C# 中的哈希和盐密码 [英] Hash and salt passwords in C#

问题描述

我刚刚浏览了 DavidHayden 关于 散列用户密码.

I was just going through one of DavidHayden's articles on Hashing User Passwords.

我真的无法理解他想要达到的目标.

Really I can't get what he is trying to achieve.

这是他的代码:

private static string CreateSalt(int size)
{
    //Generate a cryptographic random number.
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    byte[] buff = new byte[size];
    rng.GetBytes(buff);

    // Return a Base64 string representation of the random number.
    return Convert.ToBase64String(buff);
}

private static string CreatePasswordHash(string pwd, string salt)
{
    string saltAndPwd = String.Concat(pwd, salt);
    string hashedPwd =
        FormsAuthentication.HashPasswordForStoringInConfigFile(
        saltAndPwd, "sha1");
    return hashedPwd;
}

是否有其他 C# 方法可以对密码进行散列并为其添加盐?

Is there any other C# method for hashing passwords and adding salt to it?

推荐答案

实际上这有点奇怪，字符串转换 - 成员资格提供商将它们放入配置文件.哈希和盐是二进制 blob，您不需要将它们转换为字符串，除非您想将它们放入文本文件中.

Actually this is kind of strange, with the string conversions - which the membership provider does to put them into config files. Hashes and salts are binary blobs, you don't need to convert them to strings unless you want to put them into text files.

在我的书中，开始 ASP.NET安全，(哦，终于有借口拉皮条了)我做了以下

In my book, Beginning ASP.NET Security, (oh finally, an excuse to pimp the book) I do the following

static byte[] GenerateSaltedHash(byte[] plainText, byte[] salt)
{
  HashAlgorithm algorithm = new SHA256Managed();

  byte[] plainTextWithSaltBytes = 
    new byte[plainText.Length + salt.Length];

  for (int i = 0; i < plainText.Length; i++)
  {
    plainTextWithSaltBytes[i] = plainText[i];
  }
  for (int i = 0; i < salt.Length; i++)
  {
    plainTextWithSaltBytes[plainText.Length + i] = salt[i];
  }

  return algorithm.ComputeHash(plainTextWithSaltBytes);            
}

盐的生成就像问题中的例子.您可以使用 Encoding.UTF8.GetBytes(string) 将文本转换为字节数组.如果您必须将哈希转换为其字符串表示形式，您可以使用 Convert.ToBase64String 和 Convert.FromBase64String 将其转换回来.

The salt generation is as the example in the question. You can convert text to byte arrays using Encoding.UTF8.GetBytes(string). If you must convert a hash to its string representation you can use Convert.ToBase64String and Convert.FromBase64String to convert it back.

您应该注意，您不能在字节数组上使用相等运算符，它会检查引用，因此您应该简单地遍历两个数组，从而检查每个字节

You should note that you cannot use the equality operator on byte arrays, it checks references and so you should simply loop through both arrays checking each byte thus

public static bool CompareByteArrays(byte[] array1, byte[] array2)
{
  if (array1.Length != array2.Length)
  {
    return false;
  }

  for (int i = 0; i < array1.Length; i++)
  {
    if (array1[i] != array2[i])
    {
      return false;
    }
  }

  return true;
}

始终为每个密码使用一个新的盐.盐不必保密，可以与哈希本身一起存储.

Always use a new salt per password. Salts do not have to be kept secret and can be stored alongside the hash itself.

这篇关于C# 中的哈希和盐密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！