[Encryption] Salting
Study notes / IT techniques · 2022. 7. 11. 09:18
https://sjparkk-dev1og.tistory.com/88
User password encryption - Hash & Salt
A method for overcoming the weakness of hashing, which is one way of protecting stored secrets.
Hashing is a technique that runs data through a function built on a hash algorithm (SHA-1, etc.) and turns it into a seemingly random value; the resulting value is called a digest.
Attackers built tables of digest values, which made it possible to infer the original data, and salting emerged as the countermeasure: adding a random string before running the hash function.
Reference:
https://en.wikipedia.org/wiki/Salt_(cryptography)
Salt (cryptography) - Wikipedia
In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes data, a password or passphrase.[1][full citation needed] Salts are used to safeguard passwords in storage. Historically, only a cryptographic hash function of the password was stored on a system, but over time, additional safeguards were developed to protect against duplicate or common passwords being identifiable (as their hashes are identical).[2] Salting is one such protection.
A new salt is randomly generated for each password. Typically, the salt and the password (or its version after key stretching) are concatenated and fed to a cryptographic hash function, and the output hash value (but not the original password) is stored with the salt in a database. Hashing allows later authentication without keeping and therefore risking exposure of the plaintext password if the authentication data store is compromised. Note that due to this, salts don't need to be encrypted or stored separately from the hashed password itself, because even if an attacker has access to the database with the hash values and the salts, the correct use of said salts will hinder common attacks.[1]
Salts defend against attacks that use precomputed tables (e.g. rainbow tables),[3] as they can make the size of table needed for a successful attack prohibitively large without burdening users. Since salts differ from one another, they also protect redundant (e.g. commonly used, re-used) passwords, as different salted hashes are created for different instances of the same password.
Cryptographic salts are broadly used in many modern computer systems, from Unix system credentials to Internet security.
Salts are closely related to the concept of a cryptographic nonce.
-> This is where the nonce appears. In an authentication protocol, it is an arbitrary value generated to prevent replay attacks (an arbitrary number used just once in a cryptographic communication). I learned for the first time that nonce means "number once". Since it is used only once, it cannot be used in old communications.
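The scheme described in the note above and in the quoted Wikipedia passage (random salt per password, salt concatenated with the password and hashed, salt stored next to the digest), as an added example that is not part of the original post. The list of "common passwords" that stands in for a precomputed digest table is constructed for the demonstration; the function names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed sample list: stands in for the precomputed digest table
# (rainbow table) an attacker would carry. Illustrative only.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def unsalted_digest(password: str) -> str:
    """Hash the password alone: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_digest(password: str, salt: bytes) -> str:
    """Concatenate salt || password and hash, as described in the note."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str, salt_len: int = 16) -> dict:
    """Generate a fresh random salt and store it in the clear beside the digest.

    The salt does not need to be secret; the original password is never stored.
    """
    salt = secrets.token_bytes(salt_len)
    return {"salt": salt.hex(), "digest": salted_digest(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute the salted digest from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = salted_digest(password, salt)
    return hmac.compare_digest(candidate, record["digest"])


def build_lookup_table(passwords) -> dict:
    """Precompute unsalted digest -> password, the table salting is meant to defeat."""
    return {unsalted_digest(p): p for p in passwords}


def demo() -> dict:
    """Show why the unsalted digest is recoverable from a table and the salted one is not."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = unsalted_digest("letmein")
    record_a = make_record("letmein")
    record_b = make_record("letmein")  # same password, different salt
    return {
        "unsalted_recovered": table.get(unsalted),          # "letmein"
        "salted_recovered": table.get(record_a["digest"]),  # None
        "same_password_different_digests": record_a["digest"] != record_b["digest"],
        "verify_ok": verify("letmein", record_a),
        "verify_wrong": verify("letmeout", record_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two records for the same password never match, so a leaked database does not reveal which users share a password, and a digest table built without the salt finds nothing. A plain SHA-256 is used here only to mirror the note; the "key stretching" the Wikipedia text mentions would replace `hashlib.sha256` with a deliberately slow construction such as `hashlib.pbkdf2_hmac`, keeping the same salt handling.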
v. safeguard passwords in storage. n. additional safeguards
in storage, in a database
risking exposure of the plaintext password, if xx is compromised.
the salt and the password are concatenated and fed to a cryptographic hash function, (string concatenation: the operation of joining two strings into one)