尝试了解 Ruby on Rails 中的加盐和哈希密码
我正在阅读 Michael Hartl 的书(很棒的免费资源,顺便说一句,谢谢 Michael!),我有一个关于加盐和散列密码的问题。对密码加盐的目的是防止黑客执行彩虹攻击,如果我理解正确的话,如果黑客可以猜测所使用的加密类型,那么这基本上是一种暴力攻击。为了防止这种攻击,在加密之前使用盐来随机化密码,但是盐必须与加密的密码一起存储?如果是这样,那么如果黑客可以访问数据库并检索加密的密码,那么他们就不能检索盐并继续进行彩虹攻击吗?
这是迈克尔的该过程的代码示例...
>> Time.now.utc
=> Fri Jan 29 18:11:27 UTC 2010
>> password = "secret"
=> "secret"
>> salt = secure_hash("#{Time.now.utc}--#{password}")
=> "d1a3eb8c9aab32ec19cfda810d2ab351873b5dca4e16e7f57b3c1932113314c8"
>> encrypted_password = secure_hash("#{salt}--#{password}")
=> "69a98a49b7fd103058639be84fb88c19c998c8ad3639cfc5deb458018561c847"
非常感谢!
I'm walking through Michael Hartl's book (awesome, free resource, btw, thanks Michael!) and I have a question about salting and hashing passwords. The point of salting a password is to prevent a hacker from performing a rainbow attack, which if I understand correctly is basically a brute force attack if the hacker can guess the type of encryption used. To prevent this kind of attack, a salt is used to randomize the password before it's encrypted, but that salt has to be stored along with the encrypted password? If so, then if a hacker can access the database and retrieve the encrypted password, then can't they also retrieve the salt and proceed with their rainbow attack?
Here's Michael's code example of the process...
>> Time.now.utc
=> Fri Jan 29 18:11:27 UTC 2010
>> password = "secret"
=> "secret"
>> salt = secure_hash("#{Time.now.utc}--#{password}")
=> "d1a3eb8c9aab32ec19cfda810d2ab351873b5dca4e16e7f57b3c1932113314c8"
>> encrypted_password = secure_hash("#{salt}--#{password}")
=> "69a98a49b7fd103058639be84fb88c19c998c8ad3639cfc5deb458018561c847"
Thanks so much!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
不,彩虹攻击与暴力攻击不同。
您可以将彩虹表视为字符串及其哈希值的大型数据库。当有人访问您的数据库时,他们可以将密码哈希与彩虹表中的密码哈希进行比较,并轻松获取密码。
盐通过在密码中添加额外的位来防止这种情况发生。如果盐足够长,哈希值就不会出现在彩虹表中。
当使用暴力攻击时,你必须计算哈希值,而使用彩虹攻击时,你已经有了哈希值。
所以,是的,当有人访问您的数据库时,他们也可以获得您的盐。但如果每条记录都是唯一的,那并不重要。
No, a rainbow attack is not the same as a brute-force attack.
You can think of a rainbow table as a big database of strings and their hashes. When someone gets access to your database, they can compare the passwordhash to the ones in the rainbow table and get the password easily.
A salt prevents this by adding extra bits to the password. If the salt is long enough, the hash won't be in the rainbow table.
When using a brute-force attack, you have to calculate the hashes, while with rainbow attacks, you have the hashes already.
So yes, when someone gets access to your database, they can also get your salt. But that doesn't matter if it's a unique one per record.