3

I can attempt to define the term 'pepper' as:

In cryptography, a pepper is a something that is added to another value (for example a password) prior to a the value being hashed using a cryptographic hash function. A pepper can be added to a password in addition to a salt value. A pepper performs a similar role to a salt, however whereas a salt is commonly stored alongside the value being hashed, for something to be defined as a pepper, it should meet one of the following criteria that define it a more carefully hidden 'secret' than the salt value:

  • The pepper is held separately from the value to be hashed
  • The pepper is randomly generated for each value to be hashed (within a limited set of values), and is never stored. When data is tested against a hashed value for a match, this is done by iterating through the set of values valid for the pepper, and each one in turn is added to the data to be tested (usually by suffixing it to the data), before the cryptographic hash function is run on the combined value.

Is there a resource that can verify this as an authorative meaning of the term or otherwise? The articles I'm seeing on Goole aren't very authorative on the meaning of the term and are mutually contradictory in cases, so I'm deriving the definition above based on what's seemingly common in the software development community's understanding of the term 'pepper'.

Chris Halcrow
  • 131
  • 3
  • 2
    I've never met the second usage, of pepper as forgotten salt. I can imagine it occurring accidentally when the salt is lost or becomes somewhat ambiguous. But I can't imagine that designed-in, for it seems to have no advantage whatsoever compared to bumping iteration count. – fgrieu Mar 30 '15 at 07:10
  • 1
    @RichieFrame Forgive me, but isn't giving an advantage to systems with more cores the opposite of what you want? The less parallel an attack, the more expensive it becomes. – orlp Mar 30 '15 at 09:20
  • 1
    @orlp not if you are the defender and can make use of multiple cores, as password hashing is generally a single core operation. in this case the pepper forces both the defender and attacker to perform 8 operations, and the defender completes it in the same amount of time as if they had to do 1, but now the attacker will take 8 times longer for each attempt, of which they need to do a substantial quantity – Richie Frame Mar 30 '15 at 10:51

1 Answers1

3

I have found one source that claims to have invented the word "pepper".
-- But this doesn't mean that they were the first or the only inventors. I guess it may have been invented and reinvented several times.

1999 Paper
Kedem, G., & Ishihara, Y. (1999, August 23-26). Brute Force Attack on UNIX Passwords with SIMD Computer. Paper presented at the 8th USENIX Security Symposium, Washington, DC.

They invent "pepper" on page 6 like this: (line breaks added for readability)

The main idea is to add random bits to the password encryption, similar to the “salt” bits that are currently used to protect passwords against dictionary attacks.

We call the new bits: “pepper” bits. Unlike the “salt” bits that are saved with the encrypted password, the pepper bits are used to encrypt the password, but are never saved.

But I think there are likely to be many different definitions of the term "pepper", simply because people know what "salt" is and like to extend analogies.

I don't think K&I's 1999 definition ever really caught on. To me at least, "pepper" is a cryptographic secret, that is stored but stored somewhere else than the salt.

Community
  • 1
StackzOfZtuff
  • 265
  • 2
  • 8