How can I vendorize bcrypt in a PHP application (and should I)?


Problem description

I am contributing to a relatively mature open-source PHP project. Recently, I discovered that it stores passwords as plain MD5 hashes, which is quite bothersome to me. I figured that if I was going to fix it, I might as well Do It Right(tm), so I wanted to use bcrypt.

First, what I have found for other languages: bcrypt-ruby appears to use either the original C code from OpenBSD or jBCrypt's Java code. py-bcrypt is a thin wrapper around the BSD code. BCrypt.net is a direct port of jBCrypt.

Now, PHP itself supports bcrypt (albeit, misleadingly called simply 'blowfish') in the crypt function. However, versions prior to 5.3 require support on the system itself, generally provided by crypt_blowfish. phpass is the same, and recommends installing either PHP 5.3 or Suhosin.

Since many users of the application use standard shared hosting, I don't want to require any special configuration of the server. I was hoping to just steal the code from PHP's 5.3 release, but it is in C, and (from the small bit of reading I've just done) I cannot require the use of a C-extension for the project's users.

I thought of just creating a pure-PHP port of bcrypt, but looking at the source of jBCrypt, I am not sure that I should, given that I'm not incredibly familiar with either PHP or blowfish, and a mistake here could be simultaneously dangerous and difficult to detect in the first place.

So, I present to you two (multipart) questions:

  1. Is my lack of PHP knowledge getting the best of me? Can I really use one of the already-created implementations?
  2. Should I instead just create a simple looping function that calls sha1() or md5() repeatedly for some configurable number of times?

Solution

> Is my lack of PHP knowledge getting the best of me? Can I really use one of the already-created implementations?

Unfortunately, you are correct. Prior to 5.3.0, PHP didn't support bcrypt by default. Instead, it relied on the OS's support (check the CRYPT_BLOWFISH constant). As you've pointed out, Suhosin is an option in that case.

> Should I instead just create a simple looping function that calls sha1() or md5() repeatedly for some configurable number of times?

The best advice when it comes to cryptography is "don't roll your own." Repeated calls to sha1() or md5() may or may not increase security.

The authors of bcrypt, on the other hand, explain their design decisions in this paper.
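
One way to apply the CRYPT_BLOWFISH check to the MD5 records from the question, as an added example (not code from the post or the project): verify against the stored hash, and re-hash with crypt()'s bcrypt on a successful login when the host supports it. The function names, the cost of 10, and the assumption that legacy records are 32 lowercase hex characters from md5() are hypothetical; the random source assumes PHP 5.3+ with OpenSSL, or PHP 7+.

```php
<?php
// Added example; function names, the cost of 10 and the sample record are assumptions.

function bcrypt_available() {
    // Before PHP 5.3.0 this constant reflects the OS crypt(); from 5.3.0 PHP bundles it.
    return defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1;
}

function safe_equals($a, $b) {
    // Comparison whose timing does not depend on where the strings differ.
    if (function_exists('hash_equals')) return hash_equals((string)$a, (string)$b);
    if (strlen($a) !== strlen($b)) return false;
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) $diff |= ord($a[$i]) ^ ord($b[$i]);
    return $diff === 0;
}

function bcrypt_hash($password, $cost = 10) {
    $raw = function_exists('random_bytes') ? random_bytes(16) : openssl_random_pseudo_bytes(16);
    // 22 salt characters from bcrypt's ./A-Za-z0-9 alphabet.
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    // "$2y$" exists from PHP 5.3.7; older 5.3.x only knows "$2a$".
    $prefix = version_compare(PHP_VERSION, '5.3.7', '>=') ? '$2y$' : '$2a$';
    $hash = crypt($password, sprintf('%s%02d$%s', $prefix, $cost, $salt));
    // crypt() signals failure with a short string such as "*0".
    return (is_string($hash) && strlen($hash) === 60) ? $hash : false;
}

// Returns true on a correct password; $upgraded receives a bcrypt hash to store
// when the record was still legacy MD5 and bcrypt is usable on this host.
function verify_and_upgrade($password, $stored, &$upgraded) {
    $upgraded = null;
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {        // legacy md5() record
        if (!safe_equals(md5($password), $stored)) return false;
        if (bcrypt_available() && ($h = bcrypt_hash($password)) !== false) $upgraded = $h;
        return true;
    }
    return bcrypt_available() && safe_equals(crypt($password, $stored), $stored);
}

// Constructed sample record: what the old scheme would have stored.
$legacy = md5('correct horse battery staple');
var_dump(verify_and_upgrade('correct horse battery staple', $legacy, $new));
var_dump(is_string($new) && verify_and_upgrade('correct horse battery staple', $new, $again));
var_dump(verify_and_upgrade('wrong guess', $legacy, $unused));
```

On a host where CRYPT_BLOWFISH is not 1, the legacy records keep verifying and `$upgraded` stays null, so no server configuration is forced on shared-hosting users.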
