Why does Ruby's bcrypt lib include the salt in plaintext in the hash?


Problem description

I am using Coda Hale's Ruby bcrypt library. I noticed recently that it wasn't working like I thought it worked. I had thought that the proper procedure is:

  1. Generate a salt
  2. Get the password
  3. Concatenate the salt and password strings
  4. Hash the result with your hash function

But when I look at the results of the bcrypt function it appears that the salt is concatenated to the hash, not the password. That is, the salt concatenation happens after step #4, not before. I'm assuming Coda Hale is doing this right, but I am wondering why it behaves like this.

Here's a brief IRB session to show what's weird (to me). Notice that in the results of the hash_secret function, the first 29 chars are the same as the salt. Any information as to why this is the case would be appreciated.

My only theory is that the salt is prepended as well as embedded in the hash, which eliminates the need to store the salt in a separate DB field (essentially a record packing strategy)?

irb#1(main):004:0> password_salt = BCrypt::Engine.generate_salt
=> "$2a$10$OrKdcWORLL8Gorhy9XR3UO"
irb#1(main):005:0> password='abc'
=> "abc"
irb#1(main):006:0> BCrypt::Engine.hash_secret(password, password_salt)
=> "$2a$10$OrKdcWORLL8Gorhy9XR3UOY8Sebzq92m7r02XPitzoazPdO7tmsEO"
irb#1(main):007:0> 

Recommended answer

There is no technical reason why this is the case. If you wanted to, you could store the salt and password separately. Heck, you could make the salt public if you wanted to. I've heard some people will use the user-id as the salt to save a few bits of storage in their database.

There would be no security gain by storing hashes and salts in different fields in the same database. All that really matters is that each salt is unique in order to thwart rainbow tables.

I imagine that the creator decided to concat the two strings simply to keep the salt and hash together in a single field in the database or application. Sometimes this can be useful, for example in languages that don't support multi-value returns.
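To make the "record packing" in the question and the answer concrete, here is an added example (written for this page, not code from the bcrypt gem) that parses the stored string from the IRB session above into its fields without any gem dependency. It assumes the standard bcrypt layout: `$` + version (`2`, `2a`, `2b`, `2x` or `2y`) + `$` + two-digit cost + `$` + 22-character salt + 31-character digest, all in the bcrypt base64 alphabet `./A-Za-z0-9`.

```ruby
# Added example for this page; not part of the bcrypt gem.
# Layout of a stored bcrypt string (60 chars), using the value from the question:
#   $2a$10$OrKdcWORLL8Gorhy9XR3UO Y8Sebzq92m7r02XPitzoazPdO7tmsEO
#   |  |  |<------ 22 chars ----->|<-------- 31 chars --------->|
#   |  |  salt (128 bits)          digest (184 bits)
#   |  cost factor: 2**10 rounds
#   algorithm version
# Because the salt and cost are carried in the stored value itself, a verifier only
# needs this one string (plus the candidate password) to recompute and compare.

BCRYPT_RE = /\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# Split a stored bcrypt string into its fields. Raises on anything that is not a
# well-formed bcrypt string, a useful sanity check before handing a DB value to
# BCrypt::Password.new.
def parse_bcrypt(stored)
  m = BCRYPT_RE.match(stored)
  raise ArgumentError, "not a bcrypt string: #{stored.inspect}" unless m
  version, cost, salt, digest = m.captures
  {
    version: version,
    cost: cost.to_i,                               # rounds = 2**cost
    salt: salt,                                    # 22-char salt only
    salt_string: "$#{version}$#{cost}$#{salt}",    # what generate_salt returned
    digest: digest                                 # 31-char hash output
  }
end

# Values copied from the IRB session in the question.
SALT_FROM_QUESTION = "$2a$10$OrKdcWORLL8Gorhy9XR3UO"
HASH_FROM_QUESTION = "$2a$10$OrKdcWORLL8Gorhy9XR3UOY8Sebzq92m7r02XPitzoazPdO7tmsEO"

# True when the stored value carries exactly the salt string it was produced with,
# i.e. the record is self-describing and needs no separate salt column.
def salt_embedded?(salt_string, stored)
  parse_bcrypt(stored)[:salt_string] == salt_string
end

if __FILE__ == $PROGRAM_NAME
  f = parse_bcrypt(HASH_FROM_QUESTION)
  puts "version=#{f[:version]} cost=#{f[:cost]} salt=#{f[:salt]} digest=#{f[:digest]}"
  puts "salt embedded in stored hash: #{salt_embedded?(SALT_FROM_QUESTION, HASH_FROM_QUESTION)}"
end
```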
