
In the official documentation of the PKCS5 V2.0 standard, we can read "The salt can be viewed as an index into a large set of keys derived from the password, and need not be kept secret."

The part "need not be kept secret" is interesting.

Since the salt is used to add a huge range of password possibilities (or to create two different keys if two users had the same password), what is the purpose of leaving the salt insecure?

I understand that typically an attacker won't have access to the salt, so it will complicate his job to find the right password. But if an attacker knows the salt, where is the "magic"? Knowing the salt is like performing a traditional dictionary attack (if we exclude the iteration count)!

Is there something that I don't understand? I know that knowing the salt doesn't break the security, but saying that it "need not be kept secret" sounds strange to me.

Normand Bedard

1 Answer


The rest of the paragraph (in the standard) seems to explain it:

... Although it may be possible for an opponent to construct a table of possible passwords (a so-called “dictionary attack”), constructing a table of possible keys will be difficult, since there will be many possible keys for each password. An opponent will thus be limited to searching through passwords separately for each salt.

The point is that you can't just take a list of passwords (let's say 77 million passwords) and run them through the same tables. You will need to build a separate table for each password + salt.

Omri Barel
  • Yeah, I know. But if I am in possession of the salt, I "just need" to try all passwords with the known salt. So we return to an initial brute-force attack, since we can append the known salt to every password possibility. – Normand Bedard May 30 '11 at 14:13
  • I think the point is that "trying all the passwords" is not a usual attack: have a look at section 4.2, each password requires at least 1000 iterations, so that limits the search space - if it takes a second to try each password, you can't just try one million possible passwords. – Omri Barel May 30 '11 at 14:38
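The following is an added worked example, not code from the question or the answer above. It uses Python's `hashlib.pbkdf2_hmac` (PBKDF2 as specified in PKCS #5 v2.0) to show the two claims in the thread side by side: with an empty salt one precomputed table of keys breaks every user at once, whereas with a public per-user random salt the attacker's table built for one salt is useless against another salt and the search has to be repeated, at the full iteration cost, for each (salt, candidate) pair. The wordlist, user names and passwords are constructed sample data; the helper names (`enrol`, `precompute_table`, `attack`, `demo`) are this example's own, not from any library.

```python
import hashlib
import secrets

# Constructed sample data for the demonstration (not from the original post).
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "correcthorse"]
ITERATIONS = 1000  # PKCS #5 v2.0 section 4.2 recommends at least 1000 iterations


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt selects one key out of many for the same password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def precompute_table(wordlist, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """Attacker precomputation: a table of derived keys is valid for exactly one salt."""
    return {derive_key(w, salt, iterations): w for w in wordlist}


def table_lookup(table: dict, key: bytes):
    """Constant-cost lookup of a stored key in a precomputed table (None if absent)."""
    return table.get(key)


def enrol(users: dict, iterations: int = ITERATIONS) -> dict:
    """Server side: fresh random salt per user, stored in the clear next to the key."""
    records = {}
    for user, password in users.items():
        salt = secrets.token_bytes(16)
        records[user] = (salt, derive_key(password, salt, iterations))
    return records


def attack(records: dict, wordlist, iterations: int = ITERATIONS):
    """Attacker who knows every salt: candidates must be searched separately per salt.

    Returns the recovered passwords and the number of PBKDF2 evaluations spent,
    each of which costs `iterations` HMAC computations.
    """
    found, work = {}, 0
    for user, (salt, key) in records.items():
        found[user] = None
        for candidate in wordlist:
            work += 1
            if derive_key(candidate, salt, iterations) == key:
                found[user] = candidate
                break
    return found, work


def demo() -> dict:
    """Two users share the password 'password'; compare unsalted vs salted storage."""
    users = {"alice": "password", "bob": "password"}

    # Unsalted (empty salt): identical keys, and one table answers for everyone.
    unsalted_keys = {u: derive_key(p, b"") for u, p in users.items()}
    shared_table = precompute_table(WORDLIST, b"")
    unsalted_hits = {u: table_lookup(shared_table, k) for u, k in unsalted_keys.items()}

    # Salted: same password, different salts, different keys.
    records = enrol(users)
    salt_a, key_a = records["alice"]
    _salt_b, key_b = records["bob"]
    table_for_alice = precompute_table(WORDLIST, salt_a)

    return {
        "unsalted_same_key": unsalted_keys["alice"] == unsalted_keys["bob"],
        "unsalted_hits": unsalted_hits,
        "salted_same_key": key_a == key_b,
        "alice_table_hits_alice": table_lookup(table_for_alice, key_a),
        "alice_table_hits_bob": table_lookup(table_for_alice, key_b),  # None: wrong salt
        "salted_attack": attack(records, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Knowing the salt does let the attacker run a dictionary attack, exactly as the comment above says; what the salt removes is the amortisation. Every (salt, candidate) pair costs a full PBKDF2 evaluation, so the work grows with the number of users (or with the size of the salt space, for precomputed tables), and the iteration count multiplies the cost of each of those evaluations.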