How can I use bcrypt/scrypt on appengine for Python?


Question

I want to make an authentication system for my app along the lines of SUAS, except instead of using SHA256 for hashing passwords I'd like to use bcrypt or scrypt. Unfortunately both py-bcrypt and scrypt for Python use native C, which is unsupported by GAE.

Any way around this?

Recommended answer

Scrypt and BCrypt are both extremely processor-intensive (by design). Because of this, I very much doubt any pure-python implementation is going to be fast enough to be secure - that is, be able to hash using a sufficient number of rounds within a reasonable amount of time.

I can personally attest to this, I've tried writing a pure-python BCrypt, and it was way too slow to be useful. The docs for the pure-python bcrypt implementation mentioned in another answer note this exact flaw - to beware of using it for actual security, its rounds must be set too low. The only time such implementations will be fast enough is under pypy, which is not the situation you're faced with.

What you want to go with is something based on an available hash primitive like SHA-2. That way the heavy calculation bit will still be able to be written in C, even under GAE. I'd recommend something based on PBKDF2 or SHA-512-Crypt (note: this is not just a plain sha512 hash). The security of the algorithms is just as good, but pure-python implementations will be much more efficient, since they can leverage hashlib to do the heavy lifting.

The Passlib library (http://packages.python.org/passlib) might be useful in this case, it contains implementations of PBKDF2 and SHA-512-Crypt in pure python. (Disclaimer: I'm the author of that library). Another Python library with PBKDF2 support is Cryptacular.
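The approach the answer describes, as an added example that is not part of the original answer and is not Passlib's code: PBKDF2-HMAC-SHA256 with the iteration loop in pure Python and every hash delegated to `hashlib`, plus salted storage and constant-time verification. It is written for Python 3; the `ROUNDS` value, the function names and the `pbkdf2-sha256$rounds$salt$hash` record format are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
from binascii import hexlify, unhexlify

ROUNDS = 100000  # assumption: tune so one hash costs a noticeable fraction of a second

def pbkdf2_sha256(password, salt, rounds, dklen=32):
    """PBKDF2-HMAC-SHA256 (RFC 8018). The loop is Python; every hash runs in hashlib's C code.
    Where hashlib.pbkdf2_hmac exists it computes the same value and is faster."""
    keyed = hmac.new(password, digestmod=hashlib.sha256)  # key schedule done once
    out, block = b"", 1
    while len(out) < dklen:
        mac = keyed.copy()
        mac.update(salt + struct.pack(">I", block))
        u = mac.digest()
        acc = int.from_bytes(u, "big")
        for _ in range(rounds - 1):
            mac = keyed.copy()
            mac.update(u)
            u = mac.digest()
            acc ^= int.from_bytes(u, "big")  # XOR of U_1 .. U_rounds
        out += acc.to_bytes(32, "big")
        block += 1
    return out[:dklen]

def hash_password(password, rounds=ROUNDS):
    """Return 'pbkdf2-sha256$rounds$salt_hex$hash_hex' (constructed format, not Passlib's)."""
    salt = os.urandom(16)  # fresh random salt per password
    dk = pbkdf2_sha256(password.encode("utf-8"), salt, rounds)
    return "pbkdf2-sha256$%d$%s$%s" % (rounds, hexlify(salt).decode(), hexlify(dk).decode())

def verify_password(password, stored):
    """Recompute with the stored salt and rounds; reject malformed records."""
    try:
        scheme, rounds, salt_hex, dk_hex = stored.split("$")
        rounds, salt, expected = int(rounds), unhexlify(salt_hex), unhexlify(dk_hex)
    except ValueError:  # wrong field count, non-integer rounds, bad hex
        return False
    if scheme != "pbkdf2-sha256" or rounds < 1 or not expected:
        return False  # an empty stored hash must never match
    dk = pbkdf2_sha256(password.encode("utf-8"), salt, rounds, len(expected))
    return hmac.compare_digest(dk, expected)  # constant-time comparison
```

Storing the round count in each record lets the cost be raised later without invalidating existing hashes.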
