PHP中的盐渍密码验证 [英] Salted Password Validation in PHP
问题描述
在crackstation.net 上声明:
On crackstation.net it is stated:
验证密码
- 从数据库中检索用户的盐和哈希.
- 在给定的密码前添加盐并使用相同的哈希函数对其进行哈希处理.
- 将给定密码的哈希值与数据库中的哈希值进行比较.如果它们匹配,则密码是正确的.否则,
密码不正确.
但是在页面底部列出的源代码中,我不能t 弄清楚 validate_password
函数如何考虑盐.我的意思是给定密码前面的盐在哪里?
However in the source code listed at the bottom of the page, I can't figure out how the validate_password
function takes into account the salt. I mean where is the salt prepended to the given password?
这是有问题的函数:
function validate_password($password, $correct_hash)
{
$params = explode(":", $correct_hash);
if(count($params) < HASH_SECTIONS)
return false;
$pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
return slow_equals(
$pbkdf2,
pbkdf2(
$params[HASH_ALGORITHM_INDEX],
$password,
$params[HASH_SALT_INDEX],
(int)$params[HASH_ITERATION_INDEX],
strlen($pbkdf2),
true
)
);
}
推荐答案
看起来 Salt、Hash 和 interation number 存储在同一个字符串中,并在函数开头分成三个字符串(在一个数组中):
Looks like the Salt, Hash and interation number are stored in the same string and are separated into three strings (in an array) at the beginning of the function:
$params = explode(":", $correct_hash);
值的顺序取决于常量 HASH_ALGORITHM_INDEX、HASH_SALT_INDEX 和 HASH_ITERATION_INDEX 的定义方式.
The order of the values depends on how the constants HASH_ALGORITHM_INDEX, HASH_SALT_INDEX and HASH_ITERATION_INDEX are defined.
这篇关于PHP中的盐渍密码验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!