密码哈希处理 - 为什么盐6万倍 [英] Password Hashing - Why salt 60,000 times

问题描述

我工作了财富100强公司，我扔进安全的SHA-1移动到SHA-2被负责。这不是我的专业领域，但我研究密码学我质疑过时的信息等等...

1. SHA- 2，显然需要在SHA-1，但是当安全团队知道密码+盐的哈希使用SHA与GPU在开裂十亿哈希是如此可笑的快 - 我不明白为什么密码我不是被告知使用bcrypt或其他相当的慢，为什么呢？




2. 我显示PowerPoint幻灯片中，有人告诉我创造我的盐6万倍。我找遍了互联网，我没有看到任何这种意见或例子。为什么呢？

我使用C＃

 字符串SaltAndPwd = string.Concat（plainTextPassword，盐）; 
 SHA256 SHA2 = SHA256Managed.Create（）; 
字节[] = BUFF sha2.ComputeHash（Encoding.Unicode.GetBytes（SaltAndPwd））; 
  

我想，我不是告诉遍地创造的盐，而是创造哈希一遍又一遍。

请问这个逻辑是合适的？

 字符串plainTextPassword =aF7Cvs + QzZKM = 4！; 
串盐=o9kc5FvhWQU ==; 
 SHA256 SHA2 = SHA256Managed.Create（）; 
 
为（VAR I = 0;我LT&= 60000;我++）
 {
字节[] = BUFF sha2.ComputeHash（Encoding.Unicode.GetBytes（SaltAndPwd）） ; 
} 
  

如何让我这个散列正常工作？

更新中发现的PowerPoint幻灯片

的

更新与代码 - 问题与哈希验证实施

问题是，当我使用上我想
如果（resultHash.Equals（hassPassword）），它不匹配...

$ b代码检查
$ b

 公共字符串BuildVerify（）
 {
 
字符串密码=; 
串盐=; 
字节[]的结果;使用（VAR SHA256 = SHA256.Create（））
 {
密码=气垫船
 
 
; 
 
 //第1步：您可以使用RNGCryptoServiceProvider的东西值得使用
变种passwordHashing =新PasswordHashing（）; 
盐= passwordHashing.CreateRandomSalt（）; 
 
 //步骤2 
串散列= 
 Convert.ToBase64String（sha256.ComputeHash（Encoding.UTF8.GetBytes（盐+密码）））; 
 
 //第3步
结果= sha256.ComputeHash（Encoding.UTF8.GetBytes（盐+哈希））; 
 
 //第4步
的for（int i = 0; I< 60000;我++）
 {
结果= 
 sha256.ComputeHash（编码.UTF8.GetBytes（盐+ Convert.ToBase64String（结果）））; 
} 
} 
 
 
 //测试核实这一工程.. 
 
串SaltAndPwd = string.Concat（口令，盐）; 
 SHA256 SHA2 = SHA256Managed.Create（）; 
字节[] = BUFF sha2.ComputeHash（Encoding.Unicode.GetBytes（SaltAndPwd））; 
串resultHash = Convert.ToBase64String（BUFF）; 
串hassPassword = Convert.ToBase64String（结果）; 
 
如果（resultHash.Equals（hassPassword））
 {
 //完美
} 
 
 
 
 
返回; 
 
} 
 
 
公共类PasswordHashing 
 {
 
公共字符串CreateRandomSalt（）
 {
字符串密码=; 
密码= HashPassword.CreateSalt（8）+=; 
密码= password.Replace（/，C）; 
返回密码; 
} 
 
} 
  

///

 公共静态字符串CreateSalt（INT大小）
 {
 RNGCryptoServiceProvider RNG =新RNGCryptoServiceProvider（）; 
 
字节[] = BUFF新的字节[大小] 
 rng.GetBytes（BUFF）; 
返回Convert.ToBase64String（BUFF）; 
} 
  

新问题
想通，我会继续前进，创造一个新的问题，谢谢大家提前。
不工作 - 完整的代码所示

解决方案

我不明白为什么密码我不被告知使用bcrypt或其他相当的缓慢。

我猜这就是为什么他们会问你哈希60000时间。要添加一个工作因素，减缓暴力攻击。

如何让我这个散列正常工作？

事情是这样的：使用（VAR SHA256

  = SHA256.Create（））
 {
字符串密码=气垫船; 
 
 //第1步：您可以使用RNGCryptoServiceProvider的东西值得使用
串盐= GenerateSalt（）; 
 
 //步骤2 
串散列= 
 Convert.ToBase64String（sha256.ComputeHash（Encoding.UTF8.GetBytes（盐+密码）））; 
 
 //第3步
的byte []结果= sha256.ComputeHash（Encoding.UTF8.GetBytes（盐+哈希））; 
 
 //第4步
的for（int i = 0; I< 60000;我++）
 {
结果= 
 sha256.ComputeHash（编码.UTF8.GetBytes（盐+ Convert.ToBase64String（结果）））; 
} 
} 
  

I'm working for a Fortune 100 company and I'm thrown into being tasked with security moving from SHA1 to SHA-2 . This is not my area of expertise, but as I study cryptography I am questioning the outdated information etc...

1. SHA-2 is obviously needed over SHA-1 but when the security team KNOWS that the hashing of password + salt is using SHA, with GPU being so ridiculously fast at cracking billions of hashes - I do not get why for passwords i'm not being told to use bcrypt or another equivalent that is slow , WHY?

2. I'm shown a powerpoint slide in which i'm told to create my salt 60,000 times. I searched all over the internet and I'm not seeing any such advise or examples. Why?

I'm using C#

string SaltAndPwd = string.Concat(plainTextPassword, salt);
SHA256 sha2 = SHA256Managed.Create();
byte[] buff = sha2.ComputeHash(Encoding.Unicode.GetBytes(SaltAndPwd));

I suppose that I'm not told to create a salt over and over, but to create the hash over and over.

Would this logic be appropriate?

string plainTextPassword = "aF7Cvs+QzZKM=4!";  
string salt = "o9kc5FvhWQU==";
SHA256 sha2 = SHA256Managed.Create();

for(var i = 0; i <= 60000; i++)
{
   byte[] buff = sha2.ComputeHash(Encoding.Unicode.GetBytes(SaltAndPwd));
}

How do I make this hashing to work properly?

Update found the powerpoint slide

Update with Code - Problem with implementation on verification of the hash

Problem is when I use the check on the code I'm trying if (resultHash.Equals(hassPassword)) and it does not match...

    public string BuildVerify()
    {

        string password = "";
        string salt = "";
        byte[] result;


        using (var sha256 = SHA256.Create())
        {
            password = "hovercraft";

            // step 1: you can use RNGCryptoServiceProvider for something worth using
            var passwordHashing = new PasswordHashing();
            salt = passwordHashing.CreateRandomSalt();

            // step 2
            string hash =
               Convert.ToBase64String(sha256.ComputeHash(Encoding.UTF8.GetBytes(salt + password)));

            // step 3
            result = sha256.ComputeHash(Encoding.UTF8.GetBytes(salt + hash));

            // step 4
            for (int i = 0; i < 60000; i++)
            {
                result =
                 sha256.ComputeHash(Encoding.UTF8.GetBytes(salt + Convert.ToBase64String(result)));
            }
        }


        // TESTING  VERIFY this works ..

        string SaltAndPwd = string.Concat(password, salt);
        SHA256 sha2 = SHA256Managed.Create();
        byte[] buff = sha2.ComputeHash(Encoding.Unicode.GetBytes(SaltAndPwd));
        string resultHash = Convert.ToBase64String(buff);
        string hassPassword = Convert.ToBase64String(result);

        if (resultHash.Equals(hassPassword))
        {
            // perfect 
        }




        return "";

    }


public class PasswordHashing
{

    public string CreateRandomSalt()
    {
        string password = "";
        password = HashPassword.CreateSalt(8) + "=";
        password = password.Replace("/", "c");
        return password;
    }

}

///

    public static string CreateSalt(int size)
    {
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

        byte[] buff = new byte[size];
        rng.GetBytes(buff);
        return Convert.ToBase64String(buff);
    }

NEW Question figured that I would go ahead and create a new question , thanks everyone in advance. Verification of Hashing password is not working - complete code shown

解决方案

I do not get why for passwords i'm not being told to use bcrypt or another equivalent that is slow

I'm guessing this is why they're asking you to hash 60000 time. To add a work factor and slow down brute force attacks.

How do I make this hashing to work properly?

Something like this:

using (var sha256 = SHA256.Create())
{
    string password = "hovercraft";

    // step 1: you can use RNGCryptoServiceProvider for something worth using
    string salt = GenerateSalt();

    // step 2
    string hash = 
       Convert.ToBase64String(sha256.ComputeHash(Encoding.UTF8.GetBytes(salt + password)));

    // step 3
    byte[] result = sha256.ComputeHash(Encoding.UTF8.GetBytes(salt + hash));

    // step 4
    for (int i = 0; i < 60000; i++)
    {
        result = 
         sha256.ComputeHash(Encoding.UTF8.GetBytes(salt + Convert.ToBase64String(result)));
    }
}

这篇关于密码哈希处理 - 为什么盐6万倍的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！