So, this is a very simple article about hacking and cryptographic hash functions. Do return back, if you want to read more!

No comments:

Post a Comment