Storing password in tables and Digest authentication


Question

The subject of how to store web site users' passwords in tables has come up several times on SO and the general advice is to store a hash of the password, eventually an HMAC hash. This works fine for Basic authentication or for forms based authentication (really the same thing). My problem is that I must also provide Digest authentication, aimed at the automated tools connecting to my service. I've been looking at this problem and as I see it, the only hash I can store is the HA1 part of the Digest: the hash of username : realm : password. This way I can validate both Basic/forms and Digest.

My problem is that I don't see any benefit in doing so. Now indeed an attacker cannot use Basic or forms based authentication if he gets hold of my password table (since he only has the hashed value and he needs to send the clear password), but nothing prevents him from using Digest authentication and giving a valid response to my service's challenge: he simply starts from the pre-computed HA1 from the table and continues the crafting of the response from there (i.e. the same thing I'd do to validate a user on the back-end).

Am I missing something? Does the addition of the Digest requirement basically make the storing of hashed passwords a no-op from a security POV, an obfuscation at best?
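The mechanism the question describes, as an added Python example that is not part of the original post: the server keeps only HA1 in its table, checks a Basic/form login by re-hashing the submitted password, and validates a Digest `Authorization` header (RFC 2617, qop=auth) starting from HA1 alone. The realm `example.com`, the user `alice`, her password and the header values are constructed for the example.

```python
import hashlib
import hmac
import re

REALM = "example.com"  # constructed realm for this example


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, password: str, realm: str = REALM) -> str:
    """HA1 = MD5(username:realm:password): the only value kept in the table."""
    return md5_hex(f"{username}:{realm}:{password}")


# Constructed password table: username -> HA1, no clear-text password stored.
USER_TABLE = {"alice": make_ha1("alice", "correct horse battery staple")}


def check_basic(username: str, password: str) -> bool:
    """Basic/form login: hash the submitted clear password, compare to stored HA1."""
    stored = USER_TABLE.get(username)
    return stored is not None and hmac.compare_digest(stored, make_ha1(username, password))


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response for qop=auth. It starts from HA1, never from the password."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and unquoted values)."""
    body = header.split(" ", 1)[1]
    return {k: q or u for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)}


def check_digest(header: str, method: str, server_nonce: str) -> bool:
    """Validate a client's Authorization header using only the stored HA1."""
    p = parse_digest_header(header)
    stored = USER_TABLE.get(p.get("username", ""))
    if stored is None or p.get("realm") != REALM or p.get("nonce") != server_nonce:
        return False
    expected = digest_response(stored, method, p.get("uri", ""), p.get("nonce", ""),
                               p.get("nc", ""), p.get("cnonce", ""))
    # Nothing above needs the password: the table row alone is enough to pass this
    # check, which is why the HA1 table must be protected like a credential store.
    return hmac.compare_digest(expected, p.get("response", ""))
```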

Answer

The reason I am using pre-computed hashes is not protection against attacks, but to secure users' privacy.

The attacker can indeed authenticate, but he cannot (easily) see the passwords of my precious users and compromise other services they are using, etc.
