Blowfish salt length for the Crypt() function?
Problem description
According to the crypt() documentation, the salt needs to be 22 base 64 digits from the alphabet "./0-9A-Za-z".
This is the code example they give:
crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$');
The first confusing part is that salt has 25 characters, not 22.
Question #1: Does that mean the salt is supposed to be longer than 22 characters?
Then I tested the function myself and noticed something. If I use a 20 character salt, I get this
// using 20 char salt: 00000000001111111111
crypt('rasmuslerdorf', '$2a$07$00000000001111111111$');
// $2a$07$00000000001111111111$.6Th1f3O1SYpWaEUfdz7ieidkQOkGKh2
So, when I used a 20 character salt, the entire salt is in the output. Which is convenient, because I do not have to store the salt in a separate place then. (I want to use random salts). I would be able to read the salt back out of the generated hash.
However, if I use a 22 character salt as the documentation says, or a longer one, the salt is cut off at the end.
// using 22 char salt: 0000000000111111111122
crypt('rasmuslerdorf', '$2a$07$0000000000111111111122$');
// $2a$07$000000000011111111112uRTfyYkWmPPMWDRM/cUAlulrBkhVGlui
// 22nd character of the salt is gone
// using 25 char salt: 0000000000111111111122222
crypt('rasmuslerdorf', '$2a$07$0000000000111111111122222$');
// $2a$07$000000000011111111112uRTfyYkWmPPMWDRM/cUAlulrBkhVGlui
// Same hash was generated as before, 21 chars of the salt are in the hash
Question #2: So, what exactly is the proper length of a salt? 20? 22? Longer?
Question #3: Also, is it a good idea to read the salt out of the hash when it is time to check passwords? Instead of storing the salt in a separate field and reading it from there. (Which seems redundant since the salt seems to be included in the hash).
Blowfish salts should be 22 chars long (including the trailing $, so 21) - you can double check with var_dump(CRYPT_SALT_LENGTH), I can't verify this now but my guess is that less chars will return an error and more chars will be truncated.
Regarding your third question: yes, you should read and check the hash using the embedded salt (and cost) parameters from the hash itself.
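As an added example (not part of the original question or answer), the following Python reproduces the two behaviours seen above: the rewriting of the 22nd salt character ('2' becomes 'u'), and reading the cost and salt back out of a stored bcrypt string so no separate salt column is needed. The helper names and the regular expression are my own; the hash value is the one from the question.

```python
# Added example: bcrypt salt canonicalisation and hash parsing.
# Standard library only; sample values are constructed from the question.
import re

# bcrypt's own base64 alphabet (not the RFC 4648 order).
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def canonical_bcrypt_salt(salt: str) -> str:
    """Truncate to 22 chars and canonicalise the last one.

    22 base64 chars carry 132 bits but the salt is only 128 bits, so only
    the top 2 bits of the 22nd char are used. bcrypt decodes the salt to
    16 bytes and re-encodes it, so the low 4 bits of the last char come
    back cleared: that is why '2' turns into 'u' in the stored hash.
    """
    salt = salt[:22]
    if len(salt) != 22 or any(c not in BCRYPT_ALPHABET for c in salt):
        raise ValueError("salt must be 22 chars from ./0-9A-Za-z")
    last = BCRYPT_ALPHABET.index(salt[-1]) & 0b110000
    return salt[:-1] + BCRYPT_ALPHABET[last]


# $<version>$<2-digit cost>$<22-char salt><31-char digest>
_HASH_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt_hash(hashed: str) -> dict:
    """Split a bcrypt string into version, cost, salt and digest.

    Everything needed to re-run crypt() at verification time is in the
    stored hash itself, so the salt need not be kept in a separate field.
    """
    m = _HASH_RE.match(hashed)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "salt": salt, "digest": digest}


if __name__ == "__main__":
    for s in ("0000000000111111111122", "0000000000111111111122222"):
        print(s, "->", canonical_bcrypt_salt(s))
    print(parse_bcrypt_hash("$2a$07$000000000011111111112uRTfyYkWmPPMWDRM/cUAlulrBkhVGlui"))
```

A 20-character salt followed by `$` is rejected by this helper, since `$` is not in the alphabet; the hash the question shows for that input reflects crypt() passing the bad salt through rather than a valid salt.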