Error Generating Key Null Salt

Posted on  by

Players should dodge to avoid receiving massive damage, especially since these attacks can overlap and potentially wipe the party.Aetherpath. Route of Aetherpath through the Twilight Arbor. Guild wars access key generator. If your party decides to go after the Aetherblades, you'll continue directly to the Aetherpath rather than pass through the Reception Hall.

  1. Error Generating Key Null Salt Lake
  2. Error Generating Key Null Salt Chart
  3. Error Generating Key Null Salt Point
By: K. Brian Kelley Updated: 2014-07-25 Comments (6) Related: More >Security

The salt generation is as the example in the question. You can convert text to byte arrays using Encoding.UTF8.GetBytes(string). If you must convert a hash to its string representation you can use Convert.ToBase64String and Convert.FromBase64String to convert it back.

  1. The salt should be randomly generated. Since the salt should be randomly generated, this eliminates basic functions derived from date/time or anything of that sort. SQL Server does have a RAND function, which does serve as random number generator. In addition, it can be seeded.
  2. Return salt.toString; You are generating the salt by using “SHA1PRNG” but while returning you are sending the hashcode of salt. So all the efforts made to generate the secure random salt is ruined. Instead construct new string from the salt and return. Private static String getSalt throws NoSuchAlgorithmException.
  3. The salt generation is as the example in the question. You can convert text to byte arrays using Encoding.UTF8.GetBytes(string). If you must convert a hash to its string representation you can use Convert.ToBase64String and Convert.FromBase64String to convert it back.
  4. Never reuse a salt. The salt also needs to be long, so that there are many possible salts. As a rule of thumb, make your salt is at least as long as the hash function's output. The salt should be stored in the user account table alongside the hash. To Store a Password. Generate a long random salt using a CSPRNG.

Problem

I am trying to store password hashes in SQL Server. I know I can generate those hashes using the HASHBYTES() function, but I don't see where it takes a salt. I've been told it's good to have a salt. Is there an easy way to do this?

Solution

Indeed there is. However, first, a caveat. If you can, you want to generate the hash in the application. If you don't, there is the potential for a DBA to be able to see the password using SQL Profiler, a server side trace, or through Extended Events. HASHBYTES() doesn't cause these mechanisms to hide the T-SQL that was passed, as can be seen here: Generate rsa public key.

If you can't do this at the application layer, here's how to do it entirely within SQL Server.

What to Use as a Salt the SQL Server HASHBYTES() function

If you're not familiar with what the salt is when it comes to cryptographic functions, it's basically something added to whatever we're trying to encrypt to make it harder to decrypt the data (two way functions, like symmetric and asymmetric key functions) or find a collision (one way functions, AKA hash functions). The salt should be potentially different for every single piece of encrypted data. The salt should be randomly generated.

Since the salt should be randomly generated, this eliminates basic functions derived from date/time or anything of that sort. SQL Server does have a RAND() function, which does serve as random number generator. In addition, it can be seeded. However, it's a pseudo-random number generator. If you give it the same seed, it'll produce the same results. Therefore, we'll want our potential seed value range to be large.

We can use the time, specifically the hour, minute, second, and millisecond values to generate a reasonable large seed value pool. It is not perfectly random, but nothing ever is when it comes to these functions. Most of the random number generator functions work off of the computer clock and we're basically using that in order to generate the values for our salt. That leads to something like:

Note that I'm generating the seed value by shifting hour, minute, and second values over by powers of ten. Then I'm using the RAND() function to generate a text string of 25 characters. This will be our salt.

Putting It All Together

With the salt generated, it's a simple matter of concatenating the salt and the password, then submitting the combined string into HASHBYTES(). This results in a solution which will store both the salt and the salt+password hash:

As for verification, we'll need to basically repeat the same steps, except we'll retrieve the stored salt from the database.

Testing the Solution

Error Generating Key Null Salt Lake

We can test it both with a relatively normal sized password and with the longest password allowed.

If we get a zero on the return from the stored procedure, we have a match. With a value of 1, we don't. Therefore, if we just run the verification test all at once, we get:

Next Steps
  • Read up on the hashing algorithms presented by HASHBYTES() so you can choose the correct one.
  • Learn how to use authenticators for other forms of encryption within SQL Server.
  • Know how to restrict what the DBAs see with respect to data that needs to be encrypted.

Last Updated: 2014-07-25

Error Generating Key Null Salt Chart





About the author
K. Brian Kelley is a SQL Server author and columnist focusing primarily on SQL Server security.
View all my tips

Error Generating Key Null Salt Point