3

For optimum security, a random salt should be chosen for PBKDF2.

I came across a scenario where I produce a hash of a random file that serves as the "password". Due to the nature of files, this has similar entropy issues as a "normal" password.

What would happen now if I decided to take the same (low-entropy) hash as the salt, too? Is there a known attack on this? Of course, in this scenario the salt would be kept secret. But still, since it is not entirely random, does this compromise the overall security, and if so, how badly? I know that for example "key as IV" severely compromises certain ciphers, so I'm afraid it could do harm in this situation, too.

David Cary
emboss

1 Answer

4

Using the password itself (or anything similarly predictable) instead of an independent random value as the salt denies the whole benefit of salt:

  • Same passwords (passphrases) now give the same key, instead of a different one. So, if two users happen to choose the same favorite image as their password, they get the same key, and thus an attacker can use this fact to get the key more easily.
  • If an attacker brute-forces your "password" database, he can attack multiple passwords in parallel, since they don't use different (independent) salts.

If you have a way to generate good quality random numbers (which should be the case on every normal personal computer), generate a random salt and put it at the start of your encrypted file (like a normal initialization vector).

Paŭlo Ebermann
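To make the answer's two points concrete, here is an added example (not code from the question or the answer) using only Python's standard library. It derives keys for two users who picked the same file, once with the file hash reused as the salt and once with an independent random salt stored in front of the output; the file bytes, iteration count and the "ciphertext" placeholder are constructed for the demo.

```python
import hashlib
import os

# Constructed parameters: a small iteration count keeps the demo fast.
ITERATIONS = 10_000
KEY_LEN = 32
SALT_LEN = 16


def file_password(file_bytes: bytes) -> bytes:
    """The 'password' from the question: a hash of the chosen file."""
    return hashlib.sha256(file_bytes).digest()


def derive_key(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, KEY_LEN)


def key_with_password_as_salt(file_bytes: bytes) -> bytes:
    """The scheme asked about: the password hash doubles as the salt.
    The result is fully determined by the file, so equal files -> equal keys."""
    pw = file_password(file_bytes)
    return derive_key(pw, pw)


def derive_with_random_salt(file_bytes: bytes) -> tuple:
    """The answer's recommendation: an independent random salt per derivation.
    Returns (salt, key); the salt is stored at the start of the output."""
    salt = os.urandom(SALT_LEN)
    return salt, derive_key(file_password(file_bytes), salt)


def key_from_stored_file(file_bytes: bytes, stored: bytes) -> bytes:
    """Re-derive the key from a stored blob laid out as salt || ciphertext."""
    salt = stored[:SALT_LEN]
    return derive_key(file_password(file_bytes), salt)


def pbkdf2_runs_to_cover_users(candidate_files, user_keys) -> int:
    """Cost view of the flawed scheme: with the password as salt, one PBKDF2
    run per candidate file is checked against every user's key at once, so
    the work does not grow with the number of users (the answer's point 2)."""
    table = {key_with_password_as_salt(f): f for f in candidate_files}
    matched = sum(1 for k in user_keys if k in table)
    return len(candidate_files) if matched == len(user_keys) else -1
```

With a random salt the same table would have to be rebuilt per user, because each user's salt changes the PBKDF2 input.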