使用salt n hash和postgresql中的登录角色登录详细信息安全性 [英] Login details security using salt n hash and a login role in postgresql

问题描述

我正在为express.js和postgresql db中的网站安全编码。现在我一直在阅读关于salting和hashing的内容，并且我已经使用crypto模块使用pdkdf2设置了代码，但是我的问题是我将如何在db中构建帐户表。如果我将创建一个登录角色，该角色将具有密码的MD5加密格式，该密码将是来自salt n hash过程的派生密钥。这会是一种保护措施吗？

将会有一个表格如下：UID（来自登录角色的ID），SALT，HASH。
同样也是loginrole。因此，在尝试进行身份验证时，代码将尝试以该角色登录，首先获取相关联的UID，生成salt n为密码提供了密码，并在数据库级别授权。

希望我有所帮助..

  var usrSalt = crypto.randomBytes（'128'）。toString（'base64'）; 
 // text，salt，iterations，keylen，callback 
 crypto.pbkdf2（usr，usrSalt，10000,512，function（err，derivedKey）{
 if（err）{console.log （err）;} 
 else {
 usr = derivedKey; 
 next（）; 
} 
}）; 
  

PS通过删除节点上的代码，pgcrypto模块是否会在同一场景中再次变得更好？ js。

解决方案 如果你无法避免完全处理密码。

很难弄清楚第二部分的含义，关于这是用于在数据库级别进行认证的。您通常使用您自己的用户名/密码进行应用程序级别身份验证，或在PostgreSQL中创建真实用户，并让PostgreSQL在您创建连接时仅通过将密码和用户名传递给PostgreSQL对其进行身份验证。 / p>

有一种中间的方式，你可能会试图去解决。自己验证用户，然后使用 SET SESSION AUTHORIZATION 让PostgreSQL数据库会话成为该用户。这是一种专门的方法，而不是我大多数时候使用的方法。它主要用于连接沉闷者。

另见：

• 用于存储/检索PGP私钥和密码短语的安全方法？

I am coding up the security for a website in express.js and postgresql db. Now I have been reading about salting and hashing and I have the code set up with pdkdf2 using the crypto module, but my issue is how I will structure the account table in the db. What If i would create a login role which will have an MD5 encrypted format for the password, which password will be the derived key from the salt n hash "procedure". Would that be an overkill of protection?

There will be a table which will be as follows: UID (the ID from the login role), SALT , HASH. And also the loginrole.

So on a try for authentication, the code will try to login as that role, first by getting the assosiated UID, generating the salt n hashed password for the password provided and auth on a DB level.

Hope I am making some sense..

       var usrSalt = crypto.randomBytes('128').toString('base64');
       //text , salt ,iterations , keylen , callback
       crypto.pbkdf2(usr, usrSalt, 10000, 512, function (err, derivedKey) {
           if (err) { console.log(err); }
           else {
               usr = derivedKey;
               next();
           }
       });

P.S Would a pgcrypto module be better again in the same scenario, just by removing the code on node.js.

解决方案

Salting and hashing passwords is not overkill, it is the absolute minimum you should do if you cannot avoid dealing with passwords entirely.

It's hard to figure out what you mean with the second part, regarding this being used to auth on a DB level. You usually either do application level authentication using your own usernames/passwords, or you create real users in PostgreSQL and let PostgreSQL authenticate them by simply passing their password and username through to PostgreSQL when you create a connection.

There's an intermediate way, which you might be trying to get at. Authenticate the user yourself, then use SET SESSION AUTHORIZATION to have your PostgreSQL database session "become" that user. It's a bit of a specialized approach, and not one I tend to use most of the time. It is mostly used by connection poolers.

See also:

• Secure method for storing/retrieving a PGP private key and passphrase?

这篇关于使用salt n hash和postgresql中的登录角色登录详细信息安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！