Are Rails passwords generated with bcrypt portable?


Question

I have an existing web application with a few thousand users which I'm porting over to Rails. As I rewrite and refactor this app I may need to run it on any number of different servers for development, testing, and production purposes.

I'm using Rails' built-in has_secure_password method in my user model but I'm concerned about the portability of password data. I will need to move the contents of my database from machine to machine to test in different environments and it's very important that I can test the user authentication functionality using the same set of users and passwords in each environment.

So far it's easy to find answers about how bcrypt-ruby works along with Rails' has_secure_password, but after weeks of searching I haven't found a clear answer.

If has_secure_password results in a WorkFactor + Salt + HashedPassword concatenated and saved to the password_digest database column, then can that hash be regenerated and compared reliably if moved to any other machine (assuming any other machine is running Rails on a Unix-like OS)?

OR To put it another way - are bcrypt-ruby passwords generated with Rails' has_secure_password portable?

Follow-up question: If the salt is always generated randomly (I've seen the same password use different hashes, so I don't think the salt is created from the text of the password itself), then how would a Rails app be able to reliably rehash the password on a login form submit and compare it to what's in the database? Obviously it would have to know what the salt is first in order to compare it. How does it do that?

Accepted answer

Yes, the passwords are portable. The format used is a standard "crypt encoding" format, also used as part of RFC 2307 (in RFC 2307, the string would be prefixed "{CRYPT}"). I have worked with a Perl library, Authen::Passphrase, that would happily authenticate passwords against the bcrypt-hashed versions from an RoR database.

For the follow-up question: The salt is embedded in the stored value (along with the type of hashing, the number of bcrypt cycles to use and of course the hash itself), and to authenticate the server needs to read the stored value, then it simply re-uses the same salt to generate the hash part - if the input password is correct, then the hash will be identical. The authentication process does not create a new random salt. A random salt is only created when generating a brand new hash for storing.

The bcrypt password is easily split into components for a server to read (I have chosen non-realistic characters to make it easier to see boundaries; in fact the salt and hash are base 64 encoded binary data):

 $2a$10$AaBbCcDdEeFfGgHhIiJjKk0987654321098765432109876543210

  • This part means "use bcrypt, 2 ** 10 == 1024 iterations": $2a$10$

  • This part is the salt: AaBbCcDdEeFfGgHhIiJjKk, always 22 characters

  • This part is the hash: 0987654321098765432109876543210, always 31 characters
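The split described above, and the "re-use the stored salt" verification step from the answer, as an added example in Ruby. This is not code from the original answer, from Rails, or from bcrypt-ruby; it parses the answer's deliberately unrealistic sample digest with a regular expression over the crypt-encoding layout, and the live verification part assumes the bcrypt gem (the one has_secure_password uses) is installed and calls its BCrypt::Engine.hash_secret with the stored cost-and-salt prefix.

```ruby
# Added example, not code from the original answer or from Rails/bcrypt-ruby.
# Splits a stored bcrypt digest into the fields the answer describes and shows
# that verifying a login re-uses the embedded cost and salt; no new salt is
# generated, which is why the same digest verifies on any machine.

# Crypt-encoding layout written by bcrypt-ruby / has_secure_password:
#   $<version>$<cost>$<22-char salt><31-char hash>   (60 chars in total)
BCRYPT_DIGEST = /\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/.freeze

BcryptFields = Struct.new(:version, :cost, :iterations, :salt, :hash, :salt_prefix)

# Parse a stored digest; raises on anything malformed so a corrupted or
# truncated password_digest column fails loudly instead of silently mismatching.
def parse_bcrypt_digest(digest)
  m = BCRYPT_DIGEST.match(digest.to_s)
  raise ArgumentError, "not a bcrypt digest: #{digest.inspect}" unless m
  version, cost_str, salt, hash = m.captures
  cost = cost_str.to_i
  raise ArgumentError, "bcrypt cost #{cost} outside 4..31" unless (4..31).cover?(cost)
  # salt_prefix is exactly what a bcrypt library needs to re-derive the hash part
  BcryptFields.new(version, cost, 2**cost, salt, hash, "$#{version}$#{cost_str}$#{salt}")
end

# Compare two strings in time independent of where they first differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a login attempt: re-hash the candidate with the *stored* cost and salt
# and compare. Requires the bcrypt gem (assumed installed).
def verify_password(stored_digest, candidate)
  fields = parse_bcrypt_digest(stored_digest)
  require 'bcrypt'
  recomputed = BCrypt::Engine.hash_secret(candidate, fields.salt_prefix)
  constant_time_equal?(recomputed, stored_digest)
end

# The answer's constructed sample (not a real hash of any password)
SAMPLE_DIGEST = '$2a$10$AaBbCcDdEeFfGgHhIiJjKk0987654321098765432109876543210'

if __FILE__ == $PROGRAM_NAME
  f = parse_bcrypt_digest(SAMPLE_DIGEST)
  puts "version=#{f.version} cost=#{f.cost} (#{f.iterations} rounds)"
  puts "salt=#{f.salt} (#{f.salt.length} chars)"
  puts "hash=#{f.hash} (#{f.hash.length} chars)"
  begin
    require 'bcrypt'
    # Two fresh digests of one password differ (new random salt each time)...
    d1 = BCrypt::Password.create('correct horse', cost: 4).to_s
    d2 = BCrypt::Password.create('correct horse', cost: 4).to_s
    puts "fresh digests differ: #{d1 != d2}"
    # ...yet both verify, because each carries its own salt.
    puts "both verify: #{verify_password(d1, 'correct horse') && verify_password(d2, 'correct horse')}"
    puts "wrong password rejected: #{!verify_password(d1, 'wrong')}"
  rescue LoadError
    puts 'bcrypt gem not installed; skipping live verification'
  end
end
```

Run it with `ruby bcrypt_fields.rb`; the parsing part needs no gems, the live section only runs when bcrypt-ruby is available. The parser rejects anything that is not a 60-character digest with a cost in bcrypt's valid range, which is the check worth having when a database dump has been moved between machines and a column may have been truncated or re-encoded on the way.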
