System.Web.Helpers.Crypto - Where's the salt?
Question
In the past when dealing with passwords I've always stored a salt and a hashed password separately in my data store. Today I was looking to update some legacy code to use an RFC 2898 hash value. I came across the Crypto.Hash methods from System.Web.Helpers. It looks like these will do most of the heavy lifting for me. There are GenerateSalt(), HashPassword(), and VerifyHashedPassword() methods. The HashPassword() and VerifyHashedPassword() methods don't take a salt value. The MSDN documentation for the HashPassword() method says:
"The format of the generated hash bytestream is {0x00, salt, subkey}, which is base-64 encoded before it is returned."
Do I need to worry about a salt? The documentation seems to say that a salt will be generated automatically and stored in the base-64 encoded value? Is this correct? All I need to store is the string returned from HashPassword()?
Recommended answer
Answer
All passwords need to be salted in order to hash them securely. In this case, however, you are correct. System.Web.Helpers.Crypto takes care of creating a salt for you. You don't need to create one. It is stored in the string returned by Crypto.HashPassword().
All you need to do is something like this.
using System.Web.Helpers;
public void SavePassword(string unhashedPassword)
{
string hashedPassword = Crypto.HashPassword(unhashedPassword);
//Save hashedPassword somewhere that you can retrieve it again.
//Don't save unhashedPassword! Just let it go.
}
public bool CheckPassword(string unhashedPassword)
{
    // LoadHashedPassword() is a placeholder for your own lookup of the saved hashedPassword.
    string savedHashedPassword = LoadHashedPassword();
    // The salt is embedded in savedHashedPassword, so no separate salt argument is needed.
    return Crypto.VerifyHashedPassword(savedHashedPassword, unhashedPassword);
}
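As an added illustration (not part of the answer above and not the System.Web.Helpers code itself), the following Python re-implements the {0x00, salt, subkey} layout quoted from the documentation, so you can see that the verifier recovers the salt from the stored string rather than from a separate column. The 16-byte salt, 32-byte subkey, 1000 PBKDF2 iterations and HMAC-SHA1 PRF are the parameters of the System.Web.Helpers implementation and are assumptions as far as this page goes; use a current, stronger KDF configuration for new designs.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Layout and KDF parameters of the System.Web.Helpers.Crypto hash string
# (assumed here; only the {0x00, salt, subkey} layout is stated on the page).
VERSION_BYTE = 0x00
SALT_LEN = 16       # 128-bit random salt
SUBKEY_LEN = 32     # 256-bit PBKDF2 output
ITERATIONS = 1000
PRF = "sha1"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64({0x00, salt, subkey}). A fresh random salt is drawn
    unless one is passed in explicitly (useful for deterministic tests)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    subkey = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, ITERATIONS, SUBKEY_LEN)
    return base64.b64encode(bytes([VERSION_BYTE]) + salt + subkey).decode("ascii")


def split_hash(hashed: str) -> Tuple[bytes, bytes]:
    """Decode a stored hash string and return (salt, subkey).
    Rejects anything that is not exactly {0x00, 16-byte salt, 32-byte subkey}."""
    raw = base64.b64decode(hashed, validate=True)  # raises binascii.Error (a ValueError) on junk
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN or raw[0] != VERSION_BYTE:
        raise ValueError("not a {0x00, salt, subkey} hash")
    return raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]


def verify_hashed_password(hashed: str, password: str) -> bool:
    """Recompute the subkey using the salt embedded in the stored string and
    compare in constant time. Malformed stored values verify as False."""
    try:
        salt, stored_subkey = split_hash(hashed)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, ITERATIONS, SUBKEY_LEN)
    return hmac.compare_digest(candidate, stored_subkey)
```

Because the salt travels inside the base64 string, two hashes of the same password differ, and the only value the application has to persist is the string itself.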