To quote from this wiki article -
An alternative approach, called key strengthening, extends the key with a random salt, but then (unlike in key stretching) securely deletes the salt. This forces both the attacker and legitimate users to perform a brute-force search for the salt value.
I am comfortable with what key stretching does, but I am confused about how key strengthening is achieved. How can the key be validated again if the salt is deleted?
The paper on the key strengthening scheme cited in the wiki article is available here.
It seems they're breaking a larger salt up into two smaller salts: a public salt, which is no different from normal salting, and a private salt, which is discarded in order to make password verifications slower. The idea is that all password verifications will be slower because the private salt must always be brute-forced, but this will be negligible when the correct password is provided. However, the added processing will slow down brute forcing of the password.
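To make the split-salt mechanism concrete, here is a small added example (not code from the question, the answer, or the cited paper). It stores only the public salt and the digest; the private salt is drawn from a deliberately small space, mixed into the hash once, and dropped. Verification has to enumerate that space until a candidate reproduces the stored digest. The hash construction (`SHA-256` over public salt, private salt and password) and the 12-bit private salt size are assumptions chosen to keep the demonstration fast; a real deployment would put a proper slow KDF underneath and pick the private salt size to match the tolerable verification delay.

```python
import hashlib
import hmac
import os

# Number of private-salt bits that are discarded after hashing. Every wrong
# password costs the verifier 2**PRIVATE_BITS hashes; a correct one costs on
# average half that. 12 bits keeps this demonstration quick to run.
PRIVATE_BITS = 12
PUBLIC_SALT_LEN = 16  # bytes; stored alongside the digest like a normal salt


def _hash(password: bytes, public_salt: bytes, private_salt: int) -> bytes:
    # Hypothetical construction for illustration: SHA-256 over
    # public_salt || private_salt (2 bytes, big-endian) || password.
    priv = private_salt.to_bytes(2, "big")
    return hashlib.sha256(public_salt + priv + password).digest()


def strengthen(password: bytes) -> tuple[bytes, bytes]:
    """Hash a password with a public salt and a throwaway private salt.

    Returns (public_salt, digest). The private salt is generated, used once,
    and never written anywhere, so nothing stored can shortcut the search.
    """
    public_salt = os.urandom(PUBLIC_SALT_LEN)
    # 2**16 is divisible by 2**PRIVATE_BITS, so the modulo keeps this uniform.
    private_salt = int.from_bytes(os.urandom(2), "big") % (1 << PRIVATE_BITS)
    digest = _hash(password, public_salt, private_salt)
    return public_salt, digest  # private_salt is discarded here


def verify(password: bytes, public_salt: bytes, digest: bytes) -> tuple[bool, int]:
    """Brute-force the discarded private salt to check a password.

    Returns (matched, candidates_tried). A correct password stops at the
    first matching candidate; a wrong one exhausts the whole space.
    """
    for candidate in range(1 << PRIVATE_BITS):
        if hmac.compare_digest(_hash(password, public_salt, candidate), digest):
            return True, candidate + 1
    return False, 1 << PRIVATE_BITS


if __name__ == "__main__":
    # Constructed sample input; the password is not a real credential.
    salt, stored = strengthen(b"correct horse battery staple")
    ok, tried = verify(b"correct horse battery staple", salt, stored)
    print(f"correct password: matched={ok}, hashes computed={tried}")
    ok, tried = verify(b"wrong guess", salt, stored)
    print(f"wrong password:   matched={ok}, hashes computed={tried}")
```

Running it shows the asymmetry the answer describes: the legitimate check terminates as soon as the right private salt is found, while each incorrect guess pays the full 2**PRIVATE_BITS hashes before it can be rejected. Doubling PRIVATE_BITS doubles both costs, which is the knob that trades login latency for resistance to offline guessing.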