[colug-432] Hash and salt, where does the salt go ?

Tom Hanlon tom at functionalmedia.com
Mon Jan 6 17:43:22 EST 2014


Tim,

Thanks

The vague answer was good enough, but thanks for being thorough.

So the app stores the salt in a safe place, more or less to summarize?

And in the case of /etc/shadow it is stored there.

In the case of me building an app from scratch, I generate a random salt
and store it.



On Mon, Jan 6, 2014 at 5:19 PM, Tim Randles <tim.randles at gmail.com> wrote:

> Sorry, that was suitably vague.  Example:
>
> root:$1$12192013$blahblahblahblahblahbl:.....
>
> username:$<hash algo, 1 is MD5>$<salt>$<hashed password>:.....
>
>
> On Mon, Jan 6, 2014 at 3:17 PM, Tim Randles <tim.randles at gmail.com> wrote:
>
>> The salt is the second field ($-delimited) in /etc/shadow.
>>
>>
>> On Mon, Jan 6, 2014 at 3:08 PM, Tom Hanlon <tom at functionalmedia.com> wrote:
>>
>>> Colug,
>>>
>>> Just catching up on MD5, SHA1 and associated collision issues.
>>>
>>> Along the way I came across the Wikipedia article on salt.
>>>
>>> http://en.wikipedia.org/wiki/Salt_%28cryptography%29
>>>
>>> I thought I understood the add salt and then hash process.
>>>
>>> But then I thought again, it has been a long time since I had to talk
>>> about Bob, Alice and Ted trying to share secrets. So I need a refresher.
>>>
>>> If Alice has a password after her cat, fluffy.
>>>
>>> And we go to store that password we would hash it.
>>>
>>> Before we hash it we add some salt ( now I am getting hungry for some
>>> salted hash)
>>>
>>> So fluffy => salt+fluffy => hash => password file
>>>
>>> Then when Alice goes to login she types
>>>
>>> fluffy => we add salt => salt+fluffy => hash
>>>
>>> if hash == password file then she can access her bank account, if not
>>> she has to use her Mom's maiden name and her high school mascot.
>>>
>>> So the question I have is..
>>> The article describes the salt as randomly generated when the password
>>> is created.
>>>
>>> Where do we store it ?
>>>
>>> Obviously her newly generated Salt has to be kept on the authenticator's
>>> tool in some fashion.
>>>
>>> Did I just ask a question or propose a meeting topic ? Or both ?
>>>
>>> Anyhow..
>>>
>>> where is the salt ??
>>>
>>> ** note that although I added some humor (I hope) here and there, I am
>>> serious. Where is the salt lookup table stored ?
>>>
>>> --
>>> Tom
>>>
>>> _______________________________________________
>>> colug-432 mailing list
>>> colug-432 at colug.net
>>> http://lists.colug.net/mailman/listinfo/colug-432
>>>
>>>
>>
>
>
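The layout discussed in this thread, as an added example that is not part of the original messages: the salt is generated per password and stored in the same record as the hash, the way the `$<algo>$<salt>$<hash>` field in /etc/shadow does it. The `pbkdf2-sha256-demo` id, the hex encoding, the iteration count and all function names are assumptions made for this sketch, and PBKDF2 stands in for the MD5-crypt scheme shown in the thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, fixed for this sketch
SAMPLE_SHADOW_LINE = "root:$1$12192013$blahblahblahblahblahbl:....."  # from the thread

def parse_crypt_field(field):
    """Split a '$id$salt$hash' password field into (id, salt, hash)."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash field")
    return parts[1], parts[2], parts[3]

def shadow_field_parts(line):
    """Take the second ':'-separated field of a shadow line and split it."""
    return parse_crypt_field(line.split(":")[1])

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password, salt=None):
    """Create the stored record; a fresh random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(16)
    return "$pbkdf2-sha256-demo$%s$%s" % (salt.hex(), _derive(password, salt).hex())

def verify(password, record):
    """Re-read the salt from the record itself, re-hash, compare in constant time."""
    try:
        _, salt_hex, digest_hex = parse_crypt_field(record)
        candidate = _derive(password, bytes.fromhex(salt_hex))
    except ValueError:
        return False  # malformed record or salt: treat as a failed login
    return hmac.compare_digest(candidate.hex(), digest_hex)

if __name__ == "__main__":
    print(shadow_field_parts(SAMPLE_SHADOW_LINE))
    alice, bob = make_record("fluffy"), make_record("fluffy")
    print(alice)
    print(bob)  # same password, different salt, different record
    print(verify("fluffy", alice), verify("Fluffy", alice))
```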