Page 468 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
on a system in hashed form.
Specialized, scalable computing hardware designed specifically for
the conduct of brute-force attacks may greatly increase the
efficiency of this approach.
Salting Saves Passwords
Salt might be hazardous to your health, but it can save your
password! To help combat the use of brute-force attacks, including
those aided by dictionaries and rainbow tables, cryptographers
make use of a technology known as cryptographic salt.
The cryptographic salt is a random value that is added to the end of
the password before the operating system hashes the password.
The salt is then stored in the password file along with the hash.
When the operating system wishes to compare a user’s proffered
password to the password file, it first retrieves the salt and appends
it to the password. It feeds the concatenated value to the hash
function and compares the resulting hash with the one stored in
the password file.
Specialized password hashing functions, such as PBKDF2, bcrypt,
and scrypt, allow for the creation of hashes using salts and also
incorporate a technique known as key stretching that makes it
more computationally difficult to perform a single password guess.
The use of salting, especially when combined with key stretching,
dramatically increases the difficulty of brute-force attacks. Anyone
attempting to build a rainbow table must build a separate table for
each possible value of the cryptographic salt.
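The following Python example is added here to illustrate the sidebar above; it is not code from the study guide. It contrasts an unsalted single hash (identical passwords produce identical hashes, which is what makes precomputed rainbow tables work) with PBKDF2-HMAC-SHA256, which takes the salt as a separate parameter rather than literally appending it and stretches the work with an iteration count. The stored record (salt, iteration count, derived hash) and the 100,000-iteration work factor are assumed values chosen for the example; verification recomputes the hash with the stored salt and compares it in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Key-stretching work factor: an assumed value for this example, not a
# recommendation taken from the study guide. Higher is slower per guess.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Single unsalted SHA-256 digest: the weak baseline.

    Two users with the same password get the same digest, so one
    precomputed (rainbow) table breaks every account at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Salt and stretch a password with PBKDF2-HMAC-SHA256.

    Returns the record that belongs in the password file: the salt,
    the iteration count and the derived hash, never the password itself.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive the hash with the stored salt and iteration count.

    hmac.compare_digest avoids leaking how many leading bytes matched
    through timing differences.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def salted_hashes_differ(password: str) -> bool:
    """Store the same password twice; the random salts make the hashes
    differ, so a table built for one salt is useless against the other."""
    first = hash_password(password)
    second = hash_password(password)
    return first["salt"] != second["salt"] and first["hash"] != second["hash"]


if __name__ == "__main__":
    # Constructed sample password for demonstration only.
    pw = "correct horse battery staple"
    print("unsalted digests equal:", unsalted_hash(pw) == unsalted_hash(pw))
    print("salted digests differ:", salted_hashes_differ(pw))
    record = hash_password(pw)
    print("verify correct password:", verify_password(pw, record))
    print("verify wrong password:", verify_password("wrong", record))
```

Running the script shows the two properties the sidebar describes: the unsalted digests of identical passwords collide, while the salted, stretched records differ even for the same password, and verification only succeeds for the original password. In practice the iteration count should be tuned to the hardware so that a single guess costs a noticeable fraction of a second.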
Frequency Analysis and the Ciphertext Only Attack
In many
cases, the only information you have at your disposal is the encrypted
ciphertext message, a scenario known as the ciphertext only attack. In
this case, one technique that proves helpful against simple ciphers is
frequency analysis—counting the number of times each letter appears
in the ciphertext. Using your knowledge that the letters E, T, A, O, I, N

