2

I would like to store password digests in structure that contains information how digest were generated; There will be concatenated these three values:

  1. {Name} of hashing functions used for computing HMAC (e.g. SHA256)
  2. {Salt} - randon 32 bytes of key data
  3. {Digest} - derived digest from {Salt} and cryptographic function {Name}

As divider I would like to use "$" (U+0024, DOLLAR SIGN) and encode it into Base64, this encoded value I would like to store in database.

Something like this:

SHA256${...salt data...}${...digest data...}

Reason why to store hashing function name is because backward / forward compatibility (authenticating).

Question - is information about hash function in this structure a security vulnerability? Is hashing function public knowledge?

jnemecz
  • 155
  • 5

2 Answers2

2

is information about hash function in this structure a security vulnerability? Is hashing function public knowledge?

According to Kerckhoffs' principle the adversary is allowed to know everything about the system except the key, and that includes the algorithm itself. Shannon formulated this as "the enemy knows the system".

Assuming that the system is respecting Kerckhoffs' principle, then your question is actually an assumption in the security analysis. But this depends on what kind of analysis was done for the actual system in question.

If we're looking just at the usage of any of the commonly used, state-of-the-art cryptographic functions (e.g. SHA256), then this is not a problem: The knowledge of the algorithm itself is not a vulnerability. Security is based on the key being secret and nothing else.

tylo
  • 12,654
  • 24
  • 39
1

The security of your scheme must never depend on the secrecy of the algorithm. This is known as the Kerckhoff principle. From that, you can directly conclude, that the hashing algorithm you use, can be made public .If not, your system would have big security problems.

Sidenote: The format you are proposing is awfully close to that used by linux systems in the shadow file. Why reinvent the wheel?

mat
  • 2,508
  • 12
  • 28