How does password salt help against a rainbow table attack?

10/14 11:41

Question:

I'm having some trouble understanding the purpose of a salt to a password. It's my understanding that the primary use is to hamper a rainbow table attack. However, the methods I've seen to implement this don't seem to really make the problem harder.

I've seen many tutorials suggesting that the salt be used as the following:

$hash =  md5($salt.$password)

The reasoning being that the hash now maps not to the original password, but a combination of the password and the salt. But say $salt=foo and $password=bar and $hash=3858f62230ac3c915f300c664312c63f. Now somebody with a rainbow table could reverse the hash and come up with the input "foobar". They could then try all combinations of passwords (f, fo, foo, ... oobar, obar, bar, ar, ar). It might take a few more milliseconds to get the password, but not much else.

The other use I've seen is on my Linux system. In the /etc/shadow the hashed passwords are actually stored with the salt. For example, a salt of "foo" and password of "bar" would hash to this: $1$foo$te5SBM.7C25fFDu6bIRbX1. If a hacker somehow were able to get his hands on this file, I don't see what purpose the salt serves, since the reverse hash of te5SBM.7C25fFDu6bIRbX is known to contain "foo".

Thanks for any light anybody can shed on this.

EDIT: Thanks for the help. To summarize what I understand, the salt makes the hashed password more complex, thus making it much less likely to exist in a precomputed rainbow table. What I misunderstood before was that I was assuming a rainbow table existed for ALL hashes.


Solution:

Reference 1: https://en.stackoom.com/question/1lTn
Reference 2: https://stackoom.com/question/1lTn
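
The point reached in the question's EDIT can be checked directly. The following is an added example, not part of the original post: it compares a precomputed table against unsalted and per-user salted hashes. It assumes a plain dictionary as a stand-in for a rainbow table (both are precomputed once and reused), a constructed five-word wordlist, and a 16-byte random salt; MD5 appears only because the question uses it.

```python
import hashlib
import os

# Constructed sample data: a tiny wordlist standing in for a guessing dictionary.
WORDLIST = ["123456", "password", "bar", "letmein", "qwerty"]

def md5_hex(data):
    # MD5 mirrors the question's md5($salt.$password); it is far too fast
    # for real password storage, where bcrypt/scrypt/Argon2 belong.
    return hashlib.md5(data).hexdigest()

def build_lookup_table(words, salt=b""):
    """Precompute hash -> password for ONE salt (empty salt = unsalted)."""
    return {md5_hex(salt + w.encode()): w for w in words}

def store_password(password, salt=None):
    """Return (salt, hash) as a server would store them, salt random per user."""
    if salt is None:
        salt = os.urandom(16)
    return salt, md5_hex(salt + password.encode())

def per_hash_guessing(words, salt, stored_hash):
    """The salt is stored in the clear, so guessing still works, but the
    hashing has to be redone from scratch for every single stored hash."""
    for w in words:
        if md5_hex(salt + w.encode()) == stored_hash:
            return w
    return None

def demo():
    unsalted_table = build_lookup_table(WORDLIST)      # computed once, reused
    _, h_unsalted = store_password("bar", salt=b"")
    salt_a, h_a = store_password("bar")                # two users, same password
    salt_b, h_b = store_password("bar")
    table_for_a = build_lookup_table(WORDLIST, salt_a) # work spent on user A only
    return {
        "unsalted_hit": unsalted_table.get(h_unsalted),   # table works
        "salted_hit": unsalted_table.get(h_a),            # table misses
        "same_password_same_hash": h_a == h_b,            # salts hide reuse
        "guess_a": per_hash_guessing(WORDLIST, salt_a, h_a),
        "table_for_a_cracks_b": table_for_a.get(h_b),     # no reuse across users
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt does not need to be secret: its job is to force the guessing work to be repeated per stored hash, which is why /etc/shadow can keep it next to the hash.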