Monday, 30 March 2020

What Is a Salt in Cryptography

Salts Are Used Against Rainbow Table Attacks
The explanation is as follows.
A rainbow table attack uses a list of possible passwords hashed with the same algorithm to compare. So you could theoretically compose a list of common passwords, hash them with an algorithm like BCrypt, and compare those hashes to the actual list of password hashes. The solution to this - salts!
Example
Suppose we have a password and its cryptographic hash:
password : 123 hash : GBIQ
If we store it this way, an attacker who has hashed commonly used passwords in advance can find the password. The explanation is as follows.
Someone who hasn't stolen your password database can work out ahead-of-time that GBIQ is the hash of password 123, so they can just make a big database with millions of common passwords with their hashes and compare that to any password database they steal. 
But if we also pass the salt to the hash function as input, the attacker cannot carry out this attack. We do it like this:
Hash (salt + password)
The explanation is as follows. In this case the hash is stored like this:
Salt : 111| Hash : P2C/
The explanation is as follows.
During the brute force attack, words from the dictionary are hashed with the correct hash algorithm and salt, and then compared to the hash in the database dump. So the attacker needs to know not only the hash value itself, but the algorithm and the salt.
What Is a Salt?

The explanation is as follows. In other words, it is randomly generated data.
salt is simply "random data that is used as an additional input to a one-way hash function." Salts add yet another layer of randomness to our already pretty random crypt.
What Is a Pepper?
Besides the salt, there is also the concept of a pepper. The explanation is as follows.
In cryptography, a pepper is a secret added to an input such as a password prior to being hashed with a cryptographic hash function. 

A pepper performs a comparable role to a salt, but while a salt is not secret (merely unique) and can be stored alongside the hashed output, a pepper is secret and must not be stored with the output. The hash and salt are usually stored in a database, but a pepper must be stored separately (e.g. in a configuration file) to prevent it from being obtained by the attacker in case of a database breach.
Properties of a Salt
The explanation is as follows.
A salt is:
- Not secret - Salts are stored in plaintext.
- Secure - They are generated randomly and are long.
- Unique - Every user's salt is intentionally different.

A password is:
- Secret - Assuming they do not put it on a sticky note.
- Secure - If it's not hunter2.
- Unique - Or at least difficult to guess. Ideally, it should be unique.
The Salt Is Stored Together with the Hash
The explanation is as follows. This describes the "Not secret" property.
The salt is stored in plaintext next to the hash and the same salt is used when checking a password.
In the database it looks like this:
id : password_hash : salt
1    abcdxqx         mysalt
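The GBIQ example and the storage layout above, as an added Python example (not from the original post or the sources it quotes). SHA-256 stands in for the post's Hash(); the word list, the record layout and all function names are assumptions made for the illustration. Real password storage would use a password-hashing library, as the post advises under salt generation.

```python
import hashlib
import hmac
import secrets

WORDLIST = ["123", "password", "qwerty", "letmein"]  # constructed sample list

def hash_unsalted(password: str) -> str:
    # Hash(password): the storage scheme the post warns against.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(salt: bytes, password: str) -> str:
    # Hash(salt + password), as written in the post.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def new_record(password: str) -> dict:
    # One fresh random salt per set-password operation, stored in plaintext
    # next to the hash (the id : password_hash : salt row).
    salt = secrets.token_bytes(16)
    return {"salt": salt, "password_hash": hash_salted(salt, password)}

def verify(record: dict, candidate: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    expected = record["password_hash"]
    return hmac.compare_digest(expected, hash_salted(record["salt"], candidate))

# Table built ahead of time, without access to any password database.
PRECOMPUTED = {hash_unsalted(p): p for p in WORDLIST}

def lookup(stored_hash: str):
    # Reverse lookup in the precomputed table; None when there is no match.
    return PRECOMPUTED.get(stored_hash)

def per_record_search(record: dict):
    # With the salt known, every guess must be rehashed for this row alone;
    # the work cannot be reused for a row that has a different salt.
    return next((p for p in WORDLIST if verify(record, p)), None)

if __name__ == "__main__":
    alice, bob = new_record("123"), new_record("123")
    print("unsalted lookup:", lookup(hash_unsalted("123")))
    print("salted lookup:  ", lookup(alice["password_hash"]))
    print("same hash for same password:",
          alice["password_hash"] == bob["password_hash"])
    print("login ok:", verify(alice, "123"), "| wrong:", verify(alice, "124"))
    print("per-record search:", per_record_search(alice))
```

The last line of output shows that a salt does not rescue a weak password such as 123: it only removes the attacker's ability to precompute once and reuse the result across rows.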
Salt Order
There is no difference between the following two:
Hash (salt + password)
and
Hash (password + salt)
are the same thing.

Generating a Salt
In Java, SecureRandom.nextBytes() can be used. However, it is better to use libraries that do this job. The explanation is as follows.
The fact that you are generating salts on your own is a red flag. The best way to do this, especially if you have little experience with security, is to use an established library for password hashing.

A well designed library will generate and use salts automatically for you, and it will stor
Using the Password as the Salt - Don't Do It
This should not be done. The explanation is as follows.
The whole point of a salt is to be unique to a set-password operation, so that attackers can't reuse work when they target multiple accounts (multiple users on the same server, multiple servers, or both). Using the password as the salt completely defeats the purpose.

The salt does not need to be unguessable or secret.
