15,741,752 members
See more:
Hi does somebody have some demo code preferably in C# or secondly in Delphi/Pascal on how I could implement Key Strengthening and not Key Stretching like it is explained on Wikipedia.

My Idea was using a random or cryptographic random function to generate x amount of bytes(SALT).
However would I not have to process/hash the SALT and leave some hint as to what the correct answer is. Because how will I brute force the correct random bytes/SALT if I do not leave a clue to what the correct answer is ?

And how do I make the clue in such a way that I the original creator of the random bytes/SALT have an advantage over lets say a competing party which is also trying to brute force the random bytes/SALT.

Also how do I determine the size of x amount of bytes must they always be fixed ? Seeing that the larger the amount of bytes the longer it will take to brute force recreate them.

This is a hypothetical idea I am sitting with not a requirement for any encryption.

Any replies will be welcome.
Posted

## Solution 1

It wouldn't strengthen it.

The reason for the random salt is to prevent creating a rainbow table. If you use a derived salt you would weaken the encryption.

For example, it would render the result of GetSalt("Foo") to be "Bar". But it would always be "Bar"! There is nothing random about it. So there is always just a single salt making it very easy to use rainbow tables again because of the 1 on 1 relation between them.

Good luck!

UweOeder 9-Jun-14 5:31am
I see what you are saying. However I want to truly generate a random salt not derived by the key in anyway. I was thinking more in the lines of random generating a salt. Hashing the salt and encrypting the hash and throwing away the original salt ofter use. In that way anybody attempting to determine the salt would first have to figure out the what is the correct hash before they can determine what is the correct random salt.

## Solution 2

I think I will attempt to solve this in the following way.
Step.1 Get KEY form user.
Step.2 Generate random SALT.
Step.3 Use KEY and SALT for whatever cryptographic purpose.
Step.4 Hash SALT. (Any SHA-3 hash should suffice.)
Step.5 Encrypt Hash with KEY.
Step.6 Permanently delete HASH.

This however forces the user to store the encrypted HASH of the SALT with the newly encrypted text.
I can see no problem with this as the following applies. The SALT is truly random and derived via any method. The HASH of the SALT is encrypted so that any possible attacker would first have to derive the correct HASH without he cannot derive the randomly generated SALT. This will however force the user also to start brute forcing the random SALT as hashing is a one way function.

To the best of my knowledge I think this will work.