What is the best possible way of salting and storing salt?


Question

I have read about password salting, but this might sound a little odd. But how do I store and secure the salt? For example, in a multi-tier architecture, say I use the client machine's GUID to generate my salt; then the user gets restricted to a single machine, but if I use a random salt it has to be stored somewhere. A few days back I saw a sample application where the hash and the salt were generated on the client system whenever a new user was created, and then the salted password and the hash were transmitted to the server, where they were stored in SQL Server. But if I follow this method and the database is compromised, the passwords and the salt values for each password will be available to the X person. So, should I again salt/encrypt the passwords and received salt on the server side? What is the best practice of salting?

Recommended answer

Storing the salt unencrypted in the database next to the hashed passwords is not a problem.

The purpose of the salt is not to be secret. Its purpose is to be different for each hash (i.e. random), and long enough to defeat the use of rainbow tables when an attacker gets his hands on the database.

See this excellent post by Thomas Ptacek on the subject.

edit @ZJR: even if the salts were completely public, they would still defeat the benefit of rainbow tables. When you have a salt and hashed data, the best you can do to reverse it is brute force (provided that the hash function is cryptographically secure).

edit @n10i: See the Wikipedia article on secure hash functions. As for the salt size, the popular bcrypt.gensalt() implementation uses 128 bits.
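As an added illustration of the answer above (this is example code, not part of the original answer or of any library it mentions), the following Python uses only the standard library to store a random 128-bit salt in the clear next to a PBKDF2 hash, verify a login against that record, and show why a per-user random salt beats a salt derived from something shared, such as a machine GUID. The record layout and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16          # 128-bit salt, the size the answer cites for bcrypt.gensalt()
PBKDF2_ROUNDS = 100_000  # work factor; raise it for production hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record stored in the database: algorithm, rounds, salt and hash.

    The salt is stored unencrypted beside the hash. It is not a secret; it only
    has to be unique per user so precomputed tables cannot be reused.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every new record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"alg": "pbkdf2-sha256", "rounds": PBKDF2_ROUNDS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["rounds"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_password_distinct_hashes(password: str) -> bool:
    """Two users with the same password get different salts and hashes, so a
    table precomputed from passwords alone matches neither record."""
    a, b = hash_password(password), hash_password(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


def shared_salt_collides(password: str, shared_salt: bytes) -> bool:
    """A salt shared across users (e.g. one derived from a machine GUID) makes
    equal passwords produce equal hashes, which is what a random salt prevents."""
    a, b = hash_password(password, shared_salt), hash_password(password, shared_salt)
    return a["hash"] == b["hash"]


if __name__ == "__main__":
    # Constructed sample credentials for a local run.
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("random salts differ:", same_password_distinct_hashes("hunter2"))
    print("shared salt collides:", shared_salt_collides("hunter2", b"\x00" * SALT_BYTES))
```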
