Is it possible to decrypt Firebase's AES encryption on its password hashes?

Posted 2025-02-06 02:20:19 · 900 characters · 0 views · 0 comments


Firebase hashes users' passwords with what they call an "internally modified version of scrypt." In short, they first hash the plaintext passwords using the standard scrypt algorithm and then apply rounds of AES to the hash. This is described in more detail in this thread: https://github.com/firebase/scrypt/issues/2

I've been able to reproduce Firebase's "modified version" and match the encrypted hashes exported from Firebase using Node's crypto module. The kicker is that they flip the key and data inputs so that the key is used as the message to encrypt and the hashed password is used as the key.

const crypto = require('crypto')

// Inputs (defined elsewhere): scryptHash is the scrypt output as a 32-byte
// Buffer (AES-256 needs a 32-byte key), iv is a 16-byte Buffer, signerKey is
// the base64 signer key exported alongside the hashes.

// Encryption
let cipher = crypto.createCipheriv('aes-256-ctr', scryptHash, iv)
let encrypted = cipher.update(signerKey, 'base64', 'base64')
encrypted += cipher.final('base64')

// This matches Firebase's exported password hashes
console.log("Firebase Custom Hash: ", encrypted)

When using crypto.createDecipheriv to decrypt the message, you have to pass it the value of the key, but because the original key was actually the scrypt hash, we don't have this value.

The Point: Is it possible to decrypt the AES key if you have the decrypted data using the crypto module or any other library? If this is possible, it would allow us to import Firebase users' custom password hashes into other authentication systems that support standard scrypt.
