2

I've seen the term 'key hardened hash' used to describe a recommended way to tighten up password hashing. What does this mean? Can it just mean to use a pepper?

Chris Halcrow
  • 131
  • 4
  • 4
    Can you provide any links to resources you've seen using a key-hardened hash? I've never heard of it before myself, and a quick Google didn't return anything useful.

    On a side note, I think you mean "salt", not pepper. :P

     – Wrycu Mar 16 '15 at 02:16
  • 1
    @Wrycu When a secret key is included in the salt, it can be called pepper - "Some people advice to add a secret key into the mix (sometimes called 'pepper'). Where the pepper is a secret, high entropy, system-specific constant." ( http://security.stackexchange.com/questions/3272/password-hashing-add-salt-pepper-or-is-salt-enough ) – cutrightjm Mar 16 '15 at 04:06
  • 1
    This may also be about HMAC – Henning Klevjer Mar 16 '15 at 09:57
  • 1
    The salt is usually per hash whereas the pepper is something per system. Can be used and setup in many ways, but one concept is that if you grab the hash and salts stored in the db, and don't compromise outside of the db to get the pepper, then the hashes will be nearly impossible to rainbow table / brute force, etc. – Eric G Mar 17 '15 at 17:00
  • 1
    @chris halcrow I would also like to see a link or reference. It may mean pepper or it may have something to do with running it through an HSM - or it may be just another ambiguous non-standard term. – Eric G Mar 17 '15 at 17:01

1 Answers1

1

I'll suggest an answer to my own question. Perhaps I'm essentially helping to define a term that has been introduced elsewhere. If we take the definition of 'hardening' in security as:

hardening is any one of a variety of measures taken to make it more difficult for an intruder to circumvent the authentication process

Then 'key hardening' is any action with the intent of making it more difficult to act against the cryptographic hash function by introducing a cryptographic key that is used with the hash function. The standard means for doing this is using an HMAC https://en.wikipedia.org/wiki/Hash-based_message_authentication_code

Chris Halcrow
  • 131
  • 4