Is "double hashing" a password less secure than just hashing it once?


Question

Is hashing a password twice before storage any more or less secure than just hashing it once?

I'm talking about doing this:

$hashed_password = hash(hash($plaintext_password));

Rather than just this:

$hashed_password = hash($plaintext_password);

If it is less secure, can you provide a good explanation (or a link to one)?

Also, does the hash function used make a difference? Does it make any difference if you mix md5 and sha1 (for example) instead of repeating the same hash function?

Note 1: When I say "double hashing" I'm talking about hashing a password twice in an attempt to make it more obscured. I'm not talking about the technique for resolving collisions.

Note 2: I know I need to add a random salt to really make it secure. The question is whether hashing twice with the same algorithm helps or hurts the hash.

Accepted answer

Hashing a password once is insecure

No, multiple hashes are not less secure; they are an essential part of secure password use.

Iterating the hash increases the time it takes for an attacker to try each password in their list of candidates. You can easily increase the time it takes to attack a password from hours to years.

Merely chaining hash output to input isn't sufficient for security. The iteration should take place in the context of an algorithm that preserves the entropy of the password. Luckily, there are several published algorithms that have had enough scrutiny to give confidence in their design.

A good key derivation algorithm like PBKDF2 injects the password into each round of hashing, mitigating concerns about collisions in hash output. PBKDF2 can be used for password authentication as-is. Bcrypt follows the key derivation with an encryption step; that way, if a fast way to reverse the key derivation is discovered, an attacker still has to complete a known-plaintext attack.

Stored passwords need protection from an offline attack. If passwords aren't salted, they can be broken with a pre-computed dictionary attack (for example, using a Rainbow Table). Otherwise, the attacker must spend time to compute a hash for each password and see if it matches the stored hash.

All passwords are not equally likely. Attackers might exhaustively search all short passwords, but they know that their chances for brute-force success drop sharply with each additional character. Instead, they use an ordered list of the most likely passwords. They start with "password123" and progress to less frequently used passwords.

Let's say an attacker's list is long, with 10 billion candidates; suppose also that a desktop system can compute 1 million hashes per second. The attacker can test her whole list in less than three hours if only one iteration is used. But if just 2000 iterations are used, that time extends to almost 8 months. To defeat a more sophisticated attacker—one capable of downloading a program that can tap the power of their GPU, for example—you need more iterations.

The number of iterations to use is a trade-off between security and user experience. Specialized hardware that can be used by attackers is cheap, but it can still perform hundreds of millions of iterations per second. The performance of the attacker's system determines how long it takes to break a password given a number of iterations. But your application is not likely to use this specialized hardware. How many iterations you can perform without aggravating users depends on your system.

You can probably let users wait an extra ¾ second or so during authentication. Profile your target platform, and use as many iterations as you can afford. Platforms I've tested (one user on a mobile device, or many users on a server platform) can comfortably support PBKDF2 with between 60,000 and 120,000 iterations, or bcrypt with a cost factor of 12 or 13.

Read PKCS #5 for authoritative information on the role of salt and iterations in hashing. Even though PBKDF2 was meant for generating encryption keys from passwords, it works well as a one-way hash for password authentication. Each iteration of bcrypt is more expensive than a SHA-2 hash, so you can use fewer iterations, but the idea is the same. Bcrypt also goes a step beyond most PBKDF2-based solutions by using the derived key to encrypt a well-known plain text. The resulting cipher text is stored as the "hash," along with some meta-data. However, nothing stops you from doing the same thing with PBKDF2.

Here are other answers I've written on this topic:
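As an added illustration (not code from the question or the answer), here is a Python sketch contrasting the unsalted hash(hash()) chain from the question with salted PBKDF2-HMAC-SHA256, carrying through the answer's attack-time arithmetic (10 billion candidates, 1 million hashes per second, 1 versus 2000 iterations), and profiling the local platform for an iteration count that costs about ¾ second. Function names and sample values are mine.

```python
import hashlib
import hmac
import os
import time

def naive_double_hash(password: bytes) -> str:
    """The questioner's hash(hash(pw)) chain: unsalted, a fixed two rounds.
    Every user with the same password gets the same output, and two SHA-256
    calls cost an attacker almost nothing extra per candidate."""
    return hashlib.sha256(hashlib.sha256(password).digest()).hexdigest()

def pbkdf2_hash(password: bytes, iterations: int, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (PKCS #5): the password is fed into every
    round, so iterating does not erode its entropy. Returns what must be
    stored alongside the digest: the salt and the iteration count."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, iterations, digest

def pbkdf2_verify(password: bytes, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, stored)

def attack_seconds(candidates: int, hashes_per_second: float, iterations: int) -> float:
    """Time for an attacker to run a candidate list against one stored hash:
    each candidate costs `iterations` hash computations."""
    return candidates * iterations / hashes_per_second

def calibrate_iterations(target_seconds: float = 0.75, probe: int = 10_000) -> int:
    """Profile this platform: scale a timed probe up to the iteration count
    that makes one verification take roughly `target_seconds`."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"\x00" * 16, probe)
    elapsed = time.perf_counter() - start
    return max(probe, int(probe * target_seconds / elapsed))

if __name__ == "__main__":
    # Constructed sample values, matching the answer's worked numbers.
    hours = attack_seconds(10_000_000_000, 1_000_000, 1) / 3600
    months = attack_seconds(10_000_000_000, 1_000_000, 2000) / (86_400 * 30)
    print(f"1 iteration: {hours:.1f} h; 2000 iterations: {months:.1f} months")
    print("iterations for ~0.75 s on this machine:", calibrate_iterations())
```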
