HASHBYTES

  • very good question with a complex understanding (when is necessary translate for another language)! 😀

    today, I learned anything!!!


    [font="Times New Roman"]rfr.ferrari[/font]
    DBA - SQL Server 2008
    MCITP | MCTS

    remember is live or suffer twice!
    the period you fastest growing is the most difficult period of your life!
  • Thanks for the question. Hoever, I got it wrong because I used this source:

    http://msdn.microsoft.com/en-us/library/cc837966(SQL.100).aspx

    which says:

    "It is not possible to specify the salt value in SQL Server."

    Can someone please expain why this is wrong? Or why I have interpreted it incorrectly. Thanks!

    [font="Verdana"]Please don't go. The drones need you. They look up to you.[/font]
    Connect to me on LinkedIn

  • GPO (2/8/2012)


    The SALE string? This confused me! 😛

    Yeah, I decided SALE had to be a typo for SALT. (If that isn't want happened, someone please yell... I'm still assuming.)

  • ma-516002 (2/9/2012)


    Find some thoughts about this topic here:

    http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/6002f5a4-19a0-4a11-a569-e112375d3efa/%5B/quote%5D

    I hope no-one who reads that thread gets confused and is infected by this crazy notion that Hashbytes does internal salting! As Russel Fields points out: "HASHBYTES does not, in itself, use a salt key" - but despite that clear (and accurate) statement the OP (Dboy888) remained unconvinced.

    Anyone who wants to can use the MDn or SHA1 servers available on the web to caculate some hashes, and then calculate the same hashes using hashbytes: they will find that hashbytes produces the same standard results as the things on the web - so clearly there is no salting going on in there.

    Tom

  • Blimey - a question I could answer correctly without needing to do some reading first!

  • Thomas Abraham (2/9/2012)


    Thanks for the question. Hoever, I got it wrong because I used this source:

    http://msdn.microsoft.com/en-us/library/cc837966(SQL.100).aspx

    which says:

    "It is not possible to specify the salt value in SQL Server."

    Can someone please expain why this is wrong? Or why I have interpreted it incorrectly. Thanks!

    That quote comes from a section in whch the topic is encryption and encrypted data; SQL Server encryption always uses a random salt.

    Hashbytes is a hashing function, not an encryption function - so this statement about encryption doesn't apply to it. And since many common uses of the hash functions it supports require unsalted hashes (for example hashing to reduce query cost for encrypted data - see the methods of doiong this described towards the end of that paper) it can't salt behind the scenes: if your application needs salting you can do it yourself by including the salt in the string passed to the hash function; another reason it doesn't salt behind the scenes is that it wants to conform to the various standard functions that it supports (MD2, MD4, MD5, SHA, SHA1, and soon SHA2-256 and SHA2-512).

    Tom

  • L' Eomot Inversé (2/9/2012)That quote comes from a section in whch the topic is encryption and encrypted data ...

    Thanks! It's as I suspected. I took it out of context due to haste. I appreciate you taking the time to sort me out.

    [font="Verdana"]Please don't go. The drones need you. They look up to you.[/font]
    Connect to me on LinkedIn

  • At first figured that either "you cannot add a salt", or the correct answer. Flipped a coin and well ... lost the point ... teach me not to gamble.

    In all sincerity, thanks Steve for a good question, learned something

    If everything seems to be going well, you have obviously overlooked something.

    Ron

    Please help us, help you -before posting a question please read[/url]
    Before posting a performance problem please read[/url]

  • Interesting question, and an interesting bit of reading. However

    That quote comes from a section in whch the topic is encryption and encrypted data; SQL Server encryption always uses a random salt.

    How can SQL Server use a random salt and still have reproduceable results? Am I getting some concepts confused here?

  • I'm with the folks who say that concantenating two strings is @input, not a separate "parameter". We need to be using the common definition of parameter here.

  • The question could have been worded a bit better but a good question none the less and an interesting discussion as always.

  • The SALE definitely confused me as well. I couldn't force myself to believe that it would be a typo. It goes to show we are all human. I should have went with my gut instinct and chose that answer anyway.

  • What is a SALE string? I don't understand that terminology.

  • Not too many people did. Thats why a lot of people answered the question wrong.

  • thanks for the question.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

Viewing 15 posts - 16 through 30 (of 64 total)

You must be logged in to reply to this topic. Login to reply