23

Alright, so I'm trying to learn a little about encrypting messages in my Java application. I just found out that salt and key aren't the same.

Can someone help me understand what the difference between the two is?

Zak
cody
  • You wouldn't generally use salt when encrypting a message that you intend to decrypt later. It is more for when you are hashing something like a user's password. The salt is basically just random "noise" that you add to the key in order to make the resulting hash more secure. – aroth Sep 05 '11 at 01:53

2 Answers

28

The key is, crudely, the equivalent of a password; you use it to encrypt a message, and then the same key gets used to decrypt it back to the original plaintext. (Well, it gets a little more complex, once you have public and private keys, and so on.)

A salt is most typically encountered with cryptographic hash functions, not encryption functions. The idea is that rather than hashing just your data (e.g. a password), you hash data+salt, where salt is typically a randomly-generated string. They have (at least) two purposes:

  • To foil an attacker who has access to the hashed data from identifying a collision using a rainbow table.
  • To slow down an attacker who's trying a brute-force attack.
Oliver Charlesworth
  • Ahh ok, I get it now, thank you very much. Basically a key is used for encrypting and decrypting while a salt is used together with the hashing to make it even more secure. Thank you very much :) – cody Sep 05 '11 at 01:58
  • One important difference is that a salt still fulfills most of its purposes if it is known to the attacker. – CodesInChaos Sep 05 '11 at 02:25
  • But if an attacker gets access to the salt, it pretty much is a key to him, no? He can unhash it back. – Mojimi Sep 22 '17 at 03:45
  • @mojimi - bear in mind that for a good hash algorithm, "unhash" really means some variant of brute-forcing search for collisions. – Oliver Charlesworth Sep 22 '17 at 06:48
4

The key is essentially the password with which you lock the original content.

To make the password more difficult to reverse engineer, you can add a salt to the produced encryption.

To give an obviously simple example, let's say you want to encrypt a character string. Your encryption routine is to reverse the word. So, for the string "Hello, World", after running encryption, your string would be "dlroW ,olleH". You could then add a salt to it. In this example, the salt will be "foo", so the result after salting would be "dlroW ,olleHfoo". Now, if someone managed to reverse engineer your encryption algorithm, they'd get "oofHello World", which is not the original message, and thus your information is still safe!

This really comes into use when you iteratively encrypt, e.g.,
result = salt + encrypt(salt+encrypt(salt+encrypt(message))).

Jordaan Mylonas