我是否需要base64编码盐(用于哈希密码)? [英] Do I need base64 encode my salt (for hashing passwords)?
问题描述
请问这个非常奇怪的问题.我了解base64编码用于传输数据的目的(即MIME的Base64编码),但是我不知道是否需要对盐进行base64编码.
Excuse me for this very odd question. I understand the purpose of base64 encoding for transmitting data (i.e. MIME's Base64 encoding), but I don't know if I need to base64 encode my salts.
我写了一个实用程序类(实际上是一个基本抽象类):
I wrote an utility class (a base abstract class indeed):
use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder;
abstract class AbstractCryptPasswordEncoder extends BasePasswordEncoder
{
/**
* @return string
*/
protected abstract function getSaltPrefix();
/**
* @return string
*/
protected abstract function getSalt();
/**
* {@inheritdoc}
*/
public function encodePassword($raw, $salt = null)
{
return crypt($raw, $this->getSaltPrefix().$this->getSalt());
}
/**
* {@inheritdoc}
*/
public function isPasswordValid($encoded, $raw, $salt = null)
{
return $encoded === crypt($raw, $encoded);
}
}
一个真正的实现类是:
class Sha512CryptPasswordEncoder extends AbstractCryptPasswordEncoder
{
/**
* @var string
*/
private $rounds;
/**
* @param null|int $rounds The number of hashing loops
*/
public function __construct($rounds = null)
{
$this->rounds = $rounds;
}
/**
* {@inheritdoc}
*/
protected function getSaltPrefix()
{
return sprintf('$6$%s', $this->rounds ? "rounds={$this->rounds}$" : '');
}
/**
* {@inheritdoc}
*/
protected function getSalt()
{
return base64_encode(openssl_random_pseudo_bytes(12));
}
}
关键部分是生成盐,该盐将嵌入密码中:我假设出于任何原因(存储)都需要base64_encode
,假设它永远不会通过电线发送?
The key part is the salt generation, which will be embedded in the password: do I need base64_encode
for any reason (storing), assuming that it will be never sent over the wire?
推荐答案
每个哈希算法都希望在给定的字母中加盐,这意味着使用base64_encode()
可能是正确的选择,但通常它都不使用完整的字母或返回不在此字母表中的字符.
Each hash algorithm expects a salt in a given alphabet, that means using base64_encode()
can be the right thing, but often it does either not use the full alphabet or returns characters that are not in this alphabet.
以BCrypt为例,这是一种很好的密码哈希算法(SHA-512不合适,因为它太快了,不适合使用它),它接受base64编码的字符串中的所有字符("+"字符除外).另一方面,它接受."不属于base64编码的字符串的字符.
Take BCrypt for example, this is a good hash algorithm for passwords (SHA-512 is not appropriate because it is too fast), it accepts all characters of a base64-encoded string except the '+' character. On the other side it accepts '.' characters that are not part of a base64-encoded string.
PHP 5.5将准备好功能password_hash()
和password_verify()
,以使BCrypt的使用更加容易,我真的可以推荐它们.在旧版本的PHP上,还有一个兼容性包.在第121行中,您可以看到确实使用了base64_encode()
,但是之后所有无效的'+'字符都被替换为允许的'.'.字符:
PHP 5.5 will have the functions password_hash()
and password_verify()
ready, to make the usage of BCrypt easier, i really can recommend them. There is also a compatibility pack available for older PHP versions, on line 121 you can see that base64_encode()
is indeed used, but afterwards all invalid '+' characters are replaced with allowed '.' characters:
为BCrypt编码盐:
Encoding a salt for BCrypt:
$salt = str_replace('+', '.', base64_encode($buffer));
这篇关于我是否需要base64编码盐(用于哈希密码)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!