有人能解释BCrypt如何验证哈希？ [英] Can someone explain how BCrypt verifies a hash?

问题描述

我使用C＃和BCrypt.Net哈希我的密码。

例如：

 字符串盐= BCrypt.Net.BCrypt.GenerateSalt（6）;
VAR hashedPassword = BCrypt.Net.BCrypt.HashPassword（密码，盐）;//这个计算结果为真。怎么样？我不告诉它的任何地方盐，也
//它是一个BCrypt实例的成员，因为没有BCRYPT实例。
Console.WriteLine（BCrypt.Net.BCrypt.Verify（密码，hashedPassword））;
Console.WriteLine（hashedPassword）;
 

如何BCrypt与哈希验证密码，如果它不保存任何地方盐。我唯一​​的想法是，它以某种方式在哈希的最后追加盐。

这是一个正确的假设？

解决方案

  

如何BCrypt与哈希验证密码，如果它不保存任何地方盐？

显然它没有做任何这样的事情。盐在某处被保存。

让我们来看看了维基百科上的密码加密方案。从 http://en.wikipedia.org/wiki/Crypt_(Unix）：

  的函数的输出不仅是散列：它是一个文本串也连接codeS的盐，并识别使用的散列算法

。

另外，回答你的<一个href=\"http://stackoverflow.com/questions/5393475/where-to-find-documentation-on-bcrypt-for-net/5393534#5393534\">$p$pvious关于这个问题的问题纳入到一个链接<一个href=\"http://derekslager.com/blog/attachment.ashx/bcrypt-dotnet-strong-password-hashing-for-dotnet-and-mono/BCrypt.cs\">source code 。 而不是要求互联网阅读源$ C ​​$ C你，你总是可以选择自己读它。这可能会得到你的答案更快。源$ C ​​$ C的相关部分是：

 的StringBuilder RS​​ =新的StringBuilder（）;
    rs.Append（$ 2）;
    如果（次要＆GT; ='一'）{
        rs.Append（次要）;
    }
    rs.Append（'$'）;
    如果（轮小于10）{
        rs.Append（'0'）;
    }
    rs.Append（发）;
    rs.Append（'$'）;
    rs.Append（恩codeBase64（saltBytes，saltBytes.Length））;
    rs.Append（恩codeBase64（散列，（bf_crypt_ciphertext.Length * 4） -  1））;
    返回rs.ToString（）;
 

显然返回的字符串是版本信息，随后用轮数，其次是盐EN codeD为base64，其次是哈希连接codeD为base64。

I'm using C# and BCrypt.Net to hash my passwords.

For example:

string salt = BCrypt.Net.BCrypt.GenerateSalt(6);
var hashedPassword = BCrypt.Net.BCrypt.HashPassword("password", salt);

//This evaluates to True. How? I'm not telling it the salt anywhere, nor
//is it a member of a BCrypt instance because there IS NO BCRYPT INSTANCE.
Console.WriteLine(BCrypt.Net.BCrypt.Verify("password", hashedPassword));
Console.WriteLine(hashedPassword);

How is BCrypt verifying the password with the hash if it's not saving the salt anywhere. The only idea I have is that it's somehow appending the salt at the end of the hash.

Is this a correct assumption?

解决方案

How is BCrypt verifying the password with the hash if it's not saving the salt anywhere?

Clearly it is not doing any such thing. The salt has to be saved somewhere.

Let's look up password encryption schemes on Wikipedia. From http://en.wikipedia.org/wiki/Crypt_(Unix) :

The output of the function is not merely the hash: it is a text string which also encodes the salt and identifies the hash algorithm used.

Alternatively, an answer to your previous question on this subject included a link to the source code. Rather than asking the internet to read the source code for you, you could always choose to read it yourself. That would probably get your answer faster. The relevant section of the source code is:

    StringBuilder rs = new StringBuilder();
    rs.Append("$2");
    if (minor >= 'a') {
        rs.Append(minor);
    }
    rs.Append('$');
    if (rounds < 10) {
        rs.Append('0');
    }
    rs.Append(rounds);
    rs.Append('$');
    rs.Append(EncodeBase64(saltBytes, saltBytes.Length));
    rs.Append(EncodeBase64(hashed,(bf_crypt_ciphertext.Length * 4) - 1));
    return rs.ToString();

Clearly the returned string is version information, followed by the number of rounds used, followed by the salt encoded as base64, followed by the hash encoded as base64.

这篇关于有人能解释BCrypt如何验证哈希？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！