DoniDarkok

Reputation:

What is the salt in Enterprise Library HashProvider? (SaltEnabled key)

How is the salt generated in HashProvider in Microsoft Enterprise Library when we set SaltEnabled?

Is it random to new machines? Is it some magic number?

(I know what a salt is; the question is what the actual value of a/the salt is in Enterprise Library HashProvider)

Upvotes: 3

Views: 1408

Answers (4)

Gareth Stephenson

Reputation: 63

I replied to a similar question regarding the Enterprise Library and the salt value it uses for hashing.

You can view it here: https://stackoverflow.com/a/27247012/869376

The highlights:

  1. The salt is a randomly generated 16 byte array.
  2. It is generated via the CryptographyUtility.GetRandomBytes(16); method in the Microsoft.Practices.EnterpriseLibrary.Security.Cryptography namespace. This eventually calls a C library method called [DllImport("QCall", CharSet = CharSet.Unicode)] private static extern void GetBytes(SafeProvHandle hProv, byte[] randomBytes, int count);
  3. The first 16 bytes of the Base64-encoded string are the salt that was used to hash the original value.

Upvotes: 0

xr280xr

Reputation: 13302

So I'm a couple years too late, I guess, but my understanding is that a new random salt value is created every time you create a hash.

Upvotes: 0

Corbin March

Reputation: 25714

Edit:

See Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.HashAlgorithmProvider for an example implementation. Hashing steps are:

  1. If SaltEnabled, generate random bytes for the salt length using RNGCryptoServiceProvider.
  2. Append the salt to the plaintext.
  3. Hash the salted plaintext.
  4. Then (this is the important step), append the salt again to the hash.

To compare against hashed text, you must use:

public bool CompareHash(byte[] plaintext, byte[] hashedtext)

versus rehashing and comparing. If you rehash, a new random salt is generated and you're lost.

CompareHash does the following:

  1. Pulls the non-hashed salt off the hashtext. Remember, it was appended at step 4 above.
  2. Uses that salt to compute a hash for the plaintext.
  3. Compares the new hash with the hashedtext minus salt. If they're the same - true, else false.

Original:

"If salt is enabled on a HashProvider, the provider will generate a random sequence of bytes that will be added to the hash. If you compare a hashed value with an unhashed value, the salt will be extracted from the hashed value and used to hash the unhashed value prior to comparison."

and

"As for decoding a hash value: this cannot be done. After creating a hash there should be no way to reverse this into the original value. However, what you can do is compare an unhashed value with a hashed value by putting it through the same algorithm and comparing the output."

From http://www.codeplex.com/entlib/Thread/View.aspx?ThreadId=10284

Upvotes: 4
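The hashing and CompareHash steps described in the answer above, written out as a stand-alone illustration (added example, not Enterprise Library's own code). It assumes SHA-256 and a 16-byte salt, and stores the salt after the digest exactly as steps 1-4 describe; the real library's algorithm is configurable and its byte layout should be checked against its source before relying on it.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LENGTH = 16      # assumption: matches the 16-byte salt mentioned on this page
DIGEST = "sha256"     # assumption: the library's algorithm is configurable


def create_hash(plaintext: bytes, salt: Optional[bytes] = None) -> bytes:
    """Steps 1-4: random salt, hash plaintext||salt, then append the salt to the digest.

    `salt` may be supplied only to make the function deterministic in tests;
    callers producing real hashes must let it be generated.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LENGTH)              # step 1: CSPRNG salt
    digest = hashlib.new(DIGEST, plaintext + salt).digest()  # steps 2-3
    return digest + salt                                     # step 4: salt travels with the hash


def compare_hash(plaintext: bytes, hashedtext: bytes) -> bool:
    """CompareHash: reuse the salt stored in hashedtext, never draw a fresh one."""
    digest_len = hashlib.new(DIGEST).digest_size
    if len(hashedtext) != digest_len + SALT_LENGTH:
        return False                                         # malformed input, not a match
    stored_digest = hashedtext[:digest_len]
    salt = hashedtext[digest_len:]                           # step 1: pull the salt off the end
    recomputed = hashlib.new(DIGEST, plaintext + salt).digest()  # step 2
    return hmac.compare_digest(recomputed, stored_digest)    # step 3, constant-time compare


def naive_rehash_matches(plaintext: bytes, hashedtext: bytes) -> bool:
    """The mistake the answer warns about: rehashing draws a new salt, so this never matches."""
    return create_hash(plaintext) == hashedtext
```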

Andrei Rînea

Reputation: 20780

Slightly off-topic:

This salt is used to prevent rainbow attacks. A rainbow attack is a type of attempt to find out what the string was for which this hash has been computed, based on a very large (exhaustive, usually several gigabytes) dictionary of precomputed hashes.

'Uncle' Jeff has a blog entry about this.

Additionally you could look up Wikipedia:

http://en.wikipedia.org/wiki/Rainbow_table

Upvotes: 0
