在mongodb中加密密码字段 [英] Encrypt password fields in mongodb
问题描述
我有以下代码,将 userName
和密码
插入到数据库
中,但密码为以纯文本格式存储。我的意思是当我查看db可以看到插入的密码。
I have following code, it insert the userName
and password
into database
but the password is stored in plain text format. I mean when I'll look into the db I can see the inserted password.
我想在加密
格式中存储密码
/ p>
I want to store password
in encrypted
format
MongoClient client = new MongoClient("localhost",27017);
DB db = client.getDB("Test");
DBCollection collection = db.getCollection("EncryptionDemo");
BasicDBObject documentDetail = new BasicDBObject();
documentDetail.put("userName", "admin12");
documentDetail.put("password", "12345");
collection.insert(documentDetail);
我该如何实现?
推荐答案
根据评论中的对话,您的意思是密码,密码,密码不加密。你通常会用盐来防止彩虹台的袭击。将密码存储为盐化散列是在数据库中存储密码时的最佳做法标准。
According to the conversation in the comments, what you mean is hashing passwords, not encrypting passwords. You usually would do this with a salt to prevent a rainbow table attack. Storing passwords as salted hashes is the best practice standard when it comes to storing passwords in databases.
从版本3.2起,MongoDB没有本机支持密码散列,如某些SQL数据库提供,所以你必须用Java实现它。
As of version 3.2, MongoDB has no native support for password hashing like some SQL databases provide, so you will have to implement it in Java.
要生成一个新帐户或更改现有帐户的密码:
To generate a new account or change the password of an existing account:
- 使用
java.security.SecureRandom
。该类的工作方式与标准随机数生成器java.util.Random
(它是一个子类),但是对于与安全性相关的上下文所需的更高级别的不可预测性,交易性能。 - 通过连接盐和密码创建一个字符串
- 使用加密安全的哈希函数生成该字符串的哈希值。 Java提供的许多散列函数都是开箱即用的,但是您希望使用有意尝试使用数据库访问来减慢攻击者的数据库访问,从而强制在本地超级计算机集群上进行散列。一个好的候选人是PBKDF2WithHmacSHA1算法,它由
javax.crypto.SecretKeyFactory
类。 - 将文档保存到MongoDB,字段
用户名
,password_hash
和password_salt
(加上您的实际应用数据,当然)。不要保存原始密码。
- generate a cryptographically secure random salt value with
java.security.SecureRandom
. This class works just like the standard random number generatorjava.util.Random
(it's a subclass) but trades performance for a much higher level of non-predictability which is required for a security-relevant context. - Create a string by concatenating salt and password
- Generate a hash of that string with a cryptographically secure hash function. There are many hash functions provided by Java out-of-the-box, but you want to use one which is intentionally hard to compute to slow down an attacker with database access trying to brute-force your hashes on their local supercomputer cluster. A good candidate is the "PBKDF2WithHmacSHA1" algorithm which is supported by the
javax.crypto.SecretKeyFactory
class. - Save the document to MongoDB with the fields
username
,password_hash
andpassword_salt
(plus your actual application data, of course). Do not save the original password.
要检索帐户:
- 读取您所登录的用户输入的
username_input
和password_input
- 检索
用户名
与用户提供的username_input
的文档。 - 从该文档获取
password_salt
字段 - 通过连接
创建一个字符串password_alt $ / code> password_input
就像你以前一样。 - 使用相同的密码生成该字符串的哈希值安全哈希函数。
- 将哈希与文档的
password_hash
字段进行比较。当匹配时,用户输入正确的密码。
- Read the
username_input
andpassword_input
the alleged user entered into your login form. - Retrieve the document where the
username
matches theusername_input
the user provided. - Get the
password_salt
field from that document - Create a string by concatenating
password_salt
andpassword_input
just like you did before. - Generate a hash of that string with the same cryptographically secure hash function.
- Compare the hash with the
password_hash
field of the document. When it matches, the user entered the correct password.
您也可以只检索文档的password_hash和password_salt字段,而不加载在用户认证之前的其余部分,但我认为在现实世界中,它将导致比保存更多的负载。成功的登录通常会大大超过不成功的登录名,除非你有一个攻击者试图强制一个帐户。在这种情况下,您可以使用 fail2ban 或其他登录限制机制来阻止攻击者。
You could alternatively only retrieve the password_hash and password_salt fields of the document and not load the rest before the user is authenticated, but I would assume that in the real world it will cause more load than it would save. Successful logins will usually greatly outnumber the unsuccessful ones, unless you have an attacker who tries to brute-force an account. And in that case you would block the attacker with fail2ban or another login-limiting mechanism.
这篇关于在mongodb中加密密码字段的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!