Using bcrypt-ruby to validate hashed passwords using version $2y


Question

We're in a bit of a bind where we need to use Ruby to auth users against an existing db of users. The user's passwords were all generated using password_compat PHP library. All the hashed passwords start with $2y.

I've been using bcrypt-ruby to try and authenticate the users and I haven't found any success.

#This user's password is "password"
irb(main):041:0> g = BCrypt::Password.new("$2y$10$jD.PlMQwFSYSdu4imy8oCOdqKFq/FDlW./x9cMxoUmcLgdvKCDNd6")
=> "$2y$10$jD.PlMQwFSYSdu4imy8oCOdqKFq/FDlW./x9cMxoUmcLgdvKCDNd6"
irb(main):042:0> g == "password"
=> false
irb(main):044:0> g.version
=> "2y"
irb(main):045:0> g.cost
=> 10
irb(main):046:0> g.salt
=> "$2y$10$jD.PlMQwFSYSdu4imy8oCO"
irb(main):047:0> g.hash
=> -219334950017117414

I'm not very experienced with bcrypt or encryption in general. Can bcrypt-ruby handle $2y? I looked through the source and I don't think it can. Is this the fault of the underlying OS (I'm using OS X)?

Answer

Yes, bcrypt-ruby can handle passwords hashed with 2y. You just need to replace the 2y by 2a:

irb(main):002:0> BCrypt::Password.new("$2a$10$jD.PlMQwFSYSdu4imy8oCOdqKFq/FDlW./x9cMxoUmcLgdvKCDNd6") == "password"
=> true

This is necessary as bcrypt-ruby seems to follow Solar Designer’s first suggestion to introduce just 2x for a backward-compatible support for the "sign extension bug":

[…] I am considering keeping support for the broken hashes under another prefix - say, "$2x$" (where the "x" would stand for "sign eXtension bug") instead of the usual "$2a$".

Later he proposed to also introduce the 2y prefix for a better distinction between the three versions:

One idea is to allocate yet another prefix, which will mean the same thing as 2a, but "certified" as passing a certain specific test suite (which will include 8-bit chars). So we'll have:

2a - unknown correctness (may be correct, may be buggy)
2x - sign extension bug
2y - definitely correct

Newly set/changed passwords will be getting the new prefix.

PHP supports 2a, 2x, and 2y while bcrypt-ruby supports only 2a, and 2x. But if you know your implementation doesn’t have the "sign extension bug", you can just replace 2y by 2a, as 2y means the same thing as 2a.
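One way to apply the answer's advice in code, as an added example that is not part of the original question or answer: parse the stored hash, rewrite only a $2y$ prefix to $2a$ before handing it to bcrypt-ruby, leave $2x$ hashes untouched (they mark output of the buggy implementation and should be flagged for rehashing rather than silently relabelled), and reject anything that is not a well-formed bcrypt string. It assumes the bcrypt gem is installed (the require is guarded so the prefix helpers still run without it); the function names, the regular expression and the target cost are this example's own choices, and the sample hash is the one from the question.

```ruby
# Added example, not code from the original post. Assumes the bcrypt gem
# is installed; the require is guarded so the pure-Ruby helpers below can
# be exercised even when it is not.
begin
  require 'bcrypt'
rescue LoadError
  BCRYPT_AVAILABLE = false
else
  BCRYPT_AVAILABLE = true
end

# Modular-crypt bcrypt layout: $<version>$<2-digit cost>$<22 salt chars><31 hash chars>
# Only the versions discussed in the answer (2a, 2x, 2y) are accepted.
BCRYPT_RE = /\A\$(2[axy])\$(\d{2})\$([.\/A-Za-z0-9]{53})\z/

# Return a copy of `stored` that bcrypt-ruby understands.
# - 2y means "same as 2a, certified correct", so it is rewritten to 2a.
# - 2a is passed through unchanged.
# - 2x is passed through unchanged: it denotes hashes made by the
#   sign-extension-bug implementation, which bcrypt-ruby supports directly.
# Raises ArgumentError for anything that is not a bcrypt string, so a
# corrupted or foreign hash fails closed instead of being compared.
def normalize_bcrypt_hash(stored)
  m = BCRYPT_RE.match(stored.to_s)
  raise ArgumentError, 'not a bcrypt hash (expected $2a$, $2x$ or $2y$)' unless m
  version, cost, body = m.captures
  version = '2a' if version == '2y'
  "$#{version}$#{cost}$#{body}"
end

# Constant-time comparison is handled by BCrypt::Password#==; we only fix
# the prefix first. Returns true when `candidate` matches `stored`.
def verify_password(stored, candidate)
  BCrypt::Password.new(normalize_bcrypt_hash(stored)) == candidate
end

# A stored hash should be regenerated after a successful login when it
# carries the buggy 2x prefix or a cost below the current policy.
def rehash_needed?(stored, target_cost)
  m = BCRYPT_RE.match(stored.to_s)
  raise ArgumentError, 'not a bcrypt hash' unless m
  version, cost, _body = m.captures
  version == '2x' || cost.to_i < target_cost
end

if __FILE__ == $PROGRAM_NAME
  # Sample hash taken from the question; its password is "password".
  php_hash = '$2y$10$jD.PlMQwFSYSdu4imy8oCOdqKFq/FDlW./x9cMxoUmcLgdvKCDNd6'
  puts "normalized: #{normalize_bcrypt_hash(php_hash)}"
  puts "rehash at cost 12? #{rehash_needed?(php_hash, 12)}"
  if BCRYPT_AVAILABLE
    puts "matches 'password'? #{verify_password(php_hash, 'password')}"
    puts "matches 'wrong'?    #{verify_password(php_hash, 'wrong')}"
  else
    puts 'bcrypt gem not installed; skipping verification'
  end
end
```

The rewrite is deliberately limited to the one prefix the answer says is equivalent; an application that verifies a 2x hash successfully should treat that as a signal to store a fresh hash, since it only exists to preserve logins created by a known-buggy implementation.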
