
Changes between Initial Version and Version 1 of Ticket #16285, comment 2


Timestamp: 06/23/11 20:59:59 (3 years ago)
Author: PaulM
  • Ticket #16285, comment 2

Initial version vs. v1 (unmodified paragraphs are shown once; the modified paragraph is shown in both versions):

Unmodified:
The "salt" here is going into a pre-seed for the salted-hmac module. That module already has other key material (the secret key) to prevent an attacker from forging the signature. Generally, salt is used to prevent pre-computed lookup table attacks, and is stored alongside the hashed material (and the plaintext is not stored at all). Salt is not meant to be kept more secret than the resulting hash.

Modified (initial version):
In the signing module, we're using it differently. Since we expect the plaintext to be known to the attacker (this is why we're signing it, after all, to prove to ourselves that it hasn't been tampered with), using a salt to prevent rainbow-table-type attacks is pointless. We don't care that the attacker knows which plaintext hashes to which signature, since we provide both of those. What we do care about is that the secret key stay secret, since that's what prevents the attacker from generating their own signatures. Adding a salt doesn't change this property, since the attacker still has everything necessary to produce a signature except the secret key.

Modified (v1):
In the signing module, we're using it differently. Since we expect the plaintext to be known to the attacker (this is why we're signing it, after all, to prove to ourselves that it hasn't been tampered with), using a salt to prevent rainbow-table-type attacks is pointless. We don't care that the attacker knows which plaintext hashes to which signature, since we provide both of those. What we do care about is that the secret key stay secret, since that's what prevents the attacker from generating their own signatures. Adding a salt doesn't change this property, since the attacker still has everything necessary to produce a signature except the secret key. Adding a salt produces a varying signature for the same input value, but this doesn't gain us any security, since all the previous salted signatures are also still valid, and the attacker knows the plaintext.

Unmodified:
Using a random salt in this field makes your application less secure than using a single string for namespacing, since it allows a user to transfer a signature from one area of your program to another.
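An added example (not from the ticket and not Django's own code) illustrating the comment's point: a fixed per-purpose salt scopes a signature to one area of the application, while a random salt has to travel inside the token, so a token minted for one purpose verifies in every other area and every earlier salted token for the same value stays valid. The key derivation, token layout, the `app.password-reset` / `app.session` namespaces and the secret value are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the example; a real app uses its server-side secret key.
SECRET_KEY = b"constructed-secret-key-not-a-real-one"

def salted_hmac(key_salt: str, value: str, secret: bytes = SECRET_KEY) -> str:
    # Derive a purpose-specific key from (salt, secret) and MAC the value with it.
    # Loosely modelled on the salted_hmac pattern; SHA-256 is this example's choice.
    key = hashlib.sha256(key_salt.encode() + secret).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def sign(value: str, namespace: str) -> str:
    # Fixed salt = namespace. The verifier supplies it, so it never travels in the token.
    return f"{value}:{salted_hmac(namespace, value)}"

def unsign(signed: str, namespace: str) -> str:
    value, _, sig = signed.rpartition(":")
    if not hmac.compare_digest(sig, salted_hmac(namespace, value)):
        raise ValueError(f"bad signature for namespace {namespace!r}")
    return value

def sign_random_salt(value: str) -> str:
    # A random salt must be shipped inside the token, or nothing could verify it.
    salt = secrets.token_hex(8)
    return f"{value}:{salt}:{salted_hmac(salt, value)}"

def unsign_random_salt(signed: str) -> str:
    value, salt, sig = signed.rsplit(":", 2)
    if not hmac.compare_digest(sig, salted_hmac(salt, value)):
        raise ValueError("bad signature")
    return value  # no namespace is checked, so every area of the app accepts it

def demo() -> dict:
    reset_token = sign("user=42", "app.password-reset")
    try:  # a token minted for password reset is rejected by the session area
        unsign(reset_token, "app.session")
        transferable = True
    except ValueError:
        transferable = False
    # Random salts give different tokens for the same value; all stay valid anywhere.
    t1, t2 = sign_random_salt("user=42"), sign_random_salt("user=42")
    return {
        "namespaced_verifies": unsign(reset_token, "app.password-reset") == "user=42",
        "namespaced_transferable": transferable,
        "random_salt_tokens_differ": t1 != t2,
        "random_salt_all_valid": all(unsign_random_salt(t) == "user=42" for t in (t1, t2)),
    }
```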