Comments (8)
Salting the master passphrase protects against pre-computed hash attacks. You can read more about it here PBKDF2.
Does that help?
from crypt_keeper.
@robotvert any other questions?
from crypt_keeper.
Well, I know what a salt is for. I know about rainbow tables and such.
Another benefit of the salt, as I wrote, is to prevent the data from "looking" the same even if 2 different records have the same data.
Hence my question: Isn't that salt's feature rendered useless by making it a shared value across all records?
from crypt_keeper.
No, it is not rendered useless.
On Apr 24, 2014, at 10:44 PM, Julien Feltesse [email protected] wrote:
Well, I know what a salt is for. I know about rainbow tables and such.
Another benefit of the salt, as I wrote, is to prevent the data from "looking" the same even if 2 different records have the same data.
Hence my question: Isn't that salt's feature rendered useless by making it a shared value across all records?—
Reply to this email directly or view it on GitHub.
from crypt_keeper.
ok
from crypt_keeper.
@robotvert you're not wrong about salting the plaintext, but that is a much different issue. This deals strictly with the passphrase. You're never suppose to use the passphrase as the actual password, it's bad practice for the reasons I stated above. I highly recommending reading through the PBKDF2 article.
I also wanted to point out that most of the encryptors are utilizing random initialization vectors which means that the same plaintext encrypted multiple times yields different ciphertext. Here is an example below:
irb(main):009:0> c = CryptKeeper::Provider::AesNew.new(key: 'test', salt: 'test')
=> #<CryptKeeper::Provider::AesNew:0x007fe6c5a62b70 @key="a30964f784f3b5398d883f558f0c9aae8e12faaafdbd37c53512713421ae6e67e31fdfabee70c9013487c3788640f8af5940b08adc56a8b3153b7126e8c3c08a">
irb(main):010:0> c.encrypt('test')
=> "HcZ/kO4inzHn5pYyRoA7Nw==$2OGqpF3WtfAuxt8q0prK6g=="
irb(main):011:0> c.encrypt('test')
=> "LaotoV4DLRAGmRnNZojEOg==$IX7tosNripCc5yGGe++yOg=="
irb(main):012:0> c.encrypt('test')
=> "YKXoxdcqkPCBdKOmzhb81w==$tpYp/9BePZKm27poadKBYA=="
irb(main):013:0>
I certainly do appreciate you voicing your concerns. Do you have any other feedback or thoughts?
from crypt_keeper.
Thanks for the explanation, it's much clearer now 👍
from crypt_keeper.
@robotvert no problem. I'm closing this issue out, if you need clarification on anything else, let me know.
from crypt_keeper.
Related Issues (20)
- ActiveRecord::SubclassNotFound: Invalid single-table inheritance type: Firm is not a subclass of
- Feature Request: Sorting encrypted attributes
- Failure to support encryption for :string column type HOT 3
- jamming config.active_record.verbose_query_logs = true HOT 1
- Delayed job: ActiveSupport::MessageEncryptor::InvalidMessage HOT 15
- How to use WHERE LIKE queries on encrypted fields? HOT 1
- Rails 6 support HOT 1
- Rails 6 support HOT 9
- ActiveRecord send indavlid data to database using PostgresPgp with binary column type HOT 3
- undefined method `crypt_keeper' for CryptKeeper::Model::ClassMethods:Module
- String length validation for encrypted filed? HOT 3
- Support Rails 6.1.0 HOT 5
- ActiveSupport::MessageEncryptor::InvalidMessage after upgrading from Rails 5.2.6 to 6.0.4 HOT 2
- Devise & Crypt-Keeper for same model HOT 2
- Incorrect rails 7 dependency specified in Gemspec HOT 5
- crypt_keeper re-encrypts attributes on every save HOT 1
- Cannot have multiple encryptors on one model HOT 2
- Allow rails 7.0.X HOT 3
- `decrypt_table!` fails with unencrypted data
- crypt_keeper 2.3.0 not compatible with rails 7.0.8.4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from crypt_keeper.