Can a deterministic hashing function be easily decrypted?

Views: 176

Question



Possible Duplicates:
Is it possible to decrypt md5 hashes?
Is it possible to reverse a sha1?

I asked this question: working with HUGE spreadsheet

and got a great answer and I followed the advice. I used this: http://splinter.com.au/blog/?p=86

and I hashed about 300,000 different elements in a column in an Excel spreadsheet

since you can do:

=SHA1HASH('The quick brown fox jumps over the lazy dog')

And you'd get back:

2fd4e1c67a2d28fced849ee1bb76e7391b93eb12

Couldn't you go backwards as well?

I'm saying, if it encrypts the same text the same way every single time, what is the point?

If you do know the hash algorithm, is it possible to go backwards?

Can you please explain to me very simply how hashing works? How can you convert 20 GB to a 40-character hash? Does it take a long time to hash a 20 GB hard drive?

Solution

I see your point, based on the fact that you are trying to hide Social Security numbers. If someone knows you are using SHA1HASH on the SSN to create a unique identifier, then they can just generate a quick list of all SSN numbers, SHA1HASH them, then compare to automatically have the SSN of the person in the record. Even worse, they can pre-generate all of these in a hash lookup table, and have a key of 1 hash for every SSN. This is called a hash lookup table, and more complex forms are called rainbow tables.

This is why a second feature of hashing was invented. It is called salting. Salting is basically this: you create a salt, then modify your data using the salt. For instance, say you had the SSN 123-45-6789. You could salt it with the string "MOONBEAM". Your new string for hashing is "123-45-6789MOONBEAM".

Now, even if someone knows that you are hashing the SSN to generate your unique ID, they still don't know the salt you will be using, and so they are unable to derive the original SSN by pre-hashing a list of all SSNs and comparing to your ID. You, however, can always take the user's SSN, use the salt, and rehash the SSN+SALT to see if the user's SSN matches up with their ID.

Finally, if you use just 1 salt for everything and keep it secret, then instead of being able to see the salt and generate the corresponding SSN by running SSN increments + salt 100 million times and picking the match, they have to do a lot more work to retrieve the SSN. This is because the 100 million SSN numbers have a relatively low amount of entropy (10^9 combinations). By adding your salt and keeping it secret, instead of just running

SHA1HASH(111-11-1111) -> check hash match
SHA1HASH(111-11-1112) -> check hash match
SHA1HASH(111-11-1113) -> check hash match

They would have to run

SHA1HASH(111-11-1111a) -> check hash match
SHA1HASH(111-11-1111b) -> check hash match
SHA1HASH(111-11-1111c) -> check hash match
...
SHA1HASH(111-11-1111azdfg) -> check hash match
SHA1HASH(111-11-1111azdfh) -> check hash match
....
SHA1HASH(111-11-1111zzzzzzzzzzzzzzzz) -> check hash match
SHA1HASH(111-11-1112a) -> check hash match
SHA1HASH(111-11-1112b) -> check hash match

.. and so on until they finally get to

SHA1HASH(123-45-6789MOONBEAM) -> check hash match

at which point they have finally managed to crack the SSN + SALT.

They don't even know how many characters long your salt is. So that is 10^(number of characters of your salt) times more work for them to do just to get 1 SSN, let alone get the whole table.
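The attack and the defence described in the answer above, as an added worked example (example code, not the original poster's or answerer's; the victim SSN, the "MOONBEAM" salt string taken from the answer, the HMAC key and the narrowed candidate range are all constructed for the demo). It builds the attacker's lookup table over plain SHA-1 of every candidate SSN, shows that the table recovers the SSN behind an unsalted ID, and shows the same table failing once a secret value the attacker does not know is mixed in. Alongside the answer's concatenation scheme it also shows HMAC-SHA256 under a secret key, which is the standard keyed construction for this job and is what a practitioner would reach for instead of string concatenation, plus the owner-side verification the answer describes.

```python
# Added example (not the original poster's or answerer's code). SSN, salt,
# key and candidate range are constructed for the demo.
import hashlib
import hmac
from typing import Callable, Dict, Iterable


def sha1_id(text: str) -> str:
    """What the spreadsheet's =SHA1HASH(text) computes: SHA-1 as 40 hex chars."""
    return hashlib.sha1(text.encode()).hexdigest()


def salted_sha1_id(ssn: str, salt: str) -> str:
    """The answer's scheme: append one secret string, then SHA-1 the result."""
    return sha1_id(ssn + salt)


def keyed_id(ssn: str, key: bytes) -> str:
    """Keyed alternative to concatenation: HMAC-SHA256 under a secret key.
    Still deterministic (same SSN -> same ID), but without the key an
    attacker cannot compute candidate IDs at all."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def ssn_candidates(areas: Iterable[int] = range(1000),
                   groups: Iterable[int] = range(100),
                   serials: Iterable[int] = range(10000)) -> Iterable[str]:
    """Every AAA-GG-SSSS string in the given ranges. The defaults cover the
    whole 1,000 x 100 x 10,000 = 10**9 space the answer talks about."""
    for a in areas:
        for g in groups:
            for s in serials:
                yield f"{a:03d}-{g:02d}-{s:04d}"


def build_lookup_table(candidates: Iterable[str],
                       id_func: Callable[[str], str]) -> Dict[str, str]:
    """Attacker's pre-computation: ID -> SSN for every candidate, using the
    ID function the attacker believes the victim uses."""
    return {id_func(c): c for c in candidates}


def verify(ssn: str, stored_id: str, id_func: Callable[[str], str]) -> bool:
    """Owner's check: recompute the ID and compare in constant time."""
    return hmac.compare_digest(id_func(ssn), stored_id)


def demo() -> Dict[str, object]:
    victim = "123-45-6789"                     # constructed SSN
    salt = "MOONBEAM"                          # the answer's example salt
    key = b"constructed-demo-key-use-32-random-bytes-in-practice"

    # Narrow the attacker's search to area 123 / group 45 (10,000 strings) so
    # the demo runs in milliseconds; the full space is 100,000x larger.
    def candidates() -> Iterable[str]:
        return ssn_candidates(areas=[123], groups=[45])

    table = build_lookup_table(candidates(), sha1_id)

    plain = sha1_id(victim)
    salted = salted_sha1_id(victim, salt)
    keyed = keyed_id(victim, key)

    # An attacker who guesses the wrong key gets a useless table.
    wrong_key_table = build_lookup_table(candidates(),
                                         lambda s: keyed_id(s, b"guess"))
    # If the salt leaks, the pre-computation works again.
    leaked_salt_table = build_lookup_table(candidates(),
                                           lambda s: salted_sha1_id(s, salt))

    return {
        "recovered_plain": table.get(plain),                     # "123-45-6789"
        "recovered_salted": table.get(salted),                   # None
        "recovered_keyed": wrong_key_table.get(keyed),           # None
        "recovered_leaked_salt": leaked_salt_table.get(salted),  # "123-45-6789"
        "owner_verifies": verify(victim, keyed, lambda s: keyed_id(s, key)),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lookup table is built only for area 123 / group 45 so the script finishes instantly; calling `ssn_candidates()` with its defaults enumerates the full 10^9 space, which is large but entirely feasible for a determined attacker on one machine, which is the answer's point. The leaked-salt case shows why the answer insists the salt stays secret: once the attacker knows it, they rebuild the table with the salt appended and the unsalted attack works again. A real deployment would generate the HMAC key with `secrets.token_bytes(32)` and keep it in a secrets manager, never in the spreadsheet.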
