hash() vs. crypt() function comparison
I'm currently implementing a login system. I want to store the password and the salt in a database. Now I found out that there is a hash() and a crypt() function which seem to do the same (valid for SHA512).
hash() is newer and seems to support more hashing algorithms than crypt(). Are there any other differences I should know/care about?
Edit:
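    function generatePasswordHash($password){
        // 8 random bytes, base64-encoded, used as the salt
        $salt = base64_encode(mcrypt_create_iv(8));
        // The '$1$' prefix selects the MD5-based crypt scheme
        $calculatedPasswordHash = crypt($password, '$1$' . $salt . '$');
        return $calculatedPasswordHash;
    }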
The result looks like $1$Qh6ByGJ9$zLn3yq62egvmc9D7SzA2u.
Here is my password checking function:
    function checkLoginData($username, $password){
        global $db;
        $sql = "SELECT * FROM users WHERE username = :username";
        $result = $db->ExecuteQuery($sql, array("username"=>$username));
        if(!empty($result)){
            $result = $result[0];
            $savedPasswordHash = $result['password'];
            // Stored format is $1$<salt>$<hash>, so index 2 holds the salt
            $splitted = explode("$", $savedPasswordHash);
            $salt = $splitted[2];
            // Recompute with the stored salt and compare to the stored value
            $calculatedPasswordHash = crypt($password, '$1$' . $salt . '$');
            if($savedPasswordHash === $calculatedPasswordHash){
                return true;
            }
        }
        return false;
    }
Use hash for hashing, for example in integrity checks. It directly uses the specified hashing algorithm.
crypt is a special purpose function. It's used for password hashing and key derivation. You'll need to pass in a salt, which indirectly determines the hashing scheme used. Even if you choose CRYPT_SHA512 this isn't plain SHA512. It's a key derivation function that uses SHA512 as a building block. In particular such a scheme is deliberately slow (hinders brute-force attacks) and combines salt and password in a secure way.
For password hashing in a login system, crypt is clearly the right choice.
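
The difference described in the answer, as an added PHP example that is not part of the original question or answer: hash() returns a plain unsalted digest, while crypt() with a `$6$` salt prefix runs the salted, iterated SHA512-based scheme. The helper names, the sample password and the rounds value are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the original post. The helper names, sample
// password and rounds value are assumptions chosen for illustration.

// Build a 16-character salt from the crypt alphabet [./0-9A-Za-z].
function makeSalt(): string {
    // 12 random bytes give 16 base64 chars with no '=' padding; map '+' to '.'
    return strtr(base64_encode(random_bytes(12)), '+', '.');
}

// Hash with SHA512-crypt: the "$6$" prefix selects the scheme and
// "rounds=" sets how many iterations make it deliberately slow.
function hashPassword(string $password, int $rounds = 100000): string {
    $hash = crypt($password, '$6$rounds=' . $rounds . '$' . makeSalt() . '$');
    if (strlen($hash) < 20) {   // crypt() returns a short "*0"/"*1" on failure
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// Verify by passing the stored string as the salt argument: crypt() reads
// the scheme, rounds and salt from it, so no manual explode('$') is needed.
function verifyPassword(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

$password = 'correct horse battery staple';   // constructed sample value

// hash(): plain digest with no salt, so equal inputs give equal outputs.
var_dump(hash('sha512', $password) === hash('sha512', $password));

// crypt(): a fresh salt per call, so two hashes of one password differ.
$h1 = hashPassword($password);
$h2 = hashPassword($password);
var_dump($h1 === $h2);

// Both stored strings still verify the right password and reject a wrong one.
var_dump(verifyPassword($password, $h1), verifyPassword($password, $h2));
var_dump(verifyPassword('wrong guess', $h1));

// Rough cost comparison: one digest versus one crypt() call.
$t = microtime(true);
hash('sha512', $password);
$tHash = microtime(true) - $t;
$t = microtime(true);
crypt($password, $h1);
$tCrypt = microtime(true) - $t;
printf("hash(): %.6fs  crypt(): %.6fs\n", $tHash, $tCrypt);
```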