PHP crypt 和 salt - 请更多说明
我昨天在这里得到了一些非常好的答案。我把我得到的东西放在一起,我认为这将是一个相当安全的算法。我在使用带有生成盐的 for 循环的河豚时遇到问题。
我使用 base64 字符和 for 循环来获取随机字符串。我想获取这个生成的字符串并将其作为盐插入到 crypt 函数中。
因为有关河豚的文档非常稀疏,而且 PHP 文档甚至没有真正提及它,所以我在这里有点摸不着头脑。
真正奇怪的是,如果您按照现在的方式运行此代码,它将不会失败。从 crypt 函数中删除 for 循环上方的“$2a$07$”或,它将间歇性返回一个加密字符串。我对河豚的理解是,加密字符串必须以“$2a$07$”开头并以“$”结尾,因此在 crypt 函数中串联。我真的不需要上面的开始字符串for 循环,只是想摆脱它。
我还想澄清一下存储随机盐的最佳实践,是在数据库中还是通过在数据库中存储 crypt 函数的输出?
昨天,没有真正的代码被抛出,今天我想将一些代码放在一起,并且有一些相当安全的东西,如果有人能提出更好的算法,我总是开放的。
$base64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
$salt = '$2a$07$';
for($i=0; $i<60; $i++)
{
$salt .= $base64[rand(0,63)];
}
return crypt('password', '$2a$07$'.$salt.'$');
I was here yesterday and got some really great answers. I took what I got and put together, what I think will be a fairly secure algorithm. I'm having a problem using blowfish with a for loop that generates the salt.
I'm using base64 characters and a for loop to get a random string. I want to take this generated string and insert it into the crypt function as the salt.
Because the documentation about blowfish is so sparse and the PHP docs don't really even mention it, I'm sort of stabbing in the dark here.
The really strange thing is if you run this code the way it is now, it will not fail. Remove either the '$2a$07$' from above the for loop or from the crypt function and it will intermittently return an encrypted string. My understanding of blowfish is that the encrypted string must begin with '$2a$07$' and end in "$' hence the concatenation in the crypt function. I really don't need the beginning string above the for loop and just wanted to get rid of it.
I also would like clarification about the best practice on storing the random salt, either in the database or by storing the output of the crypt function in the database?
Yesterday, there was no real code being thrown around, just discussion. I'd like to put some code together today and have something that is fairly secure in place. If anyone can come up with a better algorithm, I'm always open.
$base64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
$salt = '$2a$07
;
for($i=0; $i<60; $i++)
{
$salt .= $base64[rand(0,63)];
}
return crypt('password', '$2a$07
.$salt.'
);
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
似乎
crypt()不喜欢盐中的+字符,以及许多其他特殊字符(*、%等)。如果你过滤掉它们,它应该在每次尝试中都能工作(并且不需要重复盐 ID 字符串)。It seems that the
crypt()dislikes+char in the salt, and a lot of other special chars as well (*,%etc). If you filter them out it should work on every try (and no need repeating the salt id string).我知道这个问题现在实际上已经是古老的历史了,但是为了任何通过搜索谷歌找到它的人的利益,在这个问题的答案中有关于 bcrypt/EksBlowfish 盐如何工作的非常详细的描述:
为什么 crypt/blowfish 使用两种不同的盐生成相同的哈希值?
简而言之,正如caf所说,它使用由
[a-zA-Z0-9./]组成的base64字母表,以$作为空(NOT 0)终止/填充字符。如果您使用该范围之外的任何字符,或者太早使用$,它将出错或无法解释整个盐。I know this question is practically ancient history now, but for the benefit of anyone who finds it by searching google, there is a pretty detailed description of how the bcrypt/EksBlowfish salts work in the answer to this question:
Why does crypt/blowfish generate the same hash with two different salts?
The short answer is, as caf said, it uses a base64 alphabet composed of
[a-zA-Z0-9./], with$as the null (NOT 0) terminating/padding character. If you use any characters outside of that range, or a$too early, it will either error out or not interpret the entirety of the salt.