所有用户的成员身份 SHA1 哈希值都不相同 [英] Membership SHA1 hash not the same for all users
问题描述
我有一个纯文本的用户表,并将其迁移到成员资格提供程序.
I have a user table that was in plain text and migrated it to Membership provider.
使用 ColdFusion(当前系统),我设法对一个用户的密码(测试用户)进行哈希处理,并且完美匹配.但是现在后面的用户不匹配.我做错了什么.
Using ColdFusion (current system) I managed to HASH one user's password (test user) and it matched perfectly. But now the subsequent users do not match. What am I doing wrong.
<cfscript>
theEncoding = "UTF-16LE";
thePassword = "dtD3v310p3r!";
base64Salt = "JZjdzUXREM0A7DPI3FV3iQ==";
theSalt = charsetEncode( binaryDecode(base64Salt, "base64"), theEncoding );
theHash = hash(theSalt & thePassword, "SHA1", theEncoding);
// hash always returns hex. convert it to base64 so it matches DNN
theBase64Hash = binaryEncode(binaryDecode(theHash, "hex"), "base64");
WriteOutput("<br />theBase64Hash= "& theBase64Hash &"<br/>");
WriteOutput("DBPassword= 5khDDMmoFtW+j99r/whE/TjyIUo= <br />");
theEncoding = "UTF-16LE";
thePassword = "DT!@12";
base64Salt = "+muo6gAmjvvyy5doTdjyaA==";
theSalt = charsetEncode( binaryDecode(base64Salt, "base64"), theEncoding );
theHash = hash(theSalt & thePassword, "SHA1", theEncoding);
// hash always returns hex. convert it to base64 so it matches DNN
theBase64Hash = binaryEncode(binaryDecode(theHash, "hex"), "base64");
WriteOutput("<br />theBase64Hash= "& theBase64Hash &"<br/>");
WriteOutput("DBPassword= nfcqQBgeAm0Dp1oGZI0O70Y6DvA= <br />");
</cfscript>
第一个工作 100%.但第二个没有.第二个产生 86SrPKXW5xywDYoC8MVy0q259sQ=
The first one works 100%. But the second one doesn't.
The second one produces a Hash value of 86SrPKXW5xywDYoC8MVy0q259sQ=
推荐答案
嗯.. 我认为当连接两个值时可能会出现问题.散列实际上应该使用字节数组,像加密版本,但不幸的是CF9的hash() 函数不支持它 - 只有字符串.(虽然文档很少,但在 CF11 中得到支持).我不确定是否有针对 CF9 的纯 CF 解决方法.但是,同时您可以直接使用 java:
Hm.. I think something may be going wrong when the two values are concatenated. The hashing should really use a byte array, like with the encrypt version, but unfortunately CF9's hash() function does not support it - only strings. (Though poorly documented, it is supported in CF11). I am not sure if there is a pure CF work-around for CF9. However, in the mean time you could use java directly:
<cfscript>
thePassword = "DT!@12";
base64Salt = "+muo6gAmjvvyy5doTdjyaA==";
// extract bytes of the salt and password
saltBytes = binaryDecode(base64Salt, "base64");
passBytes = charsetDecode(thePassword, "UTF-16LE" );
// next combine the bytes. note, the returned arrays are immutable,
// so we cannot use the standard CF tricks to merge them
ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");
dataBytes = ArrayUtils.addAll( saltBytes, passBytes );
// hash binary using java
MessageDigest = createObject("java", "java.security.MessageDigest").getInstance("SHA-1");
MessageDigest.update(dataBytes);
theBase64Hash = binaryEncode(MessageDigest.digest(), "base64");
WriteOutput("<br />theBase64Hash= "& theBase64Hash &"<br/>");
WriteOutput("DBPassword= nfcqQBgeAm0Dp1oGZI0O70Y6DvA= <br />");
</cfscript>
更新:
进一步环顾四周,我认为没有纯 CF 解决方案.UTF-16LE 编码只是问题的一部分.另一个问题是 DNN 单独解码每个字符串,这可能会产生与将两者解码为 单个字符串时不同的字节(参见下面的比较).它适用于您的第二个密码,这就是最终哈希值不同的原因.由于 hash
不接受字节数组,我认为它不是适合这项工作的工具.MessageDigest
是要走的路.
After looking around further, I do not think there is pure CF solution. The UTF-16LE encoding is only part of the problem. The other issue is that DNN decodes each string separately, which may produce different bytes than when both are decoded as a single string (see comparison below). It does in the case of your second password, which is why the final hash is different. Since hash
will not accept byte arrays, I do not think it is the right tool for this job. MessageDigest
is the way to go.
字节数组比较
old| new |
1 | -6 | -6 |
2 | 107 | 107 |
3 | -88 | -88 |
4 | -22 | -22 |
5 | 0 | 0 |
6 | 38 | 38 |
7 | -114 | -114 |
8 | -5 | -5 |
9 | -14 | -14 |
10 | -53 | -53 |
11 | -105 | -105 |
12 | 104 | 104 |
13 | -3 | 77 | **
14 | -1 | -40 | **
15 | 68 | -14 | **
16 | 0 | 104 | **
17 | 84 | 68 | **
18 | 0 | 0 |
19 | 33 | 84 | **
20 | 0 | 0 |
21 | 64 | 33 | **
22 | 0 | 0 |
23 | 49 | 64 | **
24 | 0 | 0 |
25 | 50 | 49 | **
26 | 0 | 0 |
27 | | 50 | **
28 | | 0 | **
- 旧 => charsetDecode(theSalt & thePassword, "UTF-16LE")
- 新 => ArrayUtils.addAll( saltBytes, passBytes );
- old => charsetDecode( theSalt & thePassword, "UTF-16LE")
- new => ArrayUtils.addAll( saltBytes, passBytes );
这篇关于所有用户的成员身份 SHA1 哈希值都不相同的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!