BCrypt says long, similar passwords are equivalent - problem with me, the gem, or the field of cryptography?


Question



I've been experimenting with BCrypt, and found the following. If it matters, I'm running ruby 1.9.2dev (2010-04-30 trunk 27557) [i686-linux]

require 'bcrypt' # bcrypt-ruby gem, version 2.1.2

@long_string_1 = 'f287ed6548e91475d06688b481ae8612fa060b2d402fdde8f79b7d0181d6a27d8feede46b833ecd9633b10824259ebac13b077efb7c24563fce0000670834215'
@long_string_2 = 'f6ebeea9b99bcae4340670360674482773a12fd5ef5e94c7db0a42800813d2587063b70660294736fded10217d80ce7d3b27c568a1237e2ca1fecbf40be5eab8'

def salted(string)
  @long_string_1 + string + @long_string_2
end

encrypted_password = BCrypt::Password.create(salted('password'), :cost => 10)
puts encrypted_password #=> $2a$10$kNMF/ku6VEAfLFEZKJ.ZC.zcMYUzvOQ6Dzi6ZX1UIVPUh5zr53yEu

password = BCrypt::Password.new(encrypted_password)

puts password.is_password?(salted('password')) #=> true
puts password.is_password?(salted('passward')) #=> true
puts password.is_password?(salted('75747373')) #=> true
puts password.is_password?(salted('passwor')) #=> false

At first I thought that once the passwords got to a certain length, the dissimilarities would just be lost in all the hashing, and only if they were very dissimilar (i.e. a different length) would they be recognized as different. That didn't seem very plausible to me, from what I know of hash functions, but I didn't see a better explanation.

Then, I tried shortening each of the long_strings to see where BCrypt would start being able to tell them apart, and I found that if I shortened each of the long strings to 100 characters or so, the final attempt ('passwor') would start returning true as well. So now I don't know what to think.

What's the explanation for this?

Solution

The good news is, the mathematical foundations of encryption haven't been dissolved. :)

The bad news is that there's an 8-bit key length limit in bcrypt.c which is silently failing:

uint8_t key_len, salt_len, logr, minor;

Then later:

key_len = strlen(key) + (minor >= 'a' ? 1 : 0);

What you're passing in for encryption is 263 characters, but it winds up thinking it's only 8. So you're getting comparisons on only the very first part of the strings.

However, it works fine for me when I pare down the length of the long_strings, so if you actually do get a problem in the sub-255-total range that may be related to something else.
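Both observations in the question (the first three salted strings comparing equal while 'passwor' does not, and 'passwor' also comparing equal once the long strings are cut to about 100 characters) can be reproduced without the gem by modelling how the bcrypt.c quoted in the answer consumes a key. Two length effects are involved: the uint8_t wrap of key_len shown above, and the standard bcrypt property that the Blowfish key schedule takes at most 72 bytes of key, cycling through the first key_len bytes to fill them. The following is an added example, not code from the gem or from either poster; effective_key_material, same_effective_key? and bcrypt_input are names chosen here, and the pre-hashing wrapper at the end is an assumed application-side mitigation, not something the gem does.

```ruby
require 'digest'

# Added example, not code from the bcrypt gem or the original post. It models
# the two length effects behind the behaviour in the question:
#   1. in the quoted bcrypt.c, key_len is a uint8_t, so strlen(key) + 1
#      (the +1 is the terminating NUL for "$2a$" hashes) wraps modulo 256;
#   2. bcrypt's Blowfish key schedule consumes at most 72 bytes of key,
#      cycling through the first key_len bytes to fill them.
BCRYPT_KEY_BYTES = 72

# The two long strings from the original post.
LONG_STRING_1 = 'f287ed6548e91475d06688b481ae8612fa060b2d402fdde8f79b7d0181d6a27d8feede46b833ecd9633b10824259ebac13b077efb7c24563fce0000670834215'
LONG_STRING_2 = 'f6ebeea9b99bcae4340670360674482773a12fd5ef5e94c7db0a42800813d2587063b70660294736fded10217d80ce7d3b27c568a1237e2ca1fecbf40be5eab8'

# Rebuilds the poster's salted() helper. keep_chars optionally shortens both
# long strings, as the poster did when cutting them to about 100 characters.
def salted(string, keep_chars = nil)
  prefix = keep_chars ? LONG_STRING_1[0, keep_chars] : LONG_STRING_1
  suffix = keep_chars ? LONG_STRING_2[0, keep_chars] : LONG_STRING_2
  prefix + string + suffix
end

# The 72 bytes the Blowfish key schedule would actually see for this key.
def effective_key_material(key)
  with_nul = key.b + "\0"
  key_len  = (key.bytesize + 1) & 0xFF # uint8_t wrap from the quoted bcrypt.c
  # A length of exactly 255 wraps to 0; the C byte reader then pins its index
  # to 0 and only ever reads the first byte.
  src = key_len.zero? ? with_nul.byteslice(0, 1) : with_nul.byteslice(0, key_len)
  repeats = (BCRYPT_KEY_BYTES / src.bytesize) + 1
  (src * repeats).byteslice(0, BCRYPT_KEY_BYTES)
end

# True when bcrypt would derive the same Blowfish state for both inputs,
# i.e. when the two passwords are indistinguishable to it.
def same_effective_key?(a, b)
  effective_key_material(a) == effective_key_material(b)
end

# Assumed application-side mitigation (not part of the gem): collapse the
# whole input to a fixed 64-character hex digest before handing it to bcrypt.
# It is well under 72 bytes, contains no NUL byte that a strlen()-based
# implementation would stop at, and every byte of the input influences it.
def bcrypt_input(password)
  Digest::SHA256.hexdigest(password)
end

if __FILE__ == $PROGRAM_NAME
  %w[password passward 75747373 passwor].each do |pw|
    raw = effective_key_material(salted(pw))
    pre = effective_key_material(bcrypt_input(salted(pw)))
    puts "#{pw.ljust(8)} raw: #{raw[0, 9].inspect}... pre-hashed: #{pre[0, 9].inspect}..."
  end
end
```

With the full 128-character strings, 'password', 'passward' and '75747373' all give a 264-byte key, so key_len wraps to 9 and bcrypt only ever sees "f287ed654" repeated; 'passwor' gives 263 bytes, key_len 8, and a different repeated prefix, which is the one case that compares false. With the strings cut to 100 characters nothing wraps, but every variant still starts with the same 72 bytes of LONG_STRING_1, so the 72-byte cap makes all four equal, including 'passwor'. The pre-hashing wrapper avoids both effects; a raw binary digest would be a worse choice than hex here because it can contain 0x00 bytes.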
