How much entropy is there in SHA2(RAND(), 256)?

Question

How many bits of entropy will

SELECT SHA2(RAND(), 256);

generate?

(Actual question: Is this a reasonable way of generating a random salt for a password?)

Answer 1

Let's break this down.

SHA2 can refer to one of 4 algorithms:

• SHA224 - 224 bits of output
• SHA256 - 256 bits of output
• SHA384 - 384 bits of output
• SHA512 - 512 bits of output

So they each take an arbitrary input (0 to 2^64-1 bits of data), and produce an output of a fixed size.

Note that no entropy is actually created here. However, when feeding in more than the output size bits of entropy, some is destroyed. And when we take into account the (small) possibility of collisions, sometimes inputs smaller than the output size can have entropy destroyed. Therefore, we can say that each function places an upper bound of entropy as its output size.

So hashing can't increase entropy. So that means our upper bound on entropy is the lesser of the output size of the hash, and the size of the input.

Now, your input is RAND(). Assuming that you're referring to MySQL's RAND() function, let's look at what's happening. The RAND() function produces a floating point result. Now, MySQL uses a 4-byte floating point value for FLOAT data types. That means that at most, the result contains 32 bits of entropy.

Therefore, the combination is already down to an upper bound of 32 bits of entropy.

Thanks to the Birthday Paradox, at 32 bits of entropy, we're at a 50% chance of a collision in just 7,000 generations. That's way too low for an effective salt...

And that doesn't even touch the fact that RAND() is predictable (which isn't the end of the world in the case of a salt).

Instead, just use a library to handle the generation for you. In PHP, I'd suggest password-compat or phpass.

In other languages, I am not sure. But seriously, don't reinvent it. Just use a library (preferably one that uses bcrypt or scrypt) and be done with it.

Answer 2

The hash function SHA2 will not add any entrophy to the resulting salt, it just brings the result of rand() into another form. That means, all depends on the rand() function and it's implementation.

The function rand() is of course not random, if you know the state of the function (the last result), you can predict the next generated value. The state itself is based on a seed, sometimes this seed is set automatically by the application. PHP for example creates a seed from the current time and the process-id. Note that those values are somewhat predictable too, or at least will narrow down the range of possible results.

I don't know the MYSQL implementation of rand, but i would not recommend to use its rand() function to generate a salt. Actually i would never let the database generate the salt or the hash value of a password, because most databases do not provide an appropriate way to hash passwords. Instead use the development environment with a slow key-derivation function like BCrypt, such functions often create a safe salt automatically.

To answer your question, uniqueness is the main purpose of the salt, so there are weaker ways to generate a salt. Better would be a salt that is unpredictable too, so nobody can precalculate the salt (ranges of possible salts), and therefore can prepare an attack. The best way to get a salt is, to use the random source of the operating system (URANDOM).