Reputation: 58
Salt is used when storing passwords in databases in order to protect against dictionary attacks and rainbow tables.
However, let's assume we need to store unique and random (sensitive) information about users. Is there still an advantage in salting this information before hashing it?
Wouldn't salt use, in this case, just add randomness to already random data (unlike man-typed passwords)?
Upvotes: 1
Views: 172
Reputation: 299455
This depends very heavily on the size of the search space. For example, we could pretend that social security numbers are both random and unique (they're not actually either, but for the purpose of this discussion we will pretend they are). If you're hashing SSNs, not only do you need a salt, but a salt isn't sufficient. Why? Because there are fewer than 10 billion SSNs in existence. Creating a rainbow table for those is trivial. Even with a salt, it isn't that hard to brute force, even if the values are unique and random.
So to protect a random and unique value that lives in a small search space we have to use a stretching algorithm like PBKDF2, not just a hash. The point of a stretching algorithm is to make computing the hash very slow.
Stretching algorithms always include a salt. But it doesn't have to be a random salt. It could be deterministic (some database identifier + the user id for example, "com.example.mygreatapp:alice"). But for a small search space, you still need it to be unique per user because there are so few items in the search space.
On the other hand, if your random and unique data represents a large search space (not less than 2^64, and ideally at least 2^80), and that search space is sparse (you only use a very small fraction of legal elements), then salting and stretching is likely not required.
Upvotes: 1
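The answer above describes two regimes: a small search space (roughly 9-digit SSNs) where a bare hash is enumerable and you need a per-user salt plus a stretching function, and a large, sparse random space where a plain hash is enough. The following Python is an added example, not code from the answer's author; the application identifier `com.example.mygreatapp` follows the answer's own salt pattern and is hypothetical, the SSN value is constructed, and the PBKDF2 iteration count is an assumed work factor.

```python
import hashlib
import hmac
import math
from typing import Optional

# Constructed identifiers for the demo; the app id follows the answer's
# "com.example.mygreatapp:alice" salt pattern and is not a real application.
APP_ID = "com.example.mygreatapp"
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def deterministic_salt(app_id: str, user_id: str) -> bytes:
    """Unique-per-user salt built from non-secret identifiers, as the answer allows."""
    return f"{app_id}:{user_id}".encode()


def stretch(value: str, user_id: str, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of a small-search-space value (e.g. a 9-digit SSN).

    Each guess now costs `iterations` HMAC evaluations instead of one hash, and
    the per-user salt means a table built for one user is useless for another.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", value.encode(), deterministic_salt(APP_ID, user_id), iterations
    )


def verify_stretched(candidate: str, user_id: str, stored: bytes) -> bool:
    """Constant-time comparison so verification does not leak where bytes differ."""
    return hmac.compare_digest(stretch(candidate, user_id), stored)


def plain_hash(value: str) -> bytes:
    """Unsalted, unstretched SHA-256: acceptable for high-entropy random tokens only."""
    return hashlib.sha256(value.encode()).digest()


def brute_force_plain_ssn(stored: bytes, max_candidates: int) -> Optional[str]:
    """Show why a bare hash fails for a small space: enumerate 9-digit strings
    until one matches. Capped at `max_candidates` so the demo is quick; the whole
    10^9 space is minutes of work on one core, which is the answer's point."""
    for n in range(max_candidates):
        candidate = f"{n:09d}"
        if plain_hash(candidate) == stored:
            return candidate
    return None


def protection_needed(search_space_bits: float) -> str:
    """The answer's thresholds: under 2^64 possible values you need salt + stretching;
    at 2^80 or more, with sparse use, a plain hash of the random value is enough."""
    if search_space_bits < 64:
        return "salt + stretching required"
    if search_space_bits < 80:
        return "salt + stretching recommended"
    return "plain hash sufficient"


if __name__ == "__main__":
    ssn = "000012345"  # constructed, not a real SSN
    print("SSN space:", protection_needed(math.log2(10**9)))  # ~29.9 bits
    print("256-bit random token:", protection_needed(256))
    recovered = brute_force_plain_ssn(plain_hash(ssn), 20_000)
    print("unsalted SHA-256 of SSN recovered by enumeration:", recovered)
    digest = stretch(ssn, "alice")
    print("PBKDF2 digest for alice:", digest.hex())
    print("same SSN, user bob, differs:", stretch(ssn, "bob") != digest)
    print("verify:", verify_stretched(ssn, "alice", digest))
```

Run it directly to see the unsalted SSN hash fall to a short enumeration while the stretched, per-user-salted digests differ between users; `protection_needed` encodes the answer's 2^64 / 2^80 thresholds as a decision rule you can apply to your own data's entropy estimate.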
Reputation: 1086
It depends on how confidential your information is and what the consequences are when this data is compromised. Is it PII, like an SSN or DOB?
You mentioned that your data is random and unique, which means it is difficult to identify a pattern. If the pattern is random enough, then salting your data may not be required. If you go with salting, then you will have the added responsibility of protecting those salts as well.
I would recommend using a low-privileged account, hardening the server, and authentication and authorization to protect your data and minimize the attack surface.
Again, you should come to a conclusion after classifying your data based on CIA principles.
Upvotes: 1