我真的应该经常与 bcrypt 发生冲突吗?
当对两个随机字符串进行哈希处理时,我平均在 100,000 次碰撞中得到 2 次碰撞。 这是预期的吗?
所有这些字符串都会产生相同的散列(使用任何盐和任何工作因子):
base64_decode('/g=');
base64_decode('/gB/==');
base64_decode('/gBQyVY/0dzg');
base64_decode('/gBQyoK71jVY/JZP0dzg=');
base64_decode('/gBQyoK71jVY/J2ea4q9mAZP0dzg==');
base64_decode('/gBQyoK71jVY/J7QuBNJuFdxyf2eTBCs42chkx6ZvpJYszpUcJk8/HXa4q9mAZP0dzg=');
这些只是示例,尝试从中心添加和删除字符,您会得到更多匹配项。 这是用于查找它们的 php 代码:
set_time_limit(60*10);
$salt = '$2a$04$usesomesillystringforsalt$';
for($i=0; $i < 100000; $i++){
$one = openssl_random_pseudo_bytes(rand(1,111));
$two = openssl_random_pseudo_bytes(rand(1,111));
if(crypt($one, $salt)==crypt($two, $salt)){
echo base64_encode($one).'|'.base64_encode($two)."\n";
}
}
When hashing two random strings, I get on average 2 collisions out of 100,000.
Is this expected?
All of these strings produce the same hash (using any salt and any work factor):
base64_decode('/g=');
base64_decode('/gB/==');
base64_decode('/gBQyVY/0dzg');
base64_decode('/gBQyoK71jVY/JZP0dzg=');
base64_decode('/gBQyoK71jVY/J2ea4q9mAZP0dzg==');
base64_decode('/gBQyoK71jVY/J7QuBNJuFdxyf2eTBCs42chkx6ZvpJYszpUcJk8/HXa4q9mAZP0dzg=');
And these are just examples, try adding and removing characters from the center, you get many more matches.
Here is the php code used to find them:
set_time_limit(60*10);
$salt = '$2a$04$usesomesillystringforsalt
;
for($i=0; $i < 100000; $i++){
$one = openssl_random_pseudo_bytes(rand(1,111));
$two = openssl_random_pseudo_bytes(rand(1,111));
if(crypt($one, $salt)==crypt($two, $salt)){
echo base64_encode($one).'|'.base64_encode($two)."\n";
}
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
没关系,PHP 不能很好地处理具有空字节的字符串。
PHP crypt 函数不是二进制安全的。
Nevermind, PHP doesn't play well with strings having a null byte.
The PHP crypt function is not binary safe.