生成用户唯一的 hmac 密钥以进行密码散列

发布于 2024-11-25 03:23:13 字数 534 浏览 3 评论 0原文

对于我网站的密码哈希，我编写了以下函数：

public function hash($user) {
    $user_key = hash_hmac('sha512', $user['id'].$user['email'], $this->site_key);
    $password = hash_hmac('sha512', $user['password'], $user_key);
}

我生成用户唯一密钥以用于最终密码哈希。因为这个密钥是用 sha512 散列的，所以根据我在维基百科上读到的内容，它应该提供足够的安全性：

HMAC 的加密强度取决于底层哈希函数的加密强度、其哈希输出长度（以位为单位）的大小以及加密密钥的大小和质量。

如果以前对密码进行哈希处理，我还没有见过这种方式，想知道它是否足够好？

额外：我没有使用盐，因为我认为 hmac 将提供的密钥附加到数据中（就像盐一样），这是对的吗？

原文

For my website's password hashing I wrote the following function:

public function hash($user) {
    $user_key = hash_hmac('sha512', $user['id'].$user['email'], $this->site_key);
    $password = hash_hmac('sha512', $user['password'], $user_key);
}

I generate user unique keys to use for the final password hashing. Because this key is hashed with sha512 it should give enough security based on what I read on wikipedia:

The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output length in bits and on the size and quality of the cryptographic key.

I have not seen this way if hashing passwords before and was wondering if it is good enough?

Extra: I have not used a salt because I think hmac appends the provided key to the data (like a salt), is this right?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

溺ぐ爱和你が 2024-12-02 03:23:14

好的，首先也是最重要的。不要编写自己的函数来进行密码哈希处理。我不是怀疑你的技能，但为了安全起见，不要做你自己的哈希系统。你的密钥 HMAC 没问题，但我仍然不会使用它。

最后，我建议您对用户密码执行此操作。

<?PHP

$password=$user['password'];
$username=$user['username'];
 
$salt='usesomesillystringforsalt';
$hashed_password=crypt($password.$username,'$2a$04$usesomesillstringforsalt
该算法使用基于 Blowfish 的 Bcrypt，它是一种非常强大的算法，也是 Gawker 媒体在被黑客攻击后所采用的算法，因为密码散列的稳健性和实用性。 crypt ^{PHP 手册}
接下来，请记住将 usesomesillystringforsalt 部分更改为其他内容。它需要是22位base64盐AZ、az、0-9、/和“。”
转到该链接以了解有关算法本身的更多信息。我建议您只使用此实现，因为它比您建议的实现要强大得多。
如果您想更进一步，我建议您为每个用户使用独特的盐。如果您想这样做，我可以编写一个示例函数，它将向您展示如何做到这一点。
如前所述，如果您还有其他问题，请随时提问。
);

?>

该算法使用基于 Blowfish 的 Bcrypt，它是一种非常强大的算法，也是 Gawker 媒体在被黑客攻击后所采用的算法，因为密码散列的稳健性和实用性。 crypt ^{PHP 手册}

接下来，请记住将 usesomesillystringforsalt 部分更改为其他内容。它需要是22位base64盐AZ、az、0-9、/和“。”

转到该链接以了解有关算法本身的更多信息。我建议您只使用此实现，因为它比您建议的实现要强大得多。

如果您想更进一步，我建议您为每个用户使用独特的盐。如果您想这样做，我可以编写一个示例函数，它将向您展示如何做到这一点。

如前所述，如果您还有其他问题，请随时提问。

OK, first and foremost. Do not write up your own function to do password hashing. I'm not doubting your skills, but to be safe do not do your own hashing system. And an HMAC your key is OK, but I'd still not use it.

Finally I'd suggest that you do this for your users passwords.

<?PHP

$password=$user['password'];
$username=$user['username'];
 
$salt='usesomesillystringforsalt';
$hashed_password=crypt($password.$username,'$2a$04$usesomesillstringforsalt
This algorithm uses Bcrypt which is based upon Blowfish it is a very robust algorithm and is what Gawker media went to after they were hacked due to the robustness and usefulness for password hashing. crypt ^{PHP Manual}
Next up, remember to change the part that says usesomesillystringforsalt to something else. It needs to be 22 digits of base64 salt A-Z,a-z,0-9,/ and "."
Go to that link to find out more about the algorithm itself. I suggest that you just use this implementation as it is much much stronger than the one that you were suggesting.
If you want to go a step forward, I'd suggest that you use a unique salt for every user. If you want to do that, I can write up an example function which will show you how to do that.
As stated, if you have any more questions feel free to ask.
);

?>

This algorithm uses Bcrypt which is based upon Blowfish it is a very robust algorithm and is what Gawker media went to after they were hacked due to the robustness and usefulness for password hashing. crypt ^{PHP Manual}

Next up, remember to change the part that says usesomesillystringforsalt to something else. It needs to be 22 digits of base64 salt A-Z,a-z,0-9,/ and "."

Go to that link to find out more about the algorithm itself. I suggest that you just use this implementation as it is much much stronger than the one that you were suggesting.

If you want to go a step forward, I'd suggest that you use a unique salt for every user. If you want to do that, I can write up an example function which will show you how to do that.

As stated, if you have any more questions feel free to ask.

回复收藏 0 原文

~没有更多了~