Other than using servers to protect the contents of digests, explain two methods used to protect password digests. Use one example for each method in the explanation.
1. Salting: Salting is a technique that involves adding a random value called a "salt" to the password before hashing it. This salt value is then stored alongside the password digest. By adding a unique salt to each password, even if two users have the same password, their digests will be different due to the individual salts. This technique enhances security because it mitigates against rainbow table attacks, where an attacker precomputes the hash values of common passwords and then looks for matches in stolen password digests.
For example, let's say a user sets their password as "password123". Without salting, the password would be hashed and stored as a digest in the database. However, with a salt, the password could be transformed into something like "password123" + "salt5678" = E21B89B23A6044045E4C7F83D4179DAC and stored alongside the salt value "salt5678". This way, even if another user has the same password, the digest would differ due to the different salts.
2. Key stretching: Key stretching involves applying an algorithm that iteratively performs hashing a specific number of times. This technique aims to make password cracking attempts computationally expensive and time-consuming, as it significantly slows down the hashing process for each user. By repeatedly hashing the digest, the attacker needs significantly more computational resources to crack a password.
For instance, PBKDF2 (Password-Based Key Derivation Function 2) is a commonly used key stretching algorithm. It applies multiple iterations of a cryptographic hash function, such as SHA-256, along with a salt value. Each iteration of the function takes the output of the previous iteration as its input. By repeating this process a certain number of times, the resulting digest becomes much harder to crack.
For example, PBKDF2 with 10,000 iterations might apply the SHA-256 hash function over and over for every iteration. This significantly increases the time and computational resources required to compute the final digest, thereby making it more difficult for an attacker to reverse-engineer the password.