在C＃中的哈希和盐密码 [英] Hash and salt passwords in C#

问题描述

我正要通过<一个DavidHayden的文章之一href=\"http://web.archive.org/web/20120413180026/http://davidhayden.com/blog/dave/archive/2004/02/16/157.aspx\">Hashing用户密码。

我真的不能得到什么，他正在努力实现的。

Really I can't get what he is trying to achieve.

下面是他的code：

private static string CreateSalt(int size)
{
    //Generate a cryptographic random number.
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    byte[] buff = new byte[size];
    rng.GetBytes(buff);

    // Return a Base64 string representation of the random number.
    return Convert.ToBase64String(buff);
}

private static string CreatePasswordHash(string pwd, string salt)
{
    string saltAndPwd = String.Concat(pwd, salt);
    string hashedPwd =
        FormsAuthentication.HashPasswordForStoringInConfigFile(
        saltAndPwd, "sha1");
    return hashedPwd;
}

是否有散列密码，并加入盐的任何其他C＃方法？

Is there any other C# method for hashing passwords and adding salt to it?

推荐答案

其实这是一种奇怪的，用字符串转换 - 其成员资格提供确实将他们纳入配置文件。哈希和盐是二进制的斑点，除非你想要把它们放到文本文件，你并不需要将它们转换为字符串。

Actually this is kind of strange, with the string conversions - which the membership provider does to put them into config files. Hashes and salts are binary blobs, you don't need to convert them to strings unless you want to put them into text files.

在我的书中，<一个href=\"http://www.wrox.com/WileyCDA/WroxTitle/Beginning-ASP-NET-Security.productCd-0470743654.html\">Beginning ASP.NET安全，（哦，最后借口皮条客书）我做了以下

In my book, Beginning ASP.NET Security, (oh finally, an excuse to pimp the book) I do the following

static byte[] GenerateSaltedHash(byte[] plainText, byte[] salt)
{
  HashAlgorithm algorithm = new SHA256Managed();

  byte[] plainTextWithSaltBytes = 
    new byte[plainText.Length + salt.Length];

  for (int i = 0; i < plainText.Length; i++)
  {
    plainTextWithSaltBytes[i] = plainText[i];
  }
  for (int i = 0; i < salt.Length; i++)
  {
    plainTextWithSaltBytes[plainText.Length + i] = salt[i];
  }

  return algorithm.ComputeHash(plainTextWithSaltBytes);            
}

的盐生成是作为问题的例子。可以使用 Encoding.UTF8.GetBytes（字符串）文本转换为字节数组。如果必须在哈希转换成字符串再presentation可以使用 Convert.ToBase64String 和 Convert.FromBase64String 将其转换回。

The salt generation is as the example in the question. You can convert text to byte arrays using Encoding.UTF8.GetBytes(string). If you must convert a hash to its string representation you can use Convert.ToBase64String and Convert.FromBase64String to convert it back.

您应该注意的是不能使用的字节数组等于运算符，它会检查引用，所以你应该简单地通过两个阵列从而检查每个字节循环​​

You should note that you cannot use the equality operator on byte arrays, it checks references and so you should simply loop through both arrays checking each byte thus

public static bool CompareByteArrays(byte[] array1, byte[] array2)
{
  if (array1.Length != array2.Length)
  {
    return false;
  }

  for (int i = 0; i < array1.Length; i++)
  {
    if (array1[i] != array2[i])
    {
      return false;
    }
  }

  return true;
}

始终每密码使用新的盐。盐不必须保持秘密，可以存储沿着散列本身

Always use a new salt per password. Salts do not have to be kept secret and can be stored alongside the hash itself.

这篇关于在C＃中的哈希和盐密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！