TransWikia.com

Difference between server salt and client salt?

Cryptography Asked by John Chen on December 14, 2020

Basically I am trying to understand the difference between server salt and client salt. I know that the client salt is used to make encryption harder for hackers, but I can’t seem to grasp the concept of a server salt. Does anyone know?

One Answer

Disclaimer: The following is tentative. Before the question I did not know about client salt.

The client salt is combined on the client side with the password. When that's used, the client no longer sends the password, but a password-equivalent obtained by hashing. Client salt is often deterministic and near-public, e.g. <DNS of the realm, converted to uppercase> | <user name> (other reference). The client salt's role is that compromise of what the client stores or sends, or what the server receives, does not leak the password (other than by exhaustive search requiring a new effort for each user).

The server salt is combined on the server side with the password (or the password-equivalent resulting from a password hash with the client salt on the client side, as above). A common practice is that server salt is random, and secret in whole or part (in which case that's pepper). The server salt's role is that compromise of what the server stores does not leak the password (or other information allowing login such as the above password-equivalent) other than by exhaustive search requiring a new effort for each user and server. Using pepper splits the information necessary to carry out this attack in two: the hashed passwords+salts (typically in a database), and the pepper (typically in a config file or source fragment).

Answered by fgrieu on December 14, 2020
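The two-stage scheme the answer describes, as an added example that is not part of the original answer: the client derives a password-equivalent from the password and a deterministic salt of the form `<REALM>|<username>`, and the server hashes that password-equivalent with a random per-user salt and then keys the result with a secret pepper held outside the database. The realm, user name, candidate password list and the PBKDF2 iteration counts are constructed for illustration; real deployments would use far higher iteration counts (or a memory-hard function) and a pepper kept in a config file or secret store, never next to the records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration counts are deliberately low so the example runs fast; use far higher values in production.
CLIENT_ITERS = 1000
SERVER_ITERS = 1000


def client_salt(realm: str, username: str) -> bytes:
    """Deterministic, near-public client salt: <REALM>|<username> (realm upper-cased)."""
    return f"{realm.upper()}|{username}".encode()


def client_derive(realm: str, username: str, password: str) -> bytes:
    """Runs on the client. The password never leaves the client; this value does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), client_salt(realm, username), CLIENT_ITERS)


def server_enroll(password_equivalent: bytes, pepper: bytes, server_salt: Optional[bytes] = None) -> dict:
    """Runs on the server at registration. The returned record goes in the database;
    the pepper stays in configuration, so a database dump alone is not enough to test guesses."""
    if server_salt is None:
        server_salt = os.urandom(16)  # random per-user server salt, stored in clear
    digest = hashlib.pbkdf2_hmac("sha256", password_equivalent, server_salt, SERVER_ITERS)
    tag = hmac.new(pepper, digest, "sha256").digest()  # pepper applied as an HMAC key
    return {"server_salt": server_salt, "tag": tag}


def server_verify(record: dict, password_equivalent: bytes, pepper: bytes) -> bool:
    """Runs on the server at login; constant-time comparison of the recomputed tag."""
    digest = hashlib.pbkdf2_hmac("sha256", password_equivalent, record["server_salt"], SERVER_ITERS)
    expected = hmac.new(pepper, digest, "sha256").digest()
    return hmac.compare_digest(expected, record["tag"])


def offline_guess(record: dict, realm: str, username: str, candidates: list, pepper: bytes) -> Optional[str]:
    """Attacker holding a stolen database record. Each candidate costs the full client-side
    and server-side derivation for this one user, and a wrong pepper confirms nothing."""
    for candidate in candidates:
        equivalent = client_derive(realm, username, candidate)
        if server_verify(record, equivalent, pepper):
            return candidate
    return None


def recover_from_equivalent(captured: bytes, realm: str, username: str, candidates: list) -> Optional[str]:
    """Attacker who captured the password-equivalent in transit. It is not the password,
    and recovering the password is again a per-user exhaustive search over candidates."""
    for candidate in candidates:
        if hmac.compare_digest(client_derive(realm, username, candidate), captured):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values, not from any real system.
    PEPPER = b"server-side secret kept in config, not in the database"
    realm, user, password = "example.com", "alice", "correct horse battery staple"

    equivalent = client_derive(realm, user, password)      # what the client sends
    record = server_enroll(equivalent, PEPPER)             # what the database stores
    print("login ok:", server_verify(record, equivalent, PEPPER))

    wordlist = ["password", "letmein", "correct horse battery staple"]
    print("db only, wrong pepper:", offline_guess(record, realm, user, wordlist, b"guessed pepper"))
    print("db plus pepper:", offline_guess(record, realm, user, wordlist, PEPPER))
    print("captured equivalent:", recover_from_equivalent(equivalent, realm, user, wordlist))
```

The split the answer mentions is visible in `offline_guess`: the stolen record plus a wrong pepper yields nothing, while the record plus the real pepper reduces the attacker to a per-user dictionary search. Changing the realm or the user name changes the client salt, so a password-equivalent captured for one realm cannot be replayed against another realm using the same password.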
