PHP 的 password_hash FIPS 是否兼容? [英] Is PHP's password_hash FIPS compliant?
问题描述
我相信 hash('sha256', $pw) 是 FIPS 兼容的,但我确信使用该函数可能存在攻击向量.此外,没有盐(所以我将不得不遇到该实现,我宁愿不要).password_hash/password_verify 是否符合 FIPS?
I believe hash('sha256', $pw) is FIPS compliant, but I know for certain that an attack vector is possible with using that function. Also, there is no salt (so I would have to encounter that implementation and I would rather not). Is password_hash/password_verify FIPS compliant?
推荐答案
没有.
FIPS 140-2 不认证密码散列算法.因此,
password_hash不能符合 FIPS,因为 FIPS 根本不适用于它.
FIPS 140-2 does not certify password hashing algorithms. As such,
password_hashcannot be FIPS compliant, because FIPS simply doesn't apply to it.
据我所知,hash()(PHP 核心的一部分)使用的哈希实现尚未经过 FIPS 认证.如果您特别需要符合 FIPS 的实现,并且安装了符合 FIPS 的 OpenSSL 库,则可以使用 openssl_digest() 作为替代方案.(但是,请记住,即使使用盐,这也不是一种安全的密码存储方法!)
To the best of my knowledge, the hash implementations used by hash() (which are part of the PHP core) have not been FIPS certified. If you specifically need a FIPS-compliant implementation, and you have a FIPS-compliant OpenSSL library installed, you may be able to use openssl_digest() as an alternative. (However, remember that this is not a secure method of storing passwords, even with a salt!)
这篇关于PHP 的 password_hash FIPS 是否兼容?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
