Password hashing in Windows store app


Problem description

I am writing an authentication service for my app. Clients will connect via HTTP to this authentication service to register or connect. After they have connected, they will receive a session key that they can use to encrypt the TCP/UDP packets sent to a secondary server. That is still WIP, so this is just to give you a big-picture overview.

Server side, I use BCrypt to hash the incoming password and store that in a database. Server side, I also use BCrypt's Verify method to check any incoming password against the stored hash. So that basically works.

However, I naturally don't want to transfer an unhashed password over the wire. There is no BCrypt for Windows Store apps, but I found some MSDN sample code demonstrating how to use the new Cryptography API for Windows Store apps to hash a string, like so:

    using Windows.Security.Cryptography;
    using Windows.Security.Cryptography.Core;
    using Windows.Storage.Streams;

    // Single, unsalted SHA-512 of the password, returned Base64-encoded
    // (Windows Runtime cryptography API).
    public static string Hash(string password)
    {
        HashAlgorithmProvider provider =
            HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Sha512);

        CryptographicHash hash = provider.CreateHash();

        // Encode the password as UTF-16 big-endian bytes before hashing;
        // every client must use the same encoding to produce the same digest.
        IBuffer buffer = CryptographicBuffer.ConvertStringToBinary(password, BinaryStringEncoding.Utf16BE);
        hash.Append(buffer);
        IBuffer hashedBuffer = hash.GetValueAndReset();

        return CryptographicBuffer.EncodeToBase64String(hashedBuffer);
    }


I plan to have various clients connecting to the service, not only Windows Store apps (also traditional Windows desktop apps). So naturally I want "one" way of hashing the password client side.

I need advice on additional security mechanisms I should implement, and on whether hashing the password client side using SHA512, as demonstrated in the code above, is "enough" when transmitting it to the server (which again hashes and salts it before storing).

Answer

Performing any kind of authentication without TLS protection leaves you with vulnerabilities. Bcrypt server side can give you limited protection against attacks on a stolen database. Sending (hashed) passwords unprotected over the line, however, should be considered a security risk.

It should be possible to introduce at least a salt and a work factor on the client side. These parameters could be retrieved from the server side, as they need to remain constant. Then you could use bcrypt client side. You say that it isn't available in the API, but that should not concern you. Bcrypt is just an algorithm, and there will be implementations of it available online.

Brute force attacks and dictionary attacks would still be available to an attacker (eavesdropper), but they would be harder to accomplish, giving you limited protection for users with moderately strong passwords (if the client code can be trusted).
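The scheme the answer sketches (server hands out a per-user salt and work factor, the client runs a slow hash with them, the server re-hashes the received value before storing it), as an added example that is not part of the original answer. It is written in Python so it runs anywhere with the standard library only: PBKDF2-HMAC-SHA256 from `hashlib` stands in for bcrypt, which the answer recommends but which the standard library does not ship; a bcrypt client would take the same three inputs (password, salt, cost). The `AuthServer` class, the `run_flow` helper, the users `alice` and `bob`, and the iteration counts are all assumptions made for the example. It also shows two things the answer implies but does not spell out: the value the client sends is itself a credential (replaying a captured one logs in, which is why TLS is still required), and serving per-user salts on request can reveal which usernames exist unless unknown users get a stable fake salt.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Parameters the server hands out; values are assumed for the example and
# would be tuned per deployment.
CLIENT_ITERATIONS = 100_000  # client-side work factor
SERVER_ITERATIONS = 10_000   # server-side re-hash before storage
SALT_LEN = 16


def client_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow hash run on the client with the server-supplied salt and work
    factor. PBKDF2-HMAC-SHA256 stands in for bcrypt here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def server_hash(client_value: bytes, server_salt: bytes) -> bytes:
    """Second hash applied by the server, so a stolen database does not
    directly contain the value that is accepted at login."""
    return hashlib.pbkdf2_hmac("sha256", client_value, server_salt, SERVER_ITERATIONS)


class AuthServer:
    """Minimal in-memory authentication service (constructed for the example)."""

    def __init__(self) -> None:
        self._users = {}  # username -> record dict
        # Secret used to fabricate a stable salt for unknown usernames, so the
        # parameter lookup does not reveal which accounts exist.
        self._enum_key = os.urandom(32)

    def registration_params(self) -> tuple[bytes, int]:
        """Fresh random client salt plus the current client work factor."""
        return os.urandom(SALT_LEN), CLIENT_ITERATIONS

    def register(self, username: str, salt: bytes, iterations: int,
                 client_value: bytes) -> None:
        if username in self._users:
            raise ValueError("user exists")
        server_salt = os.urandom(SALT_LEN)
        self._users[username] = {
            "client_salt": salt,
            "client_iterations": iterations,
            "server_salt": server_salt,
            "stored": server_hash(client_value, server_salt),
        }

    def login_params(self, username: str) -> tuple[bytes, int]:
        """Salt and work factor for a login attempt. Unknown users get a
        deterministic fake salt derived from the username, so the response
        looks the same as for a real account on every request."""
        rec = self._users.get(username)
        if rec is not None:
            return rec["client_salt"], rec["client_iterations"]
        fake = hmac.new(self._enum_key, username.encode("utf-8"), "sha256").digest()
        return fake[:SALT_LEN], CLIENT_ITERATIONS

    def login(self, username: str, client_value: bytes) -> bool:
        rec = self._users.get(username)
        if rec is None:
            # Do the same amount of work as a real check so timing does not
            # distinguish unknown users from wrong passwords.
            server_hash(client_value, b"\x00" * SALT_LEN)
            return False
        candidate = server_hash(client_value, rec["server_salt"])
        return hmac.compare_digest(candidate, rec["stored"])


def run_flow(password: str, attempt: str) -> tuple[bool, bytes]:
    """Register 'alice' with `password`, then try to log in with `attempt`.
    Returns (login_ok, value_the_client_sent_over_the_wire)."""
    server = AuthServer()
    salt, iters = server.registration_params()
    server.register("alice", salt, iters, client_hash(password, salt, iters))
    salt, iters = server.login_params("alice")
    on_wire = client_hash(attempt, salt, iters)
    return server.login("alice", on_wire), on_wire


if __name__ == "__main__":
    ok, wire = run_flow("correct horse", "correct horse")
    print("login ok:", ok, "bytes on the wire:", wire.hex())
    print("wrong password:", run_flow("correct horse", "wrong")[0])
```

With real bcrypt the server can serve the `$2a$<cost>$<22-char salt>` prefix of the stored client hash as the parameter set, since bcrypt encodes cost and salt in the hash string itself. Note that `login` accepts whatever `client_hash` produced: an eavesdropper who records `on_wire` can replay it without ever learning the password, which is the answer's point that the hashing only slows down offline guessing and does not replace TLS.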
