Remix clone Hacker News

new | show | ask | jobs Github

	▲	kbolino 9 days ago
		There are at least as many ways to pepper as there were to salt before salts became integral to the definition of a good KDF. To wit: `KDF(password, salt XOR pepper, ...) KDF(password + pepper, salt, ...) KDF(password, AES128(salt, pepper), ...) KDF(HMAC-SHA256(password, pepper), salt, ...) ...` And no, you cannot always pepper. To use a pepper effectively, you have to have a secure out-of-band channel to share the pepper. For a lot of webapps, this is as simple as setting some configuration variable. However, for certain kinds of distributed systems, the pepper would have to be shared in either the same way as the salt, or completely publicly, defeating its purpose. Largely these are architectural/design issues too (and in many cases, bcrypt is also the wrong choice, because a KDF is the wrong choice). I already alluded to the Okta bcrypt exploit, though I admit I did not fully dig into the details. The HMAC-SHA256 construction I showed above, and similar techniques, accomplishes both transforming the input and peppering the hash. However, the others don't transform the input at all or, in one case, transform it in a way even worse for bcrypt's use.