Password hashing in Windows store app


Problem description

I am writing an authentication service for my app. Clients will connect via HTTP to this authentication service to register or connect. After they have connected, they will receive a session key that they can use to encrypt TCP/UDP packets sent to a secondary server. That is still WIP, so this is just to give you a big-picture overview.

Server side, I use BCrypt to hash the incoming password and store that in a database. Server side, I also use BCrypt's Verify method to check any incoming password against the stored hash. So that basically works.

However, I naturally don't want to transfer an unhashed password over the wire. There is no BCrypt for Windows Store apps, but I found some MSDN sample code demonstrating how to use the new Cryptography API for Windows Store apps to hash a string, like so:

    using Windows.Security.Cryptography;
    using Windows.Security.Cryptography.Core;
    using Windows.Storage.Streams;

    // Unsalted, single-pass SHA-512 over the UTF-16BE bytes of the password,
    // returned as a Base64 string (the MSDN sample as used in the question).
    public static string Hash(string password)
    {
        HashAlgorithmProvider provider =
            HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Sha512);

        CryptographicHash hash = provider.CreateHash();

        // Encode the string as UTF-16BE bytes and feed them to the hash object.
        IBuffer buffer = CryptographicBuffer.ConvertStringToBinary(password, BinaryStringEncoding.Utf16BE);
        hash.Append(buffer);

        // Finalise the digest; the hash object is reset for reuse afterwards.
        IBuffer hashedBuffer = hash.GetValueAndReset();

        return CryptographicBuffer.EncodeToBase64String(hashedBuffer);
    }

I plan to have various clients connecting to the service, not only Windows Store apps (also traditional Windows desktop apps). So naturally I want "one" way of hashing the password client side.

I need advice on additional security mechanisms I should implement, and on whether hashing the password client side using SHA512, as demonstrated in the code above, is "enough" when transmitting it to the server (which again hashes and salts it before storing).

Recommended answer

Performing any kind of authentication without TLS protection leaves you with vulnerabilities. Bcrypt server side can give you limited protection against attacks on a stolen database. Sending (hashed) passwords unprotected over the line, however, should be considered a security risk.

It should be possible to introduce at least a salt and a work factor to the client side. These parameters could be retrieved from the server side as they need to remain constant. Then you could use bcrypt client side. You say that it isn't available in the API, but that should not concern you. Bcrypt is just an algorithm and there will be implementations of it available online.

Brute force attacks and dictionary attacks would still be available to an attacker (eavesdropper), but they would be harder to accomplish, giving you limited protection for the users with moderately strong passwords (if the client code can be trusted).
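The exchange the answer sketches, as an added example that is not part of the question or the answer: the server issues a per-user salt and a fixed work factor, the client stretches the password with them and sends only the result, and the server stretches that result again with its own private salt before storing it. It also keeps the question's unsalted SHA-512 next to it to show why two users with the same password produce the same wire value there. The Python standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for client-side bcrypt and scrypt stands in for the server-side bcrypt of the question; the in-memory `USERS` store, the iteration count and all user names and passwords are constructed for the example. TLS is assumed around both exchanges, as the answer requires.

```python
import base64
import hashlib
import hmac
import os

# Constructed in-memory user store standing in for the service's database.
USERS = {}

# Client-side work factor. The server chooses it and it must stay constant for
# a user, otherwise the client cannot reproduce the same pre-hash at login.
CLIENT_ITERATIONS = 100_000  # assumed value; tune to the slowest client's CPU budget


def naive_sha512(password: str) -> str:
    """What the question's Windows Store snippet does: an unsalted, single-pass
    SHA-512 over the UTF-16BE bytes of the password, returned as Base64."""
    digest = hashlib.sha512(password.encode("utf-16-be")).digest()
    return base64.b64encode(digest).decode("ascii")


def client_prehash(password: str, salt: bytes, iterations: int) -> bytes:
    """Client side: stretch the password with the server-supplied salt and work
    factor. PBKDF2-HMAC-SHA256 stands in for bcrypt here; the exchange is the
    same for either algorithm."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def server_hash(prehash: bytes, server_salt: bytes) -> bytes:
    """Server side: treat the received pre-hash as the 'password' and stretch it
    again with a private salt before storing. scrypt stands in for the bcrypt
    the question already uses on the server."""
    return hashlib.scrypt(prehash, salt=server_salt, n=2**14, r=8, p=1, dklen=32)


def register(username: str, password: str) -> None:
    """Registration exchange (inside TLS):
    1. the server creates the user's client salt and work factor and returns them,
    2. the client computes the pre-hash and sends only that,
    3. the server re-hashes the pre-hash with its own salt and stores the result.
    The plaintext password never reaches the server; the pre-hash is never stored."""
    client_salt = os.urandom(16)                                   # server step 1
    prehash = client_prehash(password, client_salt, CLIENT_ITERATIONS)  # client step 2
    server_salt = os.urandom(16)                                   # server step 3
    USERS[username] = {
        "client_salt": client_salt,
        "iterations": CLIENT_ITERATIONS,
        "server_salt": server_salt,
        "verifier": server_hash(prehash, server_salt),
    }


def login(username: str, password: str) -> bool:
    """Login exchange (inside TLS): the client fetches its salt and work factor,
    recomputes the pre-hash, and the server compares scrypt(pre-hash) with the
    stored verifier in constant time."""
    record = USERS.get(username)
    if record is None:
        # Returning early lets a caller tell unknown users from wrong passwords;
        # a production service should take the same time and answer the same
        # way in both cases (for example by hashing against a dummy record).
        return False
    prehash = client_prehash(password, record["client_salt"], record["iterations"])
    candidate = server_hash(prehash, record["server_salt"])
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    register("alice", "correct horse battery")
    register("bob", "correct horse battery")
    # Same password, same unsalted SHA-512: identical on the wire for both users.
    print(naive_sha512("correct horse battery") == naive_sha512("correct horse battery"))
    # With per-user salts the stored verifiers differ even for the same password.
    print(USERS["alice"]["verifier"] != USERS["bob"]["verifier"])
    print(login("alice", "correct horse battery"), login("alice", "wrong"))
```

Note what this buys and what it does not: a stolen database yields only scrypt/bcrypt verifiers, not the values the clients send, and an eavesdropper who captures a pre-hash still has to grind through the client-side work factor per guess. The captured pre-hash is nonetheless a valid login credential for this service, which is the reason the answer still insists on TLS.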

