使用sha256 C＃进行密码加密 [英] Password encryption using sha256 C#

问题描述

你好朋友。我按照下面的例子给服务提供商生成我的密码。



以下是说明：

密码应该具有使用base64_encode加密的参数（MERCHANT-_ID，密码，TIMESTAMP）并使用sha256进行散列



以下是我的示例参数am传递：

merchantId = 1234; passkey =mykey，timestamp =20160602174717。



向提供者提交请求时，我收到错误验证失败意味着我的密码生成失败。有人请检查我的下面的加密功能是否有任何问题吗？



我试过的：



这是我的功能，用于根据上述说明生成密码：



public static string sha256_hash（string value）

{





string finalKey = string.Empty ;

byte [] encode = new byte [value.Length];

encode = Encoding.UTF8.GetBytes（value）;

finalKey = Convert.ToBase64String（encode） ;

返回finalKey;



}



加密普通密码，我的请求证明身份验证失败。有人告诉我我可能缺少什么

Hello friends.I am following the below example to generate my password to a service provider.

Below are the instructions:
The password should have parameters (MERCHANT¬_ID, passkey, TIMESTAMP) encrypted using base64_encode and hashed using sha256

Below is my sample parameters am passing:
merchantId=1234;passkey="mykey",timestamp="20160602174717".

On submitting my request to the provider,i am getting error authentication failed meaning my password generated failed.Could someone please checkout if am doing anything wrong in my below encryption function?

What I have tried:

Here is my function which am using to generate password based on the above instructions:

public static string sha256_hash(string value)
{


string finalKey = string.Empty;
byte[] encode = new byte[value.Length];
encode = Encoding.UTF8.GetBytes(value);
finalKey = Convert.ToBase64String(encode);
return finalKey;

}

On encrypting the plain password,my requests turns out authentication failed.Someone tell me what i could be missing

推荐答案

正确...有些注意事项：Base64不是加密。它是翻译，它不是同一个东西，并且不需要键值来恢复原始输入。它不是以任何方式，形状或形式存储密码的安全算法。

也不是SHA256。所有SHA算法都与哈希有关，而不是加密 - 并且有一个重要区别：加密可以反转以恢复原始输入，哈希不能。如果您对密码进行哈希（并且您应该），则无法从SHA值中检索原始密码。



并且您的代码不会加密，散列或执行任何操作远程安全相关。

我建议您查看提供商示例，因为从有限的描述中看不出他们想要的内容。我猜测应该将商家ID转换为base64，并且应该对密码进行哈希处理，但通常会应用一个salt值，以便具有相同密码的两个用户不会生成相同的哈希值。在尝试使用该服务之前，您需要更多信息。

Right...some things to note: Base64 is not encryption. It's translation, which is not the same thing, and requires no key value to restore the original input. It is not a secure algorithm for password storage in any way, shape or form.
Neither is SHA256. All SHA algorithms are concerned with Hashing, not encryption - and there is an important difference: encryption can be reversed to restore the original input, hashing cannot. If you hash a password (and you should) you cannot retrieve the original password from the SHA value.

And your code does not encrypt, hash, or do anything even remotely security related.
I'd suggest that you look at the providers examples as it's not obvious from the limited description exactly what they want. I'd guess that the Merchant ID should be converted base64, and the passkey should be hashed, but normally there is a salt value applied so that two users with the same password don't generate the same hash value. You need more information before you can try to use the service.

OriginalGriff在解决方案1中说了所有内容，我想继续并向您展示如何恢复SHA256密码的实际示例回到纯文本。尽管它们未被还原，但它们将与数据库进行比较以获取该密码的纯文本。在这种情况下，将盐添加到密码中，以便无法使用反向查找表进行攻击。



在.NET Core中使用提示隐藏密码 [ ^ ]。我正在研究.NET Core散列技术，而我发现我可以使用反向查找技术轻松破解自己的密码。阅读文章以获得更多信息。这正是你想要使用盐的地方。请记住，salt应该是随机数（让它成为十六进制数）。你永远不应该：



1.重新使用盐。

2.使用短盐。

3.从用户名等处获取盐。



如果您使用自己的库，或者要为其构建库哈希密码我的建议是使用该文章，并查看我在该文章中教授的方法。它可以帮助您构建基于预构建工具的密码哈希库。

OriginalGriff said everything in his Solution 1, I want to continue and show you a live example of how even SHA256 passwords can be reverted back to plain-text. Although they are not reverted, they are compared against a database to get the plain-text of that password. In such cases, the salt is added to the password to make it impossible to be attacked using reverse-lookup tables.

Hashing passwords in .NET Core with tips[^]. I was working on .NET Core hashing techniques while I figured out that I can easily crack my own passwords using reverse-lookup technique. Read the article to get more on that. That is exactly, where you would like to use a salt. Remember, salt should be random numbers (let that be as a hexadecimal number). You should never:

1. Re-use the salt.
2. Use a short salt.
3. Get the salt from the username etc.

If you are using your own libraries, or are going to build a library for hashing the passwords my recommendation is to use the article and see the methods that I am teaching in that article. It would help you in building a library for password hashing based on prebuilt tools.

这篇关于使用sha256 C＃进行密码加密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！