May 11, 2021

What is the simplest way to explain the behavior and the mathematics around rainbow tables?


This topic contains 1 reply, has 2 voices, and was last updated by  EvadableMoxie 1 month ago.

  • #382047


    Docs and references are welcome

  • #382048


    An ELI5 version: Imagine you have a student who wants to be able to answer simple multiplication questions from their teacher as quickly as possible. So they take a big piece of graphing paper and put 1 through 10 in the rows and 1 through 10 in the columns. Then in each box they write the result of the row multiplied by the column. It takes a lot of time, but eventually the student calculates out every possibility and completes the chart.

    Now the next day in class the teacher asks “What’s 7 x 4?” and the student doesn’t actually have to do any math now. They just look at the box for 7 x 4 and immediately provide the answer. This way they can answer the teacher’s questions really, really fast. The downside is that they need to keep the table on them at all times.

    This is kind of how rainbow tables work, although it would be more accurate to say the teacher says “28” and then the student looks at each box until he finds 28 and then answers “7 x 4”.

  • #382049


    it’s trading computation work for storage space

  • #382050


    The level of math in rainbow tables is sufficiently low enough that most people don’t consider it math.

  • #382052


    Are rainbow tables even relevant today?

    Sure, if you’re just encrypting the password in the database and the attacker knows the password algorithm… So, I guess this is for an internal attack?

    But, the next step is to just save the Hash of the password, hashes are typically longer, if you are using SHA256+. And again the attacker needs to know the hash algorithm used.

    And third, today there’s a salt value added to the password, so that there are no weak passwords, and you store the salt and the hash. This makes rainbow attacks impossible: long hashes, passwords that aren’t words, and the salt is random.

    Also, you need to be able to hit the front door of a site a huge number of times. And that’s not allowed today.

    ( I think. )
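A toy rainbow table in Python, added here as an illustration (not code from any poster). It goes one step beyond the multiplication-grid picture above: instead of storing every (password, hash) pair, it stores only the start and end of hash/reduce chains, which is the computation-for-storage trade-off mentioned earlier, and the last function shows the same table missing once a per-user salt is mixed into the hash. Assumptions: a constructed 3-letter lowercase password space, SHA-256, a simple modular reduction function, and made-up chain starting points and salt.

```python
import hashlib
import string

# Toy password space (constructed for this demo): 3 lowercase letters, 26^3 = 17,576 candidates.
ALPHABET = string.ascii_lowercase
LENGTH = 3
CHAIN_LEN = 50  # hashes per chain; the table stores 1 entry per chain instead of CHAIN_LEN

def h(password: str, salt: str = "") -> str:
    """SHA-256 of salt||password as hex. Unsalted when salt is empty."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def reduce_fn(digest: str, step: int) -> str:
    """Map a digest back into the password space; mixing in the step index is the 'rainbow' part."""
    n = int(digest, 16) + step
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def build_table(starts):
    """Precompute chains; keep only endpoint -> [start, ...] (the storage side of the trade-off)."""
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_fn(h(pw), step)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table, target: str):
    """Recover a password for `target` if it lies on a stored chain, else None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):   # guess which column the target hash sits in
        pw = reduce_fn(target, pos)
        for step in range(pos + 1, CHAIN_LEN):  # walk the rest of the chain to its endpoint
            pw = reduce_fn(h(pw), step)
        for start in table.get(pw, []):         # candidate chains (may be false alarms)
            pw2 = start
            for step in range(CHAIN_LEN):       # regenerate from the start to find the pre-image
                if h(pw2) == target:
                    return pw2
                pw2 = reduce_fn(h(pw2), step)
    return None

def demo():
    table = build_table(["abc", "kit", "pwd", "zzz"])   # constructed chain starting points
    unsalted = lookup(table, h("kit"))                  # table reverses the plain hash
    salted = lookup(table, h("kit", salt="s4lt"))       # per-user salt: the same table misses
    return unsalted, salted
```

Building the table costs 4 chains x 50 hashes, but only 4 endpoints are stored; a lookup then spends at most a few thousand hash operations instead of 17,576.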

  • #382053


    It’s a precomputed brute force algorithm that enumerates every possibility a user might store their password as. A lot of computation is done up front for faster results later.
