How to properly store password locally


Problem description

I've been reading this article from MSDN on Rfc2898DeriveBytes. Here is the sample encryption code they provide.

using System;
using System.IO;
using System.Security.Cryptography;

public class Rfc2898Test
{
    // The MSDN sample takes the password from the command line.
    public static void Main(string[] passwordargs)
    {
        string pwd1 = passwordargs[0];
        // Create a byte array to hold the random value.
        byte[] salt1 = new byte[8];
        using (RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider())
        {
            // Fill the array with a random value.
            rngCsp.GetBytes(salt1);
        }

        //data1 can be a string or contents of a file.
        string data1 = "Some test data";
        //The default iteration count is 1000 so the two methods use the same iteration count.
        int myIterations = 1000;
        try
        {
            Rfc2898DeriveBytes k1 = new Rfc2898DeriveBytes(pwd1, salt1, myIterations);
            Rfc2898DeriveBytes k2 = new Rfc2898DeriveBytes(pwd1, salt1);
            // Encrypt the data.
            TripleDES encAlg = TripleDES.Create();
            encAlg.Key = k1.GetBytes(16);
            MemoryStream encryptionStream = new MemoryStream();
            CryptoStream encrypt = new CryptoStream(encryptionStream, encAlg.CreateEncryptor(), CryptoStreamMode.Write);
            byte[] utfD1 = new System.Text.UTF8Encoding(false).GetBytes(data1);

            encrypt.Write(utfD1, 0, utfD1.Length);
            encrypt.FlushFinalBlock();
            encrypt.Close();
            byte[] edata1 = encryptionStream.ToArray();
            k1.Reset();
            // The remainder of the MSDN sample (decrypting edata1 with k2) is not quoted in the question.
        }
        catch (Exception e)
        {
            Console.WriteLine("Error: {0}", e);
        }
    }
}

My question is, how would I properly read/write the hashed data to/from a text file?

My main goal is to do what this developer is doing. I need to store a password locally. When my application prompts the user for the password, the user will enter the password, then my application will read from the text file and verify if the password that the user entered is indeed correct. How would I go about doing it?

Recommended answer

You typically store the hash of the password, then when the user enters the password, you compute the hash over the entered password and compare it with the hash which was stored - that said, just hashing is usually not enough (from a security point of view) and you should use a function such as PBKDF2 (Password-Based Key Derivation Function 2) instead. Here is an article covering all that information in a more elaborate way as well as sample code (bottom of the page): http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right

Here is a link to codereview, which I guess refers to the same implementation as the above article.
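The following is an added example, written for this page and not code from the question, the answer or the linked CodeProject article. It shows the scheme the answer describes applied to the asker's goal: instead of encrypting data with a key derived from the password (as the MSDN sample does), derive a PBKDF2 value from the password with a random salt, write salt, iteration count and derived value to a text file, and on later runs recompute the derivation from what the user typed and compare it in constant time. It assumes .NET Core 2.1 or later (the Rfc2898DeriveBytes constructor that takes a HashAlgorithmName, RandomNumberGenerator.Fill and CryptographicOperations.FixedTimeEquals); the file name, salt and hash sizes and the iteration count are illustrative choices, not values from the page.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example: store a salted PBKDF2 hash of a password in a text file and
// verify later entries against it. Assumes .NET Core 2.1+ / .NET 5+ APIs.
public static class PasswordStore
{
    private const int SaltSize = 16;        // bytes of random salt per password (illustrative)
    private const int HashSize = 32;        // bytes of derived value kept as the "hash" (illustrative)
    private const int Iterations = 100_000; // work factor (illustrative); raise as hardware gets faster

    // Builds one line of text: iterations:base64(salt):base64(hash).
    // Storing the iteration count with the record lets you raise it later
    // without breaking verification of records written with the old value.
    public static string CreateStoredRecord(string password)
    {
        byte[] salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);   // a fresh salt for every password
        byte[] hash = Derive(password, salt, Iterations, HashSize);
        return $"{Iterations}:{Convert.ToBase64String(salt)}:{Convert.ToBase64String(hash)}";
    }

    // Recomputes PBKDF2 with the stored salt and iteration count and compares
    // in constant time, so the comparison does not reveal how many bytes matched.
    public static bool Verify(string password, string storedRecord)
    {
        string[] parts = storedRecord.Split(':');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations <= 0)
            return false; // malformed record: refuse rather than throw

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException)
        {
            return false; // corrupted or hand-edited file
        }
        if (salt.Length == 0 || expected.Length == 0)
            return false;

        byte[] actual = Derive(password, salt, iterations, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations, int length)
    {
        // PBKDF2 with HMAC-SHA256; the password itself is never written anywhere.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(length);
        }
    }

    public static void Main()
    {
        string path = "password.txt"; // illustrative file name

        // First run: the user chooses a password; only the derived record is written.
        File.WriteAllText(path, CreateStoredRecord("correct horse battery staple"));

        // Later run: read the record back and check what the user typed.
        string record = File.ReadAllText(path).Trim();
        Console.WriteLine(Verify("correct horse battery staple", record));
        Console.WriteLine(Verify("wrong password", record));
    }
}
```

Only the record line is ever written to disk, so someone who obtains the file still has to run the key derivation once per guess, which is the point of using PBKDF2 rather than a plain hash; keeping the iteration count inside the record is what lets you increase it for new passwords while old records remain verifiable.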

