bcrypt 和多次哈希有什么区别?
bcrypt 比,比方说,
def md5lots(password, salt, rounds):
if (rounds < 1)
return password
else
newpass = md5(password + salt)
return md5lots(newpass, salt, rounds-1)
我有一种感觉,鉴于它的炒作,比我更聪明的人已经弄清楚了bcrypt 比这个更好。有人可以解释一下“聪明的外行”术语的区别吗?
How is bcrypt stronger than, say,
def md5lots(password, salt, rounds):
if (rounds < 1)
return password
else
newpass = md5(password + salt)
return md5lots(newpass, salt, rounds-1)
I get the feeling, given its hype, that more intelligent people than me have figured out that bcrypt is better than this. Could someone explain the difference in 'smart layman' terms?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
主要区别 - MD5 和其他旨在验证数据的哈希函数被设计得很快,而 bcrypt() 被设计得很慢。
当您验证数据时,您需要速度,因为您希望尽可能快地验证数据。
当您试图保护凭据时,速度会对您不利。拥有密码哈希副本的攻击者将能够执行更多的暴力攻击,因为 MD5 和 SHA1 等的执行成本很低。
相比之下,bcrypt 是故意昂贵的。当真正的用户尝试进行一两次身份验证时,这并不重要,但暴力破解的成本得多。
The principal difference - MD5 and other hash functions designed to verify data have been designed to be fast, and bcrypt() has been designed to be slow.
When you are verifying data, you want the speed, because you want to verify the data as fast as possible.
When you are trying to protect credentials, the speed works against you. An attacker with a copy of a password hash will be able to execute many more brute force attacks because MD5 and SHA1, etc, are cheap to execute.
bcrypt in contrast is deliberately expensive. This matters little when there are one or two tries to authenticate by the genuine user, but is much more costly to brute-force.
bcrypt 和使用 MD5 进行多次哈希处理之间存在三个显着差异:
因此,使用 MD5 进行加盐和拉伸并不像使用 bcrypt 那样安全。这个问题可以通过选择比 MD5 更好的哈希函数来解决。
例如,如果选择 SHA-256,则输出大小将为 256 位(32 字节)。如果可以像 bcrypt 一样配置加盐和拉伸来增加迭代次数,那么两种方法之间没有区别,除了存储结果哈希所需的空间量不同。
There are three significant differences between bcrypt and hashing multiple times with MD5:
Hence, using salting-and-stretching with MD5 is not as safe as using bcrypt. This issue can be solved by selecting a better hash function than MD5.
For example, if SHA-256 is selected, the output size will be 256-bits (32-bytes). If the salting-and-stretching can be configured to increase the number of iterations like bcrypt, then there is no difference between both methods, except the amount of space required to store result hashes.
您实际上正在谈论实施 PBKDF2 或基于密码的密钥派生函数。实际上,它与 BCrypt 是一样的,优点是可以延长派生密码所需的 CPU 时间。与 BCrypt 相比,它的优点在于,通过知道您已经输入了多少次“迭代”密码,当您需要增加密码时,您可以无需重置数据库中的所有密码。 。只需让您的算法获取最终结果,就好像它是在第 n 次迭代(其中 n 是前一次迭代计数)一样,然后继续!
建议您使用适当的 PBKDF2 库,而不是创建自己的库,因为让我们面对现实,就像所有密码学一样,您知道某些东西是否安全的唯一方法是它是否已经过互联网“测试”。 (请参阅此处< /a>)
使用此方法的系统:
.NET 有一个已经实现的库。请参阅此处
Mac、Linux 和 Windows 文件加密使用此加密方法的许多迭代(10,000+)版本来保护其文件系统。
Wi-Fi 网络通常使用这种加密方法来保护
来源
感谢您提出这个问题,它迫使我研究我正在使用的方法保护我的密码。
TTD
You are effectively talking about implementing PBKDF2 or Password-Based Key Derivation Function. Effectively it is the same thing as BCrypt, the advantage being that you can lengthen the amount of CPU time it takes to derive a password. The advantage of this over something like BCrypt is that, by knowing how many 'Iterations' you have put the password through, when you need to increase it you could do it without resetting all the passwords in the database. Just have your algorithm pick up the end result as if it were at the nth iteration (where n is the previous itteration count) and keep going!
It is recomended you use a proper PBKDF2 library instead of creating your own, because lets face it, as with all cryptography, the only way you know if something is safe is if it has been 'tested' by the interwebs. (see here)
Systems that use this method:
.NET has a library already implemented. See it here
Mac, linux and windows file encryption uses many itteration (10,000+) versions of this encryption method to secure their file systems.
Wi-Fi networks are often secured using this method of encryption
Source
Thanks for asking the question, it forced me to research the method i was using for securing my passwords.
TTD
尽管这个问题已经得到解答,但我想指出 BCrypt 和散列循环之间的细微差别。我将忽略已弃用的 MD5 算法和指数成本因子,因为您可以在问题中轻松改进这一点。
您正在计算哈希值,然后使用结果来计算下一个哈希值。如果您查看 BCrypt 的实现,您会发现每次迭代都使用生成的哈希值以及原始密码(密钥)。
这就是原因,您不能采用 Bcrypt 哈希密码并继续迭代,因为那时您必须知道原始密码。我无法证明这一点,但我认为这使得 Bcrypt 比简单的哈希循环更安全。
Although this question is already answered, i would like to point out a subtle difference between BCrypt and your hashing-loop. I will ignore the deprecated MD5 algorithm and the exponential cost factor, because you could easily improve this in your question.
You are calculating a hash-value and then you use the result to calculate the next hash-value. If you look at the implementation of BCrypt, you can see, that each iteration uses the resulting hash-value, as well as the original password (key).
This is the reason, you cannot take a Bcrypt-hashed password and continue with iterating, because you would have to know the original password then. I cannot prove it, but i suppose this makes Bcrypt safer than a simple hashing-loop.
严格来说,bcrypt 实际上是对文本进行加密:
64 次。
但它使用从您的密码和一些随机生成的盐派生的密钥来完成此操作。
密码散列不是散列
“密码散列算法”(如 bcrypt)的真正优点是它们使用大量 RAM。
SHA2设计就是为了速度快。如果您是实时网络服务器,并且想要验证文件完整性,那么您需要运行速度非常快、资源使用量非常低的服务器。这是密码散列的对立面。
如果您多次执行“快速” 哈希值(例如 10,000 是PBDKF2 的常见推荐),那么你就不是真的添加任何安全性。
您需要的是一个很难在硬件中实现的哈希值。您需要的是难以在 GPU 上并行化的哈希值。
在过去的几十年里,我们了解到 RAM 是减缓密码哈希尝试的关键。定制硬件在执行原始计算方面表现出色(事实上,只有 1% 的 CPU 专用于计算 - 其余部分专用于将机器指令更快地执行;预取、乱序执行、分支预测、缓存)。阻碍定制硬件的方法是让算法必须占用大量 RAM。
密码哈希并不意味着简单地多次使用快速哈希。
但是,我们回到我的 2.5W、USB、SHA2 棒,它的速度为 330 Mhashes/秒。为了防止这种情况发生,迭代次数必须达到 8300 万次。
bcrypt 已有 21 年历史,并且仅使用 4KB。但它仍然比任何数量的 MD5、SHA-1 或 SHA2 哈希要好得多。
Strictly speaking, bcrypt actually encrypts the text:
64 times.
But it does it with a key that was derived from your password and some randomly generated salt.
Password hashing is not hashing
The real virtue of "password hashing algorithms" (like bcrypt) is that they use a lot of RAM.
SHA2 is designed to be fast. If you're a real-time web-server, and you want to validate file integrity, you want something that runs extraordinarly fast, with extraordinarliy low resource usage. That is the antithesis of password hashing.
If you perform a "fast" hash multiple times (e.g. 10,000 is a common recommendation of PBDKF2), then you're not really adding any security.
What you need is a hash that is difficult to implement in hardware. What you need is a hash that is hard to parallelize on a GPU.
Over the last few decades we've learned that RAM is the key to slowing down password hashing attempts. Custom hardware shines at performing raw computation (in fact, only 1% of your CPU is dedicated to computation - the rest is dedicated to jitting the machine instructions into something faster; pre-fetching, out-of-order-execution, branch prediction, cache). The way to styme custom hardware is to make the algorithm have to touch a lot of RAM.
Password hashing does not mean simply using a fast hash multiple times.
But then we get back to my 2.5W, USB, SHA2 stick and it's 330 Mhashes/sec. In order to defend against that, it would have to be 83M iterations.
bcrypt is 21 years old, and it only uses 4KB. But it is still ~infinitely better than any amount of MD5, SHA-1, or SHA2 hashing.