为什么 BCrypt 生成的哈希是不确定的 [英] Why is the hash generated by BCrypt non-deterministic

问题描述

我过去曾使用过许多不同的哈希算法，我的印象是它们都是确定性的.

I've worked with a number of different hashing algorithms in the past and I was under the impression that they were all deterministic.

我刚刚将我的一些代码切换为使用 BCrypt.Net，我不得不承认当我所有的比较测试都失败时，我完全被难住了.

I just switched some of my code to use BCrypt.Net and I have to admit I was completely stumped when all of my comparison tests failed.

在我的测试中寻找错误令人尴尬的时间后，我意识到我认为哈希是确定性的假设是完全错误的.有一个验证方法可以工作，修复代码很容易，但我想更好地了解发生了什么.

After looking for errors in my test for an embarrassing amount of time I realized that my assumption that the hashes are deterministic was completely incorrect. There is a verify method which works and it was easy enough to fix the code but I'd like to understand what is going on a little bit better.

是在内部对值进行加盐处理还是其他原因?

Is it salting the values internally or is something else going on?

• 请注意，我是在我的真实代码中加盐 - 这只是一个测试

推荐答案

是否在内部对值进行了加盐

Is it salting the values internally

是的.bcrypt 不仅仅是一个原始散列函数，它包括盐和一些其他位，允许在没有额外输入的情况下验证散列:

Yep. bcrypt is more than a raw hash function, it includes the salt and a few other bits to allow the hash to be validated without extra input:

$2a$12$q6r.MpvzPrUszrWLgaRdlOs04kPcjk0syCDelrzES9O8.UNlHON.u
 ^^ ^^ ^^^^^^^^^^^^^^^^^^^^^^
 |  |  \- salt
 |  \---- work factor
 \------- format

您使用的 API 不会公开它，因为您通常不需要操作盐，但它就在那里，您不需要添加自己的.

The API you're using doesn't expose it as you don't generally need to manipulate the salt, but it's there and you don't need to add your own.

这篇关于为什么 BCrypt 生成的哈希是不确定的的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！