分享程序员开发的那些事...
更新时间:2023-01-14 10:44:09
使用基本安全措施存储密码的过程相当简单:
The process for storing passwords with a basic measure of security is fairly simple:
如果他们输入了正确的密码,散列的密码将匹配.散列可以保护用户免受攻击,也可以防止管理员走过带有 members 表的屏幕.
If they entered the correct password, the hashed PWs will match. Hashing protects the users from attacks as well as the janitor walking by a screen with the members table on display.
' salt size is 32 (0-31
Private Const SaltSize As Integer = 31
...
Dim dbPW As String = TextBox1.Text
Dim dbSalt = CreateNewSalt(SaltSize)
' eg: "dsEGWpJpwfAOvdRZyUo9rA=="
Dim SaltedPWHash As String = GetSaltedHash(dbPW, dbSalt)
' examples:
' using SHA256: bbKN8wYYgoZmNaG3IsQ2DPS2ZPIOnenl6i5NwUmrGmo=
' using SHA512:
' 0vqZWBIbOlyzL25l9iWk51CxxJTiEM6QUZEH1ph+/aNp+lk4Yf8NYv8RLhYtbqCNpOqO3y8BmM+0YWtbAhE+RA=="
将 PW 哈希和盐作为用户记录的一部分存储.盐不是秘密,而是在用户更改密码时/如果用户更改密码.
Store the PW hash and the salt as part of the user's record. The salt is not secret, but change it when/if the user changes their password.
' check if PW entered equals DB
Dim pwTry = TextBox2.Text
' hash the login attempt using the salt stored in the DB
Dim pwLogin = GetSaltedHash(pwTry, dbSalt)
' compare the hash of what they entered to whats in the DB:
If String.Compare(SaltedPWHash, pwLogin, False) = 0 Then
' okay!
Console.Beep()
End If
如果用户输入相同的密码,应该得到相同的哈希值,就这么简单.散列代码并不那么复杂:
If the user enters the same PW, it should result in the same hash, it is as simple as that. The hashing code is not all that complicated:
Private Function GetSaltedHash(pw As String, salt As String) As String
Dim tmp As String = pw & salt
' or SHA512Managed
Using hash As HashAlgorithm = New SHA256Managed()
' convert pw+salt to bytes:
Dim saltyPW = Encoding.UTF8.GetBytes(tmp)
' hash the pw+salt bytes:
Dim hBytes = hash.ComputeHash(saltyPW)
' return a B64 string so it can be saved as text
Return Convert.ToBase64String(hBytes)
End Using
End Function
Private Function CreateNewSalt(size As Integer) As String
' use the crypto random number generator to create
' a new random salt
Using rng As New RNGCryptoServiceProvider
' dont allow very small salt
Dim data(If(size < 7, 7, size)) As Byte
' fill the array
rng.GetBytes(data)
' convert to B64 for saving as text
Return Convert.ToBase64String(data)
End Using
End Function
System.Guid.NewGuid.ToString) 之类的东西作为盐很诱人,但使用加密随机数生成器并不难.Shared/static 类成员的理想选择.
System.Guid.NewGuid.ToString) as the salt, but it just isn't all that hard to use the cryptographic random number generator.Shared / static class members.另请注意,Kenneth 链接的文章非常值得一读.
Note also, the article linked to by Kenneth is well worth reading.
注意文章提到盐应该存储在散列旁边的用户帐户表 这并不意味着您必须在数据库中有一个 Salt 列.您可以在链接的文章中看到以下内容:
Note that the article mentions The salt should be stored in the user account table alongside the hash This doesn't mean you must have a Salt column in the DB. You can see the following being done in the linked article:
Dim dbPW As String = TextBox1.Text
Dim dbSalt = CreateNewSalt(SaltSize)
' get the salted PW hash
Dim SaltedPWHash As String = GetSaltedHash(dbPW, dbSalt)
' store salt with the hash:
SaltedPWHash = String.Format("{0}:{1}", dbSalt, dbPW)
' salt + ":" + hashed PW now ready to store in the db
从散列密码中分离盐:
Dim SaltAndPWHash = rdr.Item("PWHash").ToString()
Dim split = SaltAndPWHash.Split(":"c) ' split on ":"
Dim Salt = split(0) ' element(0) == salt
Dim StoredPWHash = split(1) ' element(1) == hashed PW
您需要两个部分:在您对 PW 中尝试的日志进行哈希处理后,将其与 split(1) 进行比较.
You need both parts: after you hash the attempted log in PW, compare it to split(1).