Score:0

Crypto

Does my SHA-256 TableSalt algo give away the seed salt?

Babak Farhang

10/11/22, 11:07 PM

The Setup

I have a table of values for which I need to compute a salted hash for each table-cell value. Furthermore, I need the salt for each table cell to be unique and unpredictable. (I can explain what motivates this need later, but for now I don't want to distract from the problem statement.)

Now I don't want to add an extra column per existing column in a table just to store this unique, per-cell salt. So a simple strategy I have in mind is to first generate a secret, secure random 32-byte sequence for the entire table, call it R_32, and then for any given cell compute its salt as the SHA-256 of R_32 concatenated with the cell's row/column coordinates. In pseudo code this look like

tableSalt(row, col) = SHA_256( R_32 + row + col )

where + here is taken to mean byte-string concatenation, not addition. (The row/column coordinates are represented as 8-byte values each.)

Question

In my application it's critical that the secret seed hash R_32 above not be reverse-engineerable, no matter how many different cell-salts from the same table are known. Is the tableSalt procedure above secure in this respect?

1 + 3

hash

salt

sha-256

bk2204

10/11/22, 11:12 PM

I would use HMAC in this case to compute the salt and then use the salt as the key for a second HMAC to compute your salted hash. That will definitely be secure, and it uses more standard techniques that are going to be easier to audit.

Babak Farhang

10/12/22, 12:00 AM

My concern actually lies with any known weaknesses in SHA-256 (deviations from an *ideal* cryptographic hash function) when used with those fixed-width, low-entropy, 16-byte appendages to the seed above. It's that, that worries me.

Meir Maor

10/12/22, 5:03 AM

It's probably ok as is, but HMAC is better, it will ensure sufficient mixing happens after adding the corrdinates, makes it ublikely the different salts will be related in a problematic manner. Also SHA3 is betterr in this regard.

Score:0

Crypto

Meir Maor

10/12/22, 6:44 AM

Is it secure? Yes, as in this basic setup is used elsewhere and I'm unaware of any practical attacks. However SHA256 isn't the best choice. It's basic structure doesn't mix in the suffix as well as we might want. An HMAC structure or simply use SHA3 with a sponge structure would be better but even as written I don't believe the salts will be related in an exploitable fashion.

0 + 4

Babak Farhang

10/12/22, 4:04 PM

Thank you for your answer. I don't have enough karma points to mark your answer up. (Kinda strange, given it's *my* question and I was allowed to post it :) What's this "sponge-structure" you mention? Also, for the purpose of "mixing", is there much advantage in nesting the computation, as in Hash(Hash(content + row) + column)) ?

Meir Maor

10/12/22, 4:27 PM

You can mark as approved. with a check even if you can't upvote. The nesting would mean apply a full hash after adding the low entropy part hash(hash(master seed+row+column)). this is particularly useful for merkel damgard constructs. But SHA3 it probably isn't needed it is: https://en.m.wikipedia.org/wiki/Sponge_function

Babak Farhang

10/12/22, 5:10 PM

Thanks very much for the link and the pointer about the ability to mark a closing answer. Re *hash(hash(master seed+row+column))* instead of *hash(hash(master_seed + row) + column)* Was that a typo? Cuz I always thought the hash of a hash is no more secure than the original hash.

Meir Maor

10/12/22, 7:53 PM

It'a not equivalent because it gets the high entropy seed mixed in more thoroughly. but what I wrote wad in fact not "correct"/best it should be like hmac. hash(seed + hash(seed+location)). But really since I can't actually attack even your original formulation these improvements may not be necessary.