Linked by Thom Holwerda on Mon 4th Jul 2011 21:43 UTC
Apple So, Anonymous, under the guise of its AntiSec campaign, has hacked an Apple server, got access to 27 administrator usernames and passwords, and put them on Pastebin. Is it time to panic? Is it time to point and laugh at Apple? Is it time to stop using iTunes? Not really - this is a small hack that will cause little to no damage.
Thread beginning with comment 479634
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[7]: SHA1 hashed
by Alfman on Tue 5th Jul 2011 22:38 UTC in reply to "RE[6]: SHA1 hashed"
Alfman
Member since:
2011-01-28

Soulbender,

"False. Salting significantly increases the time and complexity of creating the tables. See below.
If it didnt add anything significant it wouldn't be recommended practice."

That's not precisely what I said, I asked specifically about forward hashing complexity. I did edit my post by adding "time" in parens, but I guess it was too late.


I'd like to enter into evidence the following PHP example (apologize in advance for formatting bugs):

function NullHash($password, $salt) {
return $salt.$password.$salt;
}
function Unsalted($password, $salt) {
return hash('sha256', $password);
}
function SimpleSalt($password, $salt) {
return hash('sha256', $salt.$password.$salt);
}

function HMACSalt($password, $salt) {
return hash_hmac('sha256', $password, $salt);
}


function RunTest($function, $name) {
$password = 'superbadass';
$salt = 'kk222929';
$time = microtime(true);
for($i=0; $i<1000000; $i++) {
$function($password, $salt);
}
$time = microtime(true) - $time;

printf(" %10s %10.3s\n",$name,$time);
}

for($trial=0; $trial<3; $trial++) {
print "\nTrial $trial\n";
RunTest(NullHash, 'NullHash');
RunTest(Unsalted, 'Unsalted');
RunTest(SimpleSalt, 'SimpleSalt');
RunTest(HMACSalt, 'HMACSalt');
}




The output for me is as follows:

Trial 2
NullHash 0.7
Unsalted 1.9
SimpleSalt 2.1
HMACSalt 4.4


Now, PHP is a terrible choice for doing this sort of benchmark due to high string overhead. But the prototype was quick and I believe my point stands.

The unsalted and simple salt algorithms have nearly the same forward hashing performance. The HMAC algorithm (which calls the sha hash twice under the hood) is slower by roughly a factor of two.

This shows that forward hashing is not significantly affected by adding salt. If you buy all this, then the answer to my second assertion is true.



"True but you would need one rainbow table for each possible salt. The longer the salt, the more tables needed. This is why salting defeats rainbow tables in practice."

I wasn't really talking about "rainbow tables" specifically, I was talking about indexes like the one in the link I provided.

A rainbow table discards information in a time/space tradeoff and is therefor a subset of a more complete index. Whether or not they are effected by salt probably depends on the salting algorithm and the way in which the rainbow tables are generated. But this does not affect a dictionary permutation attack.

Reply Parent Score: 2