Crypto, hashes and password questions, total noob?


Question

I've read several stackoverflow posts about this topic, particularly this one:

Secure hash and salt for PHP passwords

but I still have a few questions, I need some clarification, please let me know if the following statements are true and explain your comments:


  1. If someone has access to your database/data, then they would still have to figure out your hashing algorithm and your data would still be somewhat secure, depending on your algorithm? All they would have is the hash and the salt.

  2. If someone has access to your database/data and your source code, then it seems like no matter what you do, your hashing algorithm can be reverse engineered, the only thing you would have on your side would be how complex and time consuming your algorithm is?

  3. It seems like the weakest link is: how secure your own systems are and who has access to it?

Lasse V. Karlsen ... brings up a good point, if your data is compromised then game over ... my follow up question is: what types of attacks are these hashes trying to protect against? I've read about rainbow table and dictionary attacks (brute force), but how are these attacks administered?

Recommended answer

Your question is about using passwords as an authentication mechanism and how to securely store these passwords in a database using a hash. As you probably already know, the goal is to be able to verify passwords without storing these passwords in clear text in the database. In this context let me try to answer each of your questions:


If someone has access to your database/data, then they would still have to figure out your hashing algorithm and your data would still be somewhat secure, depending on your algorithm? All they would have is the hash and the salt.

The basic idea of hashing passwords is that the attacker has knowledge of the hashing algorithm and has access to both the hash and the salt. By selecting a cryptographically strong hash function and a suitable salt value that is different for each password, the computational effort required to guess the password is so high that the cost exceeds the possible gain the attacker can get from guessing the password. So to answer your question, hiding the hash function does not improve the security.


If someone has access to your database/data and your source code, then it seems like no matter what you do, your hashing algorithm can be reverse engineered, the only thing you would have on your side would be how complex and time consuming your algorithm is?

You should always use a well-known (and suitably strong) hashing algorithm, and reverse engineering this algorithm is not meaningful as there is nothing hidden in your code. If you didn't mean reverse engineer but actually reverse then, yes, the passwords are protected by the complexity of reversing the hash function (or guessing a password that matches a hash value). Good hash functions make this very hard.


It seems like the weakest link is: how secure your own systems are and who has access to it?

In general this is true, but when it comes to securing passwords by storing them as hashes you should still assume that the attacker has full access to the hashes and design your system accordingly by choosing an appropriate hash function and using salts.


What types of attacks are these hashes trying to protect against? I've read about rainbow table and dictionary attacks (brute force), but how are these attacks administered?

The basic attack that password hashing protects against is when the attacker gets access to your database. The clear text password cannot be read from the database and the password is protected.

A more sophisticated attacker can generate a list of possible passwords and compute the hash using the same algorithm as you. He can then compare the computed hash to the stored hash and if he finds a match he has a valid password. This is a brute force attack and it is generally assumed that the attacker has "offline" access to your database. By requiring the users to use long and complex passwords the effort required to "brute force" a password is significantly increased.

When the attacker wants to attack not one password, but all the passwords in the database, a large table of passwords and hash value pairs can be precomputed and further improved by using what is called hash chains. Rainbow tables are an application of this idea and can be used to brute force many passwords simultaneously without increasing the effort significantly. However, if a unique salt is used to compute the hash for each password, a precomputed table becomes useless as it is different for each salt and cannot be reused.

To sum it up: Security by obscurity is not a good strategy for protecting sensitive information and modern cryptography allows you to secure information without having to resort to obscurity.
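
As an added illustration of the answer's point about per-password salts (this is not code from the original question or answer), the Python sketch below stores two users who picked the same password and compares the stored values with and without a salt. The use of PBKDF2-HMAC-SHA256, the iteration count and the sample passwords are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # example work factor, an assumption of this sketch
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """Fast hash with no salt: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); a fresh random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def demo() -> dict:
    # Constructed sample: two users who happen to choose the same password.
    password = "correct horse battery staple"
    unsalted = {"alice": unsalted_digest(password), "bob": unsalted_digest(password)}
    alice = hash_password(password)
    bob = hash_password(password)
    return {
        # No salt: both rows hold the same value, so one precomputed entry
        # would match every account that uses this password.
        "unsalted_rows_match": unsalted["alice"] == unsalted["bob"],
        # Per-password salt: the stored values differ, so a table computed
        # for one salt says nothing about the other row.
        "salted_rows_match": alice[1] == bob[1],
        "correct_accepted": verify_password(password, *alice),
        "wrong_rejected": not verify_password("Tr0ub4dor&3", *alice),
    }


if __name__ == "__main__":
    print(demo())
```

The salt is stored next to the derived key and is not secret; its job is only to make each stored value unique, which matches the answer's assumption that the attacker sees both the hash and the salt.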
