加密,哈希和密码问题,总的noob? [英] Crypto, hashes and password questions, total noob?
问题描述
我已经阅读了关于这个主题的几个stackoverflow帖子,特别是这一个:
I've read several stackoverflow posts about this topic, particularly this one:
但我还有几个问题,我需要一些澄清,请让我知道以下声明是否真实,并解释您的意见:
but I still have a few questions, I need some clarification, please let me know if the following statements are true and explain your comments:
-
如果有人访问您的数据库/数据,那么他们仍然必须找出你的哈希算法,你的数据仍然会有点安全,取决于你的算法?
If someone has access to your database/data, then they would still have to figure out your hashing algorithm and your data would still be somewhat secure, depending on your algorithm? All they would have is the hash and the salt.
如果有人访问你的数据库/数据和你的源代码,那么看起来不管是什么你的做法,你的哈希算法可以逆向工程,你唯一会在你身边会是复杂和耗时的算法是什么?
If someone has access to your database/data and your source code, then it seems like no matter what your do, your hashing algorithm can be reversed engineered, the only thing you would have on your side would be how complex and time consuming your algorithm is?
似乎最薄弱的环节是:你自己的系统有多安全,谁有权访问它?
It seems like the weakest link is: how secure your own systems are and who has access to it?
Lasse V. Karlsen ...提出一个好点,如果你的数据被破坏,然后游戏结束...我的跟进问题是:什么类型的攻击是这些散列试图保护?我已经阅读关于彩虹表和字典攻击(暴力),但这些攻击是如何管理的?
Lasse V. Karlsen ... brings up a good point, if your data is compromised then game over ... my follow up question is: what types of attacks are these hashes trying to protect against? I've read about rainbow table and dictionary attacks (brute force), but how are these attacks administered?
推荐答案
你的问题是使用密码作为认证机制,以及如何使用哈希将这些密码安全地存储在数据库中。您可能已经知道目标是能够验证密码,而不存储这些密码,我在数据库中清除文本。在这方面,让我尝试回答您的每个问题:
You question is about using passwords as an authentication mechanism and how to securely store these passwords in a database using a hash. As you probably already know the goal is to be able to verify passwords without storing these passwords i clear text in the database. In this context let me try to answer each of your questions:
如果有人访问您的数据库/数据,找出你的哈希算法,你的数据仍然会有点安全,取决于你的算法?他们所有的都是哈希和盐。
If someone has access to your database/data, then they would still have to figure out your hashing algorithm and your data would still be somewhat secure, depending on your algorithm? All they would have is the hash and the salt.
哈希密码的基本思想是攻击者知道哈希算法并且可以访问哈希和盐。通过选择密码强散列函数和对于每个密码不同的合适的盐值,猜测密码所需的计算量是如此之高,使得成本超过攻击者可以通过猜测密码可能获得的可能的增益。因此,要回答您的问题,隐藏哈希函数不会提高安全性。
The basic idea of hashing passwords is that the attacker has knowledge of the hashing algorithm and has access to both the hash and the salt. By selecting a cryptographic strong hash function and a suitable salt value that is different for each password the computational effort required to guess the password is so high that the cost exceeds the possible gain the attacker can get from guessing the password. So to answer your question, hiding the hash function does not improve the security.
如果有人访问您的数据库/数据和源代码,那么看起来不管你做什么,你的哈希算法可以逆向工程,你唯一会在你身边会是复杂和耗时的算法是什么?
If someone has access to your database/data and your source code, then it seems like no matter what your do, your hashing algorithm can be reversed engineered, the only thing you would have on your side would be how complex and time consuming your algorithm is?
你应该总是使用一个众所周知的(并且适当强)哈希算法,并且逆向工程这个算法没有意义,因为你的代码没有隐藏任何东西。如果您不是指反向工程,而是实际上反向,那么,密码受到反转哈希函数的复杂性的保护(或猜测与哈希匹配的密码值)。好的哈希函数使得这很难。
You should always use a well-known (and suitably strong) hashing algorithm, and reverse engineering this algorithm is not meaningful as there is nothing hidden in your code. If you didn't mean reverse engineer but actually reverse then, yes, the passwords are protected by the complexity of reversing the hash function (or guessing a password that matches a hash value). Good hash functions makes this very hard.
似乎最弱的链接是:你自己的系统有多安全,谁有权访问它?
It seems like the weakest link is: how secure your own systems are and who has access to it?
一般来说这是真的,但是当通过将密码存储为哈希来保护密码时,你应该假设攻击者
In general this is true, but when it comes to securing passwords by storing them as hashes you should still assume that the attacker has full access to the hashes and design your system accordingly by choosing an appropriate hash function and using salts.
这些哈希值试图进行什么类型的攻击保护?我已经阅读关于彩虹表和字典攻击(暴力),但是如何管理这些攻击?
What types of attacks are these hashes trying to protect against? I've read about rainbow table and dictionary attacks (brute force), but how are these attacks administered?
散列防护是当攻击者访问您的数据库时。无法从数据库读取明文密码,并且密码受到保护。
The basic attack that password hashing protects against is when the attacker gets access to your database. The clear text password cannot be read from the database and the password is protected.
更复杂的攻击者可以生成可能的密码列表,并使用相同的算法计算散列像你一样。然后,他可以将计算的散列与存储的散列进行比较,如果他找到匹配,则他具有有效的密码。这是一个强力攻击,通常假设攻击者对数据库具有离线访问权限。通过要求用户使用长而复杂的密码,强制强制密码所需的努力显着增加。
A more sophisticated attacker can generate a list of possible passwords and compute the hash using the same algorithm as you. He can then compare the computed hash to the stored hash and if he finds a match he has a valid password. This is a brute force attack and it is generally assumed that the attacker has "offline" access to your database. By requiring the users to use long and complex passwords the effort required to "brute force" a password is significantly increased.
当攻击者不想攻击一个密码,数据库中的所有密码都可以预先计算并且通过使用所谓的散列链来进一步改进大的密码表和散列值对。彩虹表是这个想法的应用,可以用于同时强制许多密码,而不显着增加工作量。然而,如果使用唯一的盐来计算每个密码的散列,则预计算的表变得无用,因为它对于每个盐是不同的,并且不能被重复使用。
When the attacker wants to attack not one password, but all the passwords in the database a large table of passwords and hash value pairs can be precomputed and further improved by using what is called hash chains. Rainbow tables is an application of this idea and can be used to brute force many passwords simultaneously without increasing the effort significantly. However, if a unique salt is used to compute the hash for each password a precomputed table becomes useless as it is different for each salt and cannot be reused.
up:通过隐身的安全性不是保护敏感信息的好策略,现代密码学允许您在不必求助于隐晦的情况下保护信息。
To sum it up: Security by obscurity is not a good strategy for protecting sensitive information and modern cryptography allows you to secure information without having to resort to obscurity.
这篇关于加密,哈希和密码问题,总的noob?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
