Membership SHA1 hash not the same for all users


Question

I have a user table that was in plain text and migrated it to Membership provider.

Using ColdFusion (current system) I managed to HASH one user's password (test user) and it matched perfectly. But now the subsequent users do not match. What am I doing wrong?

<cfscript>
    theEncoding = "UTF-16LE";
    thePassword = "dtD3v310p3r!";
    base64Salt = "JZjdzUXREM0A7DPI3FV3iQ==";
    theSalt = charsetEncode( binaryDecode(base64Salt, "base64"), theEncoding );
    theHash = hash(theSalt & thePassword, "SHA1", theEncoding);

    // hash always returns hex. convert it to base64 so it matches DNN
    theBase64Hash = binaryEncode(binaryDecode(theHash, "hex"), "base64");
    WriteOutput("<br />theBase64Hash= "& theBase64Hash &"<br/>");
    WriteOutput("DBPassword= 5khDDMmoFtW+j99r/whE/TjyIUo= <br />");


    theEncoding = "UTF-16LE";
    thePassword = "DT!@12";
    base64Salt = "+muo6gAmjvvyy5doTdjyaA==";
    theSalt = charsetEncode( binaryDecode(base64Salt, "base64"), theEncoding );
    theHash = hash(theSalt & thePassword, "SHA1", theEncoding);

    // hash always returns hex. convert it to base64 so it matches DNN
    theBase64Hash = binaryEncode(binaryDecode(theHash, "hex"), "base64");
    WriteOutput("<br />theBase64Hash= "& theBase64Hash &"<br/>");
    WriteOutput("DBPassword= nfcqQBgeAm0Dp1oGZI0O70Y6DvA= <br />");
</cfscript>

The first one works 100%. But the second one doesn't. The second one produces a Hash value of 86SrPKXW5xywDYoC8MVy0q259sQ=

Recommended answer

Hm.. I think something may be going wrong when the two values are concatenated. The hashing should really use a byte array, like with the encrypt version, but unfortunately CF9's hash() function does not support it - only strings. (Though poorly documented, it is supported in CF11). I am not sure if there is a pure CF work-around for CF9. However, in the meantime you could use java directly:

<cfscript>
    thePassword = "DT!@12";
    base64Salt = "+muo6gAmjvvyy5doTdjyaA==";

    // extract bytes of the salt and password
    saltBytes = binaryDecode(base64Salt, "base64");
    passBytes = charsetDecode(thePassword, "UTF-16LE" );

    // next combine the bytes. note, the returned arrays are immutable, 
    // so we cannot use the standard CF tricks to merge them    
    ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");
    dataBytes = ArrayUtils.addAll( saltBytes, passBytes );

    // hash binary using java
    MessageDigest = createObject("java", "java.security.MessageDigest").getInstance("SHA-1");
    MessageDigest.update(dataBytes);    
    theBase64Hash = binaryEncode(MessageDigest.digest(), "base64");

    WriteOutput("<br />theBase64Hash= "& theBase64Hash &"<br/>");
    WriteOutput("DBPassword= nfcqQBgeAm0Dp1oGZI0O70Y6DvA= <br />");
</cfscript>

Update:

After looking around further, I do not think there is a pure CF solution. The UTF-16LE encoding is only part of the problem. The other issue is that DNN decodes each string separately, which may produce different bytes than when both are decoded as a single string (see comparison below). It does in the case of your second password, which is why the final hash is different. Since hash will not accept byte arrays, I do not think it is the right tool for this job. MessageDigest is the way to go.

Byte array comparison

     |    old |   new |
   1 |     -6 |    -6 | 
   2 |    107 |   107 | 
   3 |    -88 |   -88 | 
   4 |    -22 |   -22 | 
   5 |      0 |     0 | 
   6 |     38 |    38 | 
   7 |   -114 |  -114 | 
   8 |     -5 |    -5 | 
   9 |    -14 |   -14 | 
  10 |    -53 |   -53 | 
  11 |   -105 |  -105 | 
  12 |    104 |   104 | 
  13 |     -3 |    77 | **
  14 |     -1 |   -40 | **
  15 |     68 |   -14 | **
  16 |      0 |   104 | **
  17 |     84 |    68 | **
  18 |      0 |     0 | 
  19 |     33 |    84 | **
  20 |      0 |     0 | 
  21 |     64 |    33 | **
  22 |      0 |     0 | 
  23 |     49 |    64 | **
  24 |      0 |     0 | 
  25 |     50 |    49 | **
  26 |      0 |     0 | 
  27 |        |    50 | **
  28 |        |     0 | **

    • old => charsetDecode( theSalt & thePassword, "UTF-16LE")
    • new => ArrayUtils.addAll( saltBytes, passBytes );
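
The byte-level computation the answer describes, as an added Python example (not code from the original post). Function names are illustrative; the passwords, salts and stored hashes are the ones quoted in the question. It also checks whether each salt is well-formed UTF-16LE, which decides whether the string-concatenation approach can reproduce the stored hash.

```python
import base64
import hashlib
import hmac

def membership_hash(password, salt_b64):
    """SHA-1 over the raw salt bytes followed by the UTF-16LE password bytes."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")

def string_path_hash(password, salt_b64):
    """Emulates the question's approach: salt bytes -> string -> bytes -> hash.
    Ill-formed UTF-16 in the salt is replaced while decoding, so the bytes
    that get hashed can differ (replacement details vary by runtime)."""
    salt_text = base64.b64decode(salt_b64).decode("utf-16-le", errors="replace")
    data = (salt_text + password).encode("utf-16-le")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def salt_is_valid_utf16le(salt_b64):
    """True only if the random salt happens to be well-formed UTF-16LE text."""
    try:
        base64.b64decode(salt_b64).decode("utf-16-le")
        return True
    except UnicodeDecodeError:
        return False

def verify(password, salt_b64, stored_b64):
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(membership_hash(password, salt_b64), stored_b64)

# (password, salt, stored hash) exactly as quoted in the question
USERS = [
    ("dtD3v310p3r!", "JZjdzUXREM0A7DPI3FV3iQ==", "5khDDMmoFtW+j99r/whE/TjyIUo="),
    # bytes 13-14 of this salt are 4D D8 = U+D84D, an unpaired high surrogate
    ("DT!@12", "+muo6gAmjvvyy5doTdjyaA==", "nfcqQBgeAm0Dp1oGZI0O70Y6DvA="),
]

def report():
    """One row per user: salt validity, both hashes, match against the DB value."""
    return [{
        "salt_valid_utf16le": salt_is_valid_utf16le(salt),
        "byte_hash": membership_hash(pw, salt),
        "string_hash": string_path_hash(pw, salt),
        "matches_stored": verify(pw, salt, stored),
    } for pw, salt, stored in USERS]

if __name__ == "__main__":
    for row in report():
        print(row)
```
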