PHP crypt and salt - more clarification please


Problem description



I was here yesterday and got some really great answers. I took what I got and put together what I think will be a fairly secure algorithm. I'm having a problem using blowfish with a for loop that generates the salt.

I'm using base64 characters and a for loop to get a random string. I want to take this generated string and insert it into the crypt function as the salt.

Because the documentation about blowfish is so sparse and the PHP docs don't really even mention it, I'm sort of stabbing in the dark here.

The really strange thing is if you run this code the way it is now, it will not fail. Remove either the '$2a$07$' from above the for loop or from the crypt function and it will intermittently return an encrypted string. My understanding of blowfish is that the encrypted string must begin with '$2a$07$' and end in '$', hence the concatenation in the crypt function. I really don't need the beginning string above the for loop and just wanted to get rid of it.

I also would like clarification about the best practice on storing the random salt, either in the database or by storing the output of the crypt function in the database?

Yesterday, there was no real code being thrown around, just discussion. I'd like to put some code together today and have something that is fairly secure in place. If anyone can come up with a better algorithm, I'm always open.

<?php
// 64-character base64 alphabet used to pick random salt characters
$base64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
// Blowfish identifier and cost parameter (2^7 rounds)
$salt = '$2a$07$';

// append 60 random characters from the alphabet
for ($i = 0; $i < 60; $i++)
{
    $salt .= $base64[rand(0, 63)];
}

// the identifier is prepended again here, so it appears twice in the final salt string
return crypt('password', '$2a$07$' . $salt . '$');

Solution

It seems that crypt() dislikes the + char in the salt, and a lot of other special chars as well (*, % etc.). If you filter them out it should work on every try (and there is no need to repeat the salt id string).
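The salt rules behind that answer, as an added example that is not part of the original question or answer: bcrypt's salt alphabet is ./A-Za-z0-9 (base64's "+/" is replaced by "./"), crypt() reads exactly 22 salt characters after the "$2y$NN$" prefix, the prefix must appear once with no trailing "$", and on an invalid salt crypt() does not throw but returns a short failure marker such as "*0" in place of a hash. The PHP below (my own code; the helper names bcrypt_salt, bcrypt_hash and bcrypt_verify are my own, it assumes PHP 7.0 or later for random_int(), and it uses the "$2y$" identifier that PHP 5.3.7 and later use for the corrected Blowfish implementation) generates a valid salt, checks crypt()'s result, shows the failure mode from the question, and answers the storage question: the salt is embedded in the hash string, so only the hash needs to be stored and the stored hash is passed back to crypt() for verification. The sample password is constructed. It ends with the password_hash()/password_verify() pair (PHP 5.5+) that does all of this internally and is the better choice in new code.

```php
<?php
// Added example, not code from the original question or answer. Helper names
// (bcrypt_salt, bcrypt_hash, bcrypt_verify) are my own. Requires PHP >= 7.0
// for random_int(); the "$2y$" identifier needs PHP >= 5.3.7.
declare(strict_types=1);

// bcrypt's salt alphabet: "./" in place of base64's "+/". Any character outside
// this set (such as the "+" in the question's code) makes crypt() fail.
const BCRYPT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Build "$2y$NN$" followed by exactly the 22 salt characters crypt() reads.
// No trailing "$" is needed, and the identifier must appear only once.
function bcrypt_salt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $chars = '';
    for ($i = 0; $i < 22; $i++) {
        // random_int() draws from the OS CSPRNG; rand() is not suitable for salts.
        $chars .= BCRYPT_ALPHABET[random_int(0, 63)];
    }
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

// crypt() does not throw on a bad salt; it returns a short marker such as "*0".
// A genuine bcrypt hash is always exactly 60 characters, so check for that.
function bcrypt_hash(string $password, int $cost = 10): string
{
    $hash = crypt($password, bcrypt_salt($cost));
    if (strlen($hash) !== 60 || strncmp($hash, '$2y$', 4) !== 0) {
        throw new RuntimeException('crypt() rejected the salt: ' . $hash);
    }
    return $hash;
}

// The 22 salt characters are embedded in the hash, so store the hash string
// alone. Passing it back as the "salt" makes crypt() reuse the same cost and
// salt; hash_equals() compares the two strings in constant time. Only 2 bits
// of the 22nd salt character are used, so the salt written into the hash can
// differ from the generated one in its last character: always verify against
// the stored hash, never against the salt string you generated.
function bcrypt_verify(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// --- demonstration with a constructed sample password ---
$password = 'correct horse battery staple';
$stored   = bcrypt_hash($password, 7);
printf("stored hash:      %s\n", $stored);
printf("correct password: %s\n", bcrypt_verify($password, $stored) ? 'accepted' : 'rejected');
printf("wrong password:   %s\n", bcrypt_verify('not it', $stored) ? 'accepted' : 'rejected');

// The failure mode from the question: a salt character outside the alphabet.
$bad = crypt($password, '$2y$07$' . str_repeat('+', 22));
printf("salt with '+':    crypt() returned \"%s\" (%s)\n",
       $bad, strlen($bad) === 60 ? 'a hash' : 'not a hash');

// PHP >= 5.5 provides the same salt generation, hashing and verification
// through password_hash()/password_verify(); prefer these in new code.
$h = password_hash($password, PASSWORD_BCRYPT, ['cost' => 7]);
printf("password_verify:  %s\n", password_verify($password, $h) ? 'accepted' : 'rejected');
```

Run it as a plain PHP script; cost 7 is used only so the demonstration is quick, and a production cost should be tuned to the hardware (PHP's default for password_hash() is 10).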
