A storage-as-a-service company implements both encryption at rest and encryption in transit for customers’ data. The security administrator is concerned with the overall security of the encrypted customer data stored by the company servers and wants the development team to implement a solution that will strengthen the customer’s encryption key. Which of the following, if implemented, will MOST increase the time an offline password attack against the customers’ data would take?
A. key = NULL; for (int i=0; i<5000; i++) { key = sha(key + password) }
B. password = NULL; for (int i=0; i<10000; i++) { password = sha256(key) }
C. password = password + sha(password+salt) + aes256(password+salt)
D. key = aes128(sha256(password), password))
Answer: A