
I understand the pepper concept of adding but not storing a secret and iterating through the set of possible secret values for verifying.

But is a pepper also useful when key stretching algorithms are already in use?

Key stretching is used to make a (possibly) weak secret more robust against brute force attacks by increasing the validation time. The pepper method has the same purpose. Does it make sense to combine these techniques? Following the important security principle "keep it simple", I would expect that e.g. stretching a password with PBKDF2 and a higher iteration value is better than combining a pepper and PBKDF2. Is this assumption correct, or am I missing an important aspect? Thanks.

User01638

1 Answer


A pepper is similar to a salt, but it is kept secret. So while the salt is stored in the DB the pepper is kept elsewhere, for instance in the code that verifies the password hashes.

A pepper can be used anywhere where a salt is present - mainly PBKDFs: password based key derivation functions. It makes somewhat less sense for KBKDFs: key based key derivation functions, as the input secret of a KBKDF is already a key and you would expect it to be kept secure as it is.

The pepper is not really a method, it is just an addition to the salt. The salt is still required as the pepper is generally static. That would mean that identical passphrases would generate the same password hash or symmetric key.

The pepper doesn't increase the work factor / iteration count (much) but it does make it impossible for an attacker to perform the calculations while the pepper is not known. Basically the pepper acts as a secret key that is required to perform the calculations.

Stretching the password using an iteration count is a different way of protecting the password. These are two different ways of making a PBKDF more secure; they do not directly influence each other.

Maarten Bodewes
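As an added illustration (not code from the question or the answer above), the following Python shows how a per-user salt, a site-wide secret pepper and the PBKDF2 iteration count combine, and contrasts it with the question's variant where a short pepper is never stored and verification must loop over every possible value. The construction (pepper appended to the salt), the iteration count and the pepper length are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed work factor for this demonstration; real deployments tune this.
ITERATIONS = 200_000


def stretch(password: bytes, salt: bytes, pepper: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 with the pepper folded in as an extension of the salt.

    The salt is per-user and stored next to the hash; the pepper is shared by all
    users and kept outside the database (e.g. in application configuration).
    The iteration count and the pepper are independent knobs: iterations raise the
    cost of every guess, the pepper makes guessing impossible without the secret.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt + pepper, iterations, dklen=32)


def make_record(password: bytes, pepper: bytes, iterations: int = ITERATIONS) -> dict:
    """What the database stores: a random salt, the iteration count and the hash.

    The pepper is deliberately absent from the record. Because the pepper is static,
    the salt is still needed so that equal passwords do not produce equal hashes.
    """
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": stretch(password, salt, pepper, iterations)}


def verify(password: bytes, record: dict, pepper: bytes) -> bool:
    """Recompute with the stored salt and the secret pepper; compare in constant time."""
    candidate = stretch(password, record["salt"], pepper, record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def verify_unstored_pepper(password: bytes, record: dict, pepper_bits: int = 8) -> bool:
    """The question's variant: a short random pepper that is stored nowhere.

    Verification has to try every possible pepper value, so the legitimate check
    and an attacker's guess both cost up to 2**pepper_bits PBKDF2 runs. This is
    effectively a second, probabilistic work factor layered on the iteration count.
    """
    width = (pepper_bits + 7) // 8
    for value in range(2 ** pepper_bits):
        if verify(password, record, value.to_bytes(width, "big")):
            return True
    return False
```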