Can you pass me the salt?
22 Nov 2016But before you do, let’s talk about rainbow tables.
…but before we do that, let’s talk about hash functions.
First, hash functions take an input and produce a certain output. One of the
properties of cryptographically secure hash functions is that given a hash,
it is difficult to obtain what input was given to produce that output. EDIT:
hash functions are one way, so given a hash, it is impossible to obtain the
original data, regardless if it is cryptographically secure or not. For
simplicities sake, given a hash, ask yourself, “Can we tell ANYTHING about the
input based on this output?” Anything could include properties, patterns, etc.
If the hash is cryptographically secure, the answer to that question is “NO”. If
it is not, the answer would be a solid “Maybe”.
A rainbow table is a tool one can use to obtain the input for a given output. Rainbow tables are not simple to create. And that fact is important. So, you can create a table for a given hash function and use it to reverse hash functions.
Now let’s talk about salting a hash. Let’s say you have a neat rainbow table for a hash function, and you’re using it to determine all kinds of neat things cough passwords cough. Now, you come across some hashes that have been salted. Welp, feel free to throw away your table because you’ll need to completely recompute it to break these new hashes REGARDLESS IF YOU KNOW THE SALT OR NOT. So, you may think that simply salting a hash with say, a timestamp won’t work because it is too simple, however, the simplicity has nothing to do with it. It has to do with the fact that a new rainbow table is needed for every new salt. Bear in mind, if the NSA or any other sufficiently powerful entity with unlimited funding is trying to hack you, then odds are, they are going to be successful (I only need 1000TB of hard disk space, and a server farm to compute this thing? No problem). Doing something as simple as salting a hash with a timestamp is generally good enough to keep most hackers out of your system.
8/25/2017 Edit
Wow. Just wow.
it is impossible to obtain the original data, regardless if it is cryptographically secure or not
This is so incredibly wrong. You can absolutely obtain original data from a hash function, be it cryptographically secure or otherwise.
Why is that? Because the same string will net the same hash every single time. For example, if I give you a hash DEADBEEFDEADBEEFDEADBEEF, you have no idea what the original string was. However, you could take a wild guess, say TurkeyFriedChicken. If the hashing algorithm spits out DEADBEEFDEADBEEFDEADBEEF, then you have a pretty good idea that the original string was TurkeyFriedChicken.
So then, what is the difference between a cryptographically secure hashing algorithm and one that is not cryptographically secure? Well, it may seem odd, but primarily, the difference is speed cryptographically secure hashing algos take a long time, cannot be sped up through parallelization, and just suck in general. The current best cryptographically secure hashing algorithm is Argon2, so if you want to learn more, click on that link.
I’m not sure if I should be embarrassed about having no idea what I’m talking about, or if it just indicates how incredibly difficult it is to find pertinent information about this kind of crap >:(