PHP中的盐渍密码验证 [英] Salted Password Validation in PHP

问题描述

在crackstation.net 上声明:

On crackstation.net it is stated:

验证密码

• 从数据库中检索用户的盐和哈希.
• 在给定的密码前添加盐并使用相同的哈希函数对其进行哈希处理.
• 将给定密码的哈希值与数据库中的哈希值进行比较.如果它们匹配，则密码是正确的.否则，
  密码不正确.

但是在页面底部列出的源代码中，我不能t 弄清楚 validate_password 函数如何考虑盐.我的意思是给定密码前面的盐在哪里?

However in the source code listed at the bottom of the page, I can't figure out how the validate_password function takes into account the salt. I mean where is the salt prepended to the given password?

这是有问题的函数:

function validate_password($password, $correct_hash)
{
    $params = explode(":", $correct_hash);
    if(count($params) < HASH_SECTIONS)
       return false;
    $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
    return slow_equals(
        $pbkdf2,
        pbkdf2(
            $params[HASH_ALGORITHM_INDEX],
            $password,
            $params[HASH_SALT_INDEX],
            (int)$params[HASH_ITERATION_INDEX],
            strlen($pbkdf2),
            true
        )
    );
}

推荐答案

看起来 Salt、Hash 和 interation number 存储在同一个字符串中，并在函数开头分成三个字符串(在一个数组中):

Looks like the Salt, Hash and interation number are stored in the same string and are separated into three strings (in an array) at the beginning of the function:

$params = explode(":", $correct_hash);

值的顺序取决于常量 HASH_ALGORITHM_INDEX、HASH_SALT_INDEX 和 HASH_ITERATION_INDEX 的定义方式.

The order of the values depends on how the constants HASH_ALGORITHM_INDEX, HASH_SALT_INDEX and HASH_ITERATION_INDEX are defined.

这篇关于PHP中的盐渍密码验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！