[Opendnssec-develop] getting rid of HSM calls from the communicator

Roy Arends roy at nominet.org.uk
Thu Sep 10 09:19:51 UTC 2009


Rick van Rein wrote on 09/10/2009 10:09:13 AM:

> Salt is used to make dictionary attacks harder, and the more generic
> a dictionary can be used, the more likely such an attack becomes.

The input to the hash function is unique per deployment, regardless of whether
everyone uses the same salt.

> So, in order to be less predictable, salts must be changed as often
> as is practical, 

In order to change it, you'd need to have a salt first. And that salt can 
be the same for everyone.
The changing over time needs to be a change from the _previous_ salt.

> ideally every time before using it.

Again, why _before_ using it?

> Installing a system with the same salt everywhere is exactly as good
> as not salting at all.

Right. The same is true for the same salt every. Only when you change the 
salt, salting becomes valuable.

Kind regards,

Roy Arends
Sr. Researcher
Nominet UK
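
Added example, not part of the original message: assuming the salt under discussion is the NSEC3 salt of RFC 5155, this sketch hashes the same label in two zones with one shared salt, and in one zone before and after a salt change, to show when a precomputed dictionary still matches. The zone names, word list and second salt are constructed; `nsec3_hash` and `build_dictionary` are hypothetical helper names.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648); map from the standard alphabet.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(fqdn):
    """Canonical (lowercased) DNS wire format of a fully qualified name."""
    out = b""
    for label in fqdn.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(fqdn, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 over name||salt, then re-hashed `iterations` times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(fqdn) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def build_dictionary(words, zone, salt_hex, iterations):
    """Precompute hash -> label for candidate labels under one zone and salt."""
    return {nsec3_hash("%s.%s" % (w, zone), salt_hex, iterations): w
            for w in words}


def demo():
    words = ["www", "mail", "vpn"]                # constructed candidate labels
    table = build_dictionary(words, "zone-a.example", "aabbccdd", 12)
    # Same zone, same salt: the precomputed table matches.
    same_zone = nsec3_hash("www.zone-a.example", "aabbccdd", 12) in table
    # Other zone, same salt: the zone name is part of the hash input, no match.
    other_zone = nsec3_hash("www.zone-b.example", "aabbccdd", 12) in table
    # Same zone after a salt change: the old table no longer matches.
    after_change = nsec3_hash("www.zone-a.example", "11223344", 12) in table
    return same_zone, other_zone, after_change


if __name__ == "__main__":
    print(demo())
```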