In nature the mineral called salt is a preservative. Prior to the age of refrigeration, mankind used this valuable resource to slow decomposition and extend the time in which preserved food could be eaten. The same mineral is also used to enhance the flavor of food. What is a potato chip without salt? When it comes to data security the use of salt is slightly different in execution, although very similar in concept.
One-way hash functions, such as SQL Server's HashBytes, are a valuable alternative to two-way encryption methods that require key management: the digest can be stored and compared, but the plain text cannot be recovered from it. Used straight out of the box, however, HashBytes has its weaknesses. One is the dictionary attack, in which an attacker hashes a list of common words or likely values and compares each result to the stored digests. Once there is a match, the secret has been revealed.
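The dictionary attack described above, as an added example that is not part of the original article. It is T-SQL for SQL Server; the temporary table names, the three sample secrets and the four-word list are constructed for the demonstration:

```sql
-- Added example (not from the original article): a dictionary attack
-- against unsalted HashBytes values in SQL Server.  Table and column
-- names are hypothetical; the secrets and word list are constructed.

CREATE TABLE #Secrets (
    SecretId    INT           NOT NULL PRIMARY KEY,
    SecretHash  VARBINARY(20) NOT NULL   -- a SHA1 digest is 20 bytes
);

-- Hash some plain-text values without a salt.  HashBytes hashes the raw
-- bytes of its argument, so VARCHAR and NVARCHAR inputs of the same text
-- produce different digests; this example uses VARCHAR throughout.
INSERT INTO #Secrets (SecretId, SecretHash) VALUES
    (1, HASHBYTES('SHA1', CONVERT(VARCHAR(100), 'password'))),
    (2, HASHBYTES('SHA1', CONVERT(VARCHAR(100), 'letmein'))),
    (3, HASHBYTES('SHA1', CONVERT(VARCHAR(100), 'Xq7$pLm2!vR')));  -- not in the word list

-- The attacker's word list, hashed once up front.  This precomputation is
-- the whole point: it is done once and reused against every stored digest.
CREATE TABLE #Dictionary (
    Word      VARCHAR(100)  NOT NULL PRIMARY KEY,
    WordHash  VARBINARY(20) NOT NULL
);
INSERT INTO #Dictionary (Word, WordHash)
SELECT w.Word, HASHBYTES('SHA1', w.Word)
FROM (VALUES ('password'), ('letmein'), ('123456'), ('qwerty')) AS w(Word);

-- A single join over the precomputed list recovers every row whose plain
-- text is in the list; a row survives only if its value is not there.
SELECT s.SecretId, d.Word AS RecoveredPlainText
FROM #Secrets AS s
JOIN #Dictionary AS d ON d.WordHash = s.SecretHash
ORDER BY s.SecretId;

DROP TABLE #Dictionary;
DROP TABLE #Secrets;
```

The join returns the first two rows with their plain text; the third row is not recovered because its value is absent from the list, which is the only thing protecting it. Note the data-type caveat in the comments: if the application hashes an NVARCHAR value and the check hashes a VARCHAR one, the digests will not match even though the text is identical.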
To protect hashed values from dictionary attacks a "salt" is invaluable. In layman's terms a salt is simply an extra value combined with the plain text (prefixed or appended) before it is hashed. Here is an example:
The plain text value of "My Sensitive Data", hashed with the SHA1 algorithm, returns the value of:
0xA2D1EF295735857B9D7D674E1FE84B14B21EFA55
The plain text value of "My Sensitive Data", prefixed with the value "Hn45Zz&" and then hashed with the SHA1 algorithm, returns the value of:
0x5D0C2127955BC510384D4DC1EAB4A60F284F98CC
As you can see, the salted digest bears no resemblance to the unsalted one. An attacker running a dictionary attack now has to know the salt and hash every candidate word together with it; any table of digests precomputed without the salt is useless against the salted values.
If all hashed values in your database or table are salted with the same constant value then you have raised the bar only one notch: an attacker who learns that salt (and it has to be stored somewhere your code can read it) builds a single dictionary with it and compares every row in one pass. To "kick it up another notch", consider salting each value with something unique to its row, such as the primary key of the row in which the sensitive data is stored, or a random value kept in a column beside the hash. The benefit of this practice is that while you may have a hundred rows containing the same plain text, their salted hash values will all be different, and the attacker has to rerun the whole dictionary against every row. This results in much greater effort and cost for the attacker who is attempting to disclose the protected data.
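The two levels of salting from the last two paragraphs, a single constant salt versus a per-row salt, as an added example that is not the article's own code. It is T-SQL for SQL Server; the temporary table names, the sample rows and the word list are constructed. It goes slightly beyond the text in one respect: the per-row salt is a random value generated with CRYPT_GEN_RANDOM and stored next to the hash, rather than the primary key the text suggests. The primary key works the same way (convert it to VARBINARY and concatenate it), it is just predictable, so the random form is shown here.

```sql
-- Added example (not from the original article): the same plain text
-- hashed with a constant salt and with a per-row salt, and what each
-- costs an attacker running a dictionary attack.  Names are hypothetical.

DECLARE @ConstantSalt VARCHAR(20) = 'Hn45Zz&';   -- the article's salt

CREATE TABLE #Secrets (
    SecretId       INT           NOT NULL PRIMARY KEY,
    ConstSaltHash  VARBINARY(20) NOT NULL,   -- SHA1(constant salt + text)
    RowSalt        VARBINARY(16) NOT NULL,   -- random, stored beside the hash
    RowSaltHash    VARBINARY(20) NOT NULL    -- SHA1(row salt + text)
);

-- Constructed sample data.  Rows 1 and 2 deliberately share a plain text.
-- The salt is not secret, so it can live in the table in the clear; its job
-- is to make every row's digest different, not to hide anything.
CREATE TABLE #Staging (SecretId INT, PlainText VARCHAR(100), RowSalt VARBINARY(16));
INSERT INTO #Staging VALUES (1, 'password', CRYPT_GEN_RANDOM(16));
INSERT INTO #Staging VALUES (2, 'password', CRYPT_GEN_RANDOM(16));
INSERT INTO #Staging VALUES (3, 'letmein',  CRYPT_GEN_RANDOM(16));

INSERT INTO #Secrets (SecretId, ConstSaltHash, RowSalt, RowSaltHash)
SELECT SecretId,
       HASHBYTES('SHA1', @ConstantSalt + PlainText),
       RowSalt,
       HASHBYTES('SHA1', RowSalt + CONVERT(VARBINARY(100), PlainText))
FROM #Staging;

-- Rows 1 and 2: identical ConstSaltHash, different RowSaltHash.
SELECT SecretId, ConstSaltHash, RowSaltHash FROM #Secrets ORDER BY SecretId;

-- Attacker who knows the constant salt: hash the word list once, then one
-- join cracks every row, and one dictionary entry exposes both rows 1 and 2.
CREATE TABLE #Dictionary (Word VARCHAR(100) NOT NULL PRIMARY KEY, WordHash VARBINARY(20) NOT NULL);
INSERT INTO #Dictionary (Word, WordHash)
SELECT w.Word, HASHBYTES('SHA1', @ConstantSalt + w.Word)
FROM (VALUES ('password'), ('letmein'), ('123456'), ('qwerty')) AS w(Word);

SELECT s.SecretId, d.Word AS RecoveredPlainText
FROM #Secrets AS s
JOIN #Dictionary AS d ON d.WordHash = s.ConstSaltHash
ORDER BY s.SecretId;

-- Against the per-row salt the precomputed WordHash column is useless: the
-- attacker must hash every word once per row (rows x words), and nothing
-- computed for one row carries over to the next.
SELECT s.SecretId, d.Word AS RecoveredPlainText
FROM #Secrets AS s
CROSS JOIN #Dictionary AS d
WHERE HASHBYTES('SHA1', s.RowSalt + CONVERT(VARBINARY(100), d.Word)) = s.RowSaltHash
ORDER BY s.SecretId;

DROP TABLE #Dictionary;
DROP TABLE #Staging;
DROP TABLE #Secrets;
```

Both attack queries recover the same three rows here because the word list is tiny and contains the plain text; the difference is the work per row. With the constant salt the hashing happens once, at dictionary-build time, and the comparison is a cheap join on stored digests. With the per-row salt every comparison requires a fresh HashBytes call, so the attacker's cost grows with the number of rows rather than with the size of the word list alone. Whichever salt you store, keep the data type of the salted input fixed (VARBINARY concatenation here), or the digest computed at verification time will not match the one at insert time.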
A weakness of any hashing effort is a phenomenon called a "hash collision", which occurs when two different plain-text values produce the same digest. Collisions can never be eliminated, because a hash function maps inputs of any length onto a fixed number of bits; what a well-designed algorithm with a long enough digest does is make finding one computationally infeasible. Note that a salt does not change that probability, since collision resistance is a property of the algorithm and its digest length. What the salt does is stop identical plain-text values from producing identical digests, which is a different and separately useful property.
HashBytes and other hashing methods are certainly a way to obtain a level of security for sensitive data, and they should not be ignored simply because they have weaknesses; all security measures do. The key is to understand those weaknesses and add layers that strengthen them: a salt that is unique per row, a current algorithm (HashBytes supports SHA2_256 and SHA2_512 from SQL Server 2012 onward, and SHA1 should no longer be chosen for new work), and, for passwords in particular, the awareness that a single fast hash remains cheap to brute-force even when salted.