49

In the question about real vs. fake salt, the answers describe how real salt 'perturbs the encryption algorithm.' I know roughly how initialization vectors work; is this the same concept, or something different entirely?

Community
  • 1
Bryan Agee
  • 1,186
  • 1
  • 10
  • 17

2 Answers2

60

A salt and an initialization vector are mostly the same thing in the following sense: they are public data, which should be generated anew for each instance (each hashed password, each encrypted message). A salt is about being able to use the same password several times without opening weaknesses; or, if you prefer, preventing an attacker from sharing password attack costs in case the same password could have been used on several instances -- which is all what precomputed (rainbow) tables are about. The point of an IV in, say, symmetric encryption with CBC, is to tolerate the use of the same key to encrypt several distinct messages.

The name "initialization vector" hints at a repetitive process over a given internal state, the IV being what the state is initialized at. For instance, the MD5 hash function is defined as repeated action of a compression function which takes as input the current state (128 bits) and the next message block (512 bits), and outputs the next state value; at the beginning, the state is initialized to a conventional value which is called "the IV". In that sense, most "salts" used in password processing are not "initialization vectors". But this is a bit of an overinterpretation of the expression.

Still, naming things is mostly a matter of Tradition. A "salt" is a kind of IV which:

  • is involved in some processing of a password;
  • should be distinct for each processing instance (it cannot be a fixed conventional value);
  • only needs uniqueness ("it is not repeated"), not uniform selection among the space of possible salts (although uniform random selection is a good and cheap way to get uniqueness with overwhelming probability, assuming that the salts are long enough).

The particulars (how the salt/IV is exactly inserted and at what point in the algorithm) are a red herring.

Community
  • 1
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • 6
    It took me a long time to understand MD5 as a statefull compression algorithm, and you've just given that hard won knowledge away in one nice sentence! Now everyone will think cryptography is easy because you explain it too well. – this.josh Aug 10 '11 at 07:24
  • 2
    I'm still confused. If I encrypt using AES-CBC with a constant IV but prepend a salt to the message, is this the same as encrypting using a random IV and not prepending a salt to the message? – Didier A. Mar 07 '14 at 22:07
  • 3
    @didibus: It is not _exactly_ the same, but it looks like it. If you use a fixed IV _v_ and prepend a 16-byte salt _s_, then the overall effect for the remaining of the data is equivalent to an IV _v'_ = AES(_v_ xor _s_). Since AES is a permutation on 16-byte blocks, that _v'_ is as uniformly distributed (and unpredictable) as _s_ was. – Thomas Pornin Mar 08 '14 at 12:39
3

The answer above is correct when "salt" is discussed in the context of passwords. However, the term "salt" is also used for other uses of random but non-secret values.

For a very rigorous treatment of salt, pertaining to randomness extractors, read Cryptographic Extraction and Key Derivation: The HKDF Scheme. There is some theory there as to why the use of salt is mandatory to obtain generic randomness extractors - although this is not terribly relevant in the case of passwords.

Nakedible
  • 4,501
  • 4
  • 25
  • 22