双哈希安全 [英] Double hashing security

问题描述

我的第一个问题是，我听说对字符串进行了 2 次散列(例如 sha1(sha1(password)) )，因为第二个散列的长度是固定的，这是真的吗??

My first question is, I've heard that hashing the string 2 times (e.g. sha1(sha1(password)) ), because the second hash has a fixed length, is it true??

我的第二个问题是，哪个更安全?(var1 和 var2 是 2 个字符串):

My the second question is, which is safer? (var1 and var2 are 2 strings):

1. sha1(var1 + sha1(var2))
2. sha1(var1 + var2)

如果是第一个，性能成本是否值得?

If it is the 1st one, is it worth the performance cost?

推荐答案

通过对字符串进行两次散列，会增加发生冲突的风险，这在安全方面很糟糕.

By hashing the string twice, you are increasing the risk of collisions, which is bad security-wise.

不是无限量的输入导致 2¹²⁸ 个可能的输出，您将有 2¹²⁸ 个可能的输入导致可能少于 2¹²⁸ 输出.

Instead of having an infinite amount of inputs leading to 2¹²⁸ possible outputs, you will have 2¹²⁸ possible inputs leading to maybe less than 2¹²⁸ outputs.

在散列之前使用盐和胡椒至少使输入具有无限的可能性.散列两次会增加脚本的运行时间，并增加发生冲突的风险，除非您保持无限输入的来源.

Using salt and pepper before hashing at least keeps the input to infinite possibilities. Hashing twice increases the run time of your script, and increases the risk of collisions, unless you maintain the source of infinite input.

这篇关于双哈希安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！