
What is the difference between hash salting and noncing?

I have read up on these two topics, and I can't seem to quite grasp the difference between salting and noncing hashes.

Ryan Ward asked Nov 17 '11 20:11



3 Answers

A salt is a non-secret, random value that's used to ensure that the same plaintext will not consistently hash to the same output value; it's used to prevent precomputation attacks such as Rainbow Tables.

A nonce ("number used once") is a - typically randomly generated - value that's associated with a message in a cryptographic scheme, and must be unique within some specified scope (such as a given time interval, or a session). It's typically used to prevent replay attacks.

Nonces and salts are similar and serve related purposes, but aren't identical. Both are typically randomly generated, not secret, and serve to prevent attacks that would otherwise be possible against the system. They differ mainly in the context in which they're used, and in the consequences of repeats - a duplicate salt is unimportant, but a duplicate nonce can have dire consequences.

Nick Johnson answered Sep 28 '22 05:09


nonce = number used once. If you generate a unique salt for each bit of data you're hashing, then it's essentially a nonce as well.

Marc B answered Sep 28 '22 05:09


Hashing is a one-way process, unlike encryption (using a key we can decrypt). Fixed size, and slight changes in data produce an entirely new hash value. It is like a fingerprint. Example: MD5, MD6, SHA-1, SHA-2 and so on.

Storing passwords in a database in hash format is also not safe, because of rainbow tables, dictionary attacks and brute force (GPUs can compute billions of hashes per second). To avoid these issues we need to use a salt.

A salt (random number) is used so that the same password does not always generate the same key, i.e. a salt is simply added to make a common password uncommon.

A salt is something we add to our hash to prevent rainbow attacks using rainbow tables, which are basically just huge lookup tables that convert hashes to passwords, as follows:

dffsa32fddf23safd -> passwordscrete
f32ksd4343fdsafsj -> stackoverflow

So a hacker can find this rainbow table; to avoid this problem we have to store the hash of the combination of password and salt.

hash = hashFunction(password + salt)

A nonce (number used only once) does not need to be secret or random, but it must not be reused with the same key. This is used to prevent replay attacks (aka playback attacks).


Premraj answered Sep 25 '22 05:09
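The two mechanisms the answers above describe, as an added example that is not code from any of the posters: a per-user random salt with a slow KDF for password storage (so two users with the same password get different stored hashes, defeating precomputed tables), and a nonce plus HMAC tag for replay detection (where a repeated nonce is exactly the failure the first answer warns about). The function and class names, the shared key and the sample passwords are assumed/constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; tune to your hardware


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a 'salt_hex$hash_hex' record. The salt is random, per user, and not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class ReplayGuard:
    """Receiver side of a nonce scheme: every accepted message's nonce is remembered,
    and any message reusing a nonce is rejected even though its tag is valid."""

    def __init__(self, key: bytes):
        self.key = key          # shared secret between sender and receiver (constructed)
        self.seen = set()       # nonces already accepted in this session

    def tag(self, nonce: bytes, message: bytes) -> bytes:
        # The nonce is bound into the MAC so an attacker cannot swap it for a fresh one.
        return hmac.new(self.key, nonce + message, hashlib.sha256).digest()

    def accept(self, nonce: bytes, message: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(tag, self.tag(nonce, message)):
            return False        # forged or tampered message
        if nonce in self.seen:
            return False        # replayed message: same nonce seen before
        self.seen.add(nonce)
        return True


if __name__ == "__main__":
    # Constructed sample: two users chose the same password.
    alice, bob = hash_password("hunter2"), hash_password("hunter2")
    print("same stored hash for same password:", alice.split("$")[1] == bob.split("$")[1])
    guard = ReplayGuard(key=b"constructed-shared-key")
    nonce, msg = b"nonce-0001", b"transfer 10"
    t = guard.tag(nonce, msg)
    print("first delivery accepted:", guard.accept(nonce, msg, t))
    print("replayed delivery accepted:", guard.accept(nonce, msg, t))
```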