Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Language used in SP800-63b 5.1.1.2 for choosing the salt #1994

Open
sebastien-rosset opened this issue Sep 15, 2021 · 1 comment
Open

Language used in SP800-63b 5.1.1.2 for choosing the salt #1994

sebastien-rosset opened this issue Sep 15, 2021 · 1 comment

Comments

@sebastien-rosset
Copy link

In SP800-63b 5.1.1.2 Memorized Secret Verifiers:

The salt SHALL be at least 32 bits in length and be chosen arbitrarily so as to minimize salt value collisions among stored hashes. Both the salt value and the resulting hash SHALL be stored for each subscriber using a memorized secret authenticator.

This may be a nitpick, but using the word arbitrarily is dissatisfactory. It is not a technical term and it is not defined in the standard. Looking up the word in Merriam Webster:

based on or determined by individual preference or convenience rather than by necessity or the intrinsic nature of something.

existing or coming about seemingly at random or by chance or as a capricious and unreasonable act of will.

(and other definitions that don't help in this context)

It is incongruous to read a sentence about cryptography that indirectly refers to "individual preference", "convenience", "by chance", "capricious" and "seemingly at random".
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sebastien-rosset and others