Blowfish salt length for the Crypt() function?


Problem description


According to the crypt() documentation, the salt needs to be 22 base 64 digits from the alphabet "./0-9A-Za-z".

This is the code example they give:

crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$');

The first confusing part is that salt has 25 characters, not 22.

Question #1: Does that mean the salt is supposed to be longer than 22 characters?

Then I tested the function myself and noticed something. If I use a 20 character salt, I get this

// using 20 char salt: 00000000001111111111
crypt('rasmuslerdorf', '$2a$07$00000000001111111111$');
// $2a$07$00000000001111111111$.6Th1f3O1SYpWaEUfdz7ieidkQOkGKh2

So, when I used a 20 character salt, the entire salt is in the output. Which is convenient, because I do not have to store the salt in a separate place then. (I want to use random salts). I would be able to read the salt back out of the generated hash.

However, if I use a 22 character salt as the documentation says, or a longer one, the salt is cut off at the end.

// using 22 char salt: 0000000000111111111122
crypt('rasmuslerdorf', '$2a$07$0000000000111111111122$');
// $2a$07$000000000011111111112uRTfyYkWmPPMWDRM/cUAlulrBkhVGlui
// 22nd character of the salt is gone

// using 25 char salt: 0000000000111111111122222
crypt('rasmuslerdorf', '$2a$07$0000000000111111111122222$');
// $2a$07$000000000011111111112uRTfyYkWmPPMWDRM/cUAlulrBkhVGlui
// Same hash was generated as before, 21 chars of the salt are in the hash

Question #2: So, what exactly is the proper length of a salt? 20? 22? Longer?

Question #3: Also, is it a good idea to read the salt out of the hash when it is time to check passwords? Instead of storing the salt in a separate field and reading it from there. (Which seems redundant since the salt seems to be included in the hash).

Solution

Blowfish salts should be 22 chars long (including the trailing $, so 21). You can double-check with var_dump(CRYPT_SALT_LENGTH); I can't verify this now, but my guess is that fewer chars will return an error and more chars will be truncated.

Regarding your third question: yes, you should read and check the hash using the embedded salt (and cost) parameters from the hash itself.
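The following is an added example, not code from the question or the answer above. It shows the three things the thread circles around: how to build a 22-character bcrypt salt from a CSPRNG, why the 22nd character comes back changed, and how to verify a password by feeding the stored hash back to crypt() so the embedded salt and cost are reused. The bcrypt salt is 128 bits; its alphabet (./A-Za-z0-9) carries 6 bits per character, so 21 characters hold 126 bits and only 2 bits of the 22nd are significant. crypt() decodes the salt and re-encodes it, which is why the '2' in the question's 22nd position comes back as 'u' and why anything after it is ignored. The function names, the $2y$ identifier (PHP 5.3.7 and later; the question used $2a$) and the sample password are my choices.

```php
<?php
// Added example: bcrypt salt generation, hashing and verification with crypt().
// Assumes PHP >= 5.3.7 (for $2y$) and PHP >= 7.0 (for random_bytes/hash_equals).

// 22 salt characters after "$2y$NN$": 21 full 6-bit characters plus 2 bits
// of the 22nd. crypt() canonicalises the 22nd character and ignores the rest.
const BCRYPT_SALT_CHARS = 22;

function makeBcryptSalt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes -> 24 chars of standard base64 ("==" padded); the
    // first 22 characters carry all 128 bits. Standard base64 uses '+', which
    // is outside the allowed ./0-9A-Za-z alphabet, so map it to '.'.
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, BCRYPT_SALT_CHARS);
    // Cost is two decimal digits. No trailing '$' is needed: crypt() reads
    // exactly 22 salt characters after the cost and stops there.
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

function hashPassword(string $password, int $cost = 10): string
{
    $hash = crypt($password, makeBcryptSalt($cost));
    // A bcrypt hash is always 60 chars: 7 (identifier + cost) + 22 (salt) + 31 (digest).
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt not available or salt rejected');
    }
    return $hash;
}

function verifyPassword(string $password, string $storedHash): bool
{
    // Passing the stored hash as the "salt" makes crypt() reuse the embedded
    // identifier, cost and 22-char salt; compare in constant time.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Split a stored hash into its components (question 3: the salt never needs
// its own column, it is the third '$'-delimited field).
function parseBcryptHash(string $hash): array
{
    if (!preg_match('#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['ident' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Constructed demo input, same password as the question.
$hash = hashPassword('rasmuslerdorf', 7);
print_r(parseBcryptHash($hash));
var_dump(verifyPassword('rasmuslerdorf', $hash));
var_dump(verifyPassword('wrong-password', $hash));
```

On PHP 5.5 and later the same thing is available with less room for error as password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]) and password_verify(), which generate the salt internally and embed it in the hash exactly as above; the crypt() form is shown here only because it is what the question asks about.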
