TL;DR
Modifying a salt after it’s been used to generate pseudo-random numbers will break the security of that randomness. The salt is crucial for initialising the random number generator, and any change invalidates previous outputs. You need to generate a new salt and re-generate all affected values.
Understanding Salts & Pseudo-Randomness
Salts are random values added to passwords (or other data) before hashing them. In pseudo-random number generation, the ‘salt’ is actually a seed value. This seed starts the process of creating a sequence of numbers that appear random but are determined by an algorithm.
Why Modification Breaks Randomness
- Initialisation: The salt (seed) tells the pseudo-random number generator where to start in its sequence.
- Deterministic Nature: Pseudo-random generators aren’t truly random; they are algorithms. Given the same seed, they will always produce the same sequence of numbers.
- Impact of Change: If you change the salt after generating numbers, you’ve effectively changed the starting point. The previous sequence is no longer valid or predictable from the new state.
Step-by-Step Solution
If your salt has been modified, follow these steps:
- Identify Affected Data: Determine all data that was generated using the original (now modified) salt. This is often the hardest part!
- Generate a New Salt: Create a new, truly random salt value. The length and source of randomness are important – use a cryptographically secure random number generator.
    import secrets
    salt = secrets.token_hex(16)  # Generates a 32-character hex string
- Re-generate All Data: Re-create all the data that used the original salt, using the new salt instead. This is essential for maintaining security.
- Update Storage (if applicable): If you stored any information related to the pseudo-random numbers (e.g., indices in a sequence), update it to reflect the re-generation with the new salt.
- Discard Old Data: Securely delete all data generated using the original, modified salt. Do not keep it!
Example Scenario
Let’s say you used a salt to generate session IDs for users. If that salt is compromised or changed after some IDs are created:
- All existing session IDs are potentially predictable.
- You must invalidate all old session IDs and issue new ones generated with the new salt.
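The steps and the session-ID scenario above, worked through as an added example (not code from the original page). It assumes values are derived from the salt with HMAC-SHA256 over a counter, a stand-in for whatever generator is actually in use; `derive`, `find_affected` and `rotate` are hypothetical names, and the sample salt is constructed.

```python
import hashlib
import hmac
import secrets


def derive(salt: bytes, index: int) -> str:
    """Value number `index` for this salt; HMAC over a counter is an assumed generator."""
    return hmac.new(salt, index.to_bytes(8, "big"), hashlib.sha256).hexdigest()


def find_affected(store: dict[int, str], salt: bytes) -> list[int]:
    """Step 1: indices whose stored value no longer matches the current salt."""
    return [i for i, value in sorted(store.items())
            if not hmac.compare_digest(value, derive(salt, i))]


def rotate(store: dict[int, str]) -> tuple[bytes, dict[int, str]]:
    """Steps 2-5: fresh CSPRNG salt, every value re-generated, old values dropped."""
    new_salt = secrets.token_bytes(16)  # 16 bytes / 128 bits
    new_store = {i: derive(new_salt, i) for i in store}
    store.clear()  # discard everything tied to the old salt (in-memory only here)
    return new_salt, new_store


def demo() -> dict:
    original = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample salt
    store = {i: derive(original, i) for i in range(5)}  # values issued earlier
    old_values = set(store.values())
    # Same salt, same sequence: nothing is flagged.
    clean = find_affected(store, original)
    # One flipped bit in the salt: every stored value stops matching.
    modified = bytes([original[0] ^ 0x01]) + original[1:]
    affected = find_affected(store, modified)
    new_salt, new_store = rotate(store)
    return {
        "clean": clean,
        "affected": affected,
        "old_store_empty": not store,
        "reissued_ok": find_affected(new_store, new_salt) == [],
        "no_value_reused": old_values.isdisjoint(new_store.values()),
    }


if __name__ == "__main__":
    print(demo())
```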
Important Considerations
- Cryptographically Secure Randomness: Always use a cryptographically secure random number generator (like Python’s secrets module or similar in other languages) to create your salts. Avoid predictable sources of randomness like timestamps or counters.
- Salt Length: Use sufficiently long salts (at least 16 bytes/128 bits is recommended).
- Regular Rotation: Consider rotating your salts periodically as a security best practice, even if they haven’t been compromised. This limits the impact of potential future compromises.
Cyber Security Implications
Compromising or modifying a salt used in pseudo-random number generation can lead to serious cyber security vulnerabilities, including:
- Predictable Session IDs: Allowing attackers to hijack user sessions.
- Weak Nonces: Making cryptographic operations vulnerable to attacks.
- Data Integrity Issues: If the pseudo-random numbers were used for data validation or encryption keys.