如何检查两个哈希密码是否相同?
我正在编写一个程序,在将登录详细信息发送到服务器之前,我使用 MD5 对登录详细信息进行哈希处理,但我必须将其与从数据库检索到的河豚 (jBCrypt) 哈希密码进行比较。
jBCrypt 使用:
if (BCrypt.checkpw("candidatePassword", hashedPwd)) {
// they are the same
}
问题是,我没有可供测试的候选密码。如何才能安全传输我的登录详细信息并将这些详细信息安全存储在数据库中。解决这个问题的最佳方法是什么?
我使用用户名、时间戳、随机字节和密码来创建 md5 摘要值。
谢谢, 弗拉基米尔
I'm writing a program where I use MD5 to hash login details before I send them to a server, but there I have to compare it to a blowfish (jBCrypt) hashed password retrieved from a database.
jBCrypt uses:
if (BCrypt.checkpw("candidatePassword", hashedPwd)) {
// they are the same
}
The problem is that, I don't have a candidate password to test. How can I have both secure transmission of my login details and secure storage of these details on the database. What is the best way to approach this?
I use username, timestamp, random bytes and password to create my md5 digest value.
Thanks,
Vladimir
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
仅给出两个哈希值,您不能1。哈希被设计为单向的;您无法从哈希中恢复原始数据,这就是为什么存储哈希密码被认为比存储加密密码更安全。
因此,根据哈希验证数据的唯一方法是对数据进行哈希处理并查看结果是否匹配。
1 当然,诸如can't和only之类的词的真正意思是“除非你使用暴力......”这些算法背后的理论证明它们是“相当”安全的,但人们必须始终记住理论和实践之间的区别:理论上,没有区别。
Given only the two hashes, you can't1. Hashes are designed to be one-way; you can't recover the original data from the hash, which is why storing hashed passwords is deemed more secure than storing encrypted passwords.
So the only way to validate data against a hash is to hash the data and see if the result matches.
1 Of course, words such as can't and only really mean "unless you use brute force...." The theories behind these algorithms prove that they are "reasonably" secure, but one must always remember the difference between theory and practice: in theory, there is no difference.
Adam 是对的:如果将多个值散列在一起,则无法从散列中取回它们。
听起来你真正想要的是加密:加密的消息对于拦截它的对手来说毫无意义,但可以由友好的一方在另一端提取其值。*
网络应用程序的安全性是它自己的特殊领域您可以查找有关如何执行此操作的许多资源。
建议的方法是:
从客户端创建随机字节和密码的哈希值。打包用户名、时间戳和哈希值,并将其安全地发送到服务器(使用 SSL 或加密)。
从服务器解密或以其他方式“解包”这些值,并根据数据库中的值检查散列密码和用户名。如果匹配,则允许访问,如果不匹配,则拒绝。
(这假设您使用随机字节作为哈希的“盐”。如果不是,则只需对密码进行哈希处理,而不是对随机字节进行哈希处理)。
*= 这是加密如何工作的一个非常高级的想法,并假设一切都正确完成,并且没有中间步骤受到损害,等等。
Adam is right: if you hash multiple values together, you cannot get them back from the hash.
It sounds like what you really want is encryption: an encrypted message is meaningless to an adversary who intercepts it, but can have its value(s) extracted on the other end by a friendly party.*
Security for webapps is its own special field with many resources you could look up on how to do this.
A suggested approach would be this:
From the client side, create a hash of the random bytes and password. Package the username, timestamp, and hashed value, and securely send it to the server (using SSL, or encryption).
From the server, decrypt or otherwise 'depackage' the values, and check the hashed password and the username against the values in the database. It if matches, allow access, if it doesn't, deny.
(this makes the assumption that you're using the random bytes as a 'salt' for the hash. If you aren't, just hash the password, and not the random bytes).
*= This is a very high-level idea of how encryption works, and assumes everything is done properly, and no intermediate step is compromised, etc. etc.