[Opendnssec-develop] getting rid of HSM calls from the communicator
roy at nominet.org.uk
Thu Sep 10 09:19:51 UTC 2009
Rick van Rein wrote on 09/10/2009 10:09:13 AM:

> Salt is used to make dictionary attacks harder, and the more generic
> a dictionary can be used, the more likely such an attack becomes.

The input to the hash function is unique per deployment, regardless if
everyone uses the same salt.

> So, in order to be less predictable, salts must be changed as often
> as is practical,

In order to change it, you'd need to have a salt first. And that salt can
be the same for everyone.
The changing over time needs to be a change from the _previous_ salt.

> ideally every time before using it.

Again, why _before_ using it?

> Installing a system with the same salt everywhere is exactly as good
> as not salting at all.

Right. The same is true for the same salt every. Only when you change the
salt, salting becomes valuable.
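
Added example, not part of the original message or of OpenDNSSEC: assuming the salt under discussion is the NSEC3 salt of RFC 5155, this computes the NSEC3 hash of the same label in two zones under one shared salt, and again after a salt change, so the contribution of each input can be compared. The zone names, salts and iteration count are constructed sample values.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex") alphabet, RFC 4648.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(fqdn: str) -> bytes:
    """Canonical (lowercased) DNS wire format of a fully qualified name."""
    labels = [l for l in fqdn.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"  # root label terminates the name


def nsec3_hash(fqdn: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5 hash with SHA-1, returned as lowercase base32hex.

    The hashed input is the full owner name (zone name included) followed
    by the salt; each extra iteration re-hashes digest || salt.
    """
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(fqdn) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()


def compare() -> dict:
    """Same label, two zones, shared salt; then one zone after a salt change."""
    shared, rotated, iters = "aabbccdd", "11223344", 12  # constructed values
    return {
        "www.example.org / shared salt": nsec3_hash("www.example.org", shared, iters),
        "www.example.net / shared salt": nsec3_hash("www.example.net", shared, iters),
        "www.example.org / rotated salt": nsec3_hash("www.example.org", rotated, iters),
    }


if __name__ == "__main__":
    for case, value in compare().items():
        print(f"{case}: {value}")
```
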