如何存储和验证从PIN /密码随机选择的数字 [英] How to store and verify digits chosen at random from a PIN/Password
问题描述
如果我有一个用户6位数的PIN(或n个字符串),并且我希望验证是否从PIN(或x个字符)中随机选择3位数作为登录过程的一部分,我如何存储PIN码在数据库中或某些加密/散列版本的PIN码可以验证用户身份?
If I have a users 6 digit PIN (or n char string) and I wish to verify say 3 digits chosen at random from the PIN (or x chars) as part of a 'login' procedure, how would I store the PIN in a database or some encrypted/hashed version of the PIN in such a way that I could verify the users identity?
想法:
- 将PIN存储在可逆的
(对称或不对称)加密方式,解密数位检查。 - 存储针对某些
ID的PIN码的散列排列范围,链接到所选的随机
数字,例如:
- ID :123 =数字散列1,2,3
- ID:416 =数字散列4,1,6
问题:
- 密钥安全性:假设密钥是
'protected',而应用程序不是
财务,也不是非常关键,但
是高容量。 - 创建
宽数字麻木呃哈希
排列都是禁止
高存储(16字节x几
排列)和耗时可能是过度的
是否有任何其他选项,问题或改进?
Are there any other options, issues or refinements?
是的:我知道以可逆的方式存储密码/ PIN是有争议的,理想情况不应该完成。
Yes: I know storing passwords/PINs in a reversible manner is 'contentious' and ideally shouldn't be done.
只是为了澄清:
1.随机数字是我正在考虑一个避免键盘记录器的方案。
2.不可能尝试超过有限次数的重试。
3.其他元素有助于安全和验证访问。
Just for clarification: 1. Random digits is a scheme I am considering to avoid key-loggers. 2. It is not possible to attempt more than a limited number of retries. 3. Other elements help secure and authenticate access.
推荐答案
- 保护'
- 该应用不是财务的,而且非常高的
很关键, - 该应用是大容量。
- 创建大量哈希
排列是禁止
高存储(16字节x几
排列)和耗时的
可能是过度的 - 随机数字是一个计划,我是
,考虑避免键盘记录器。 - 不可能尝试更多$ b $
- 其他元素有助于安全,
验证访问。 - The key is 'protected'
- The app is not financial nor highly critical,
- The app is 'high-volume'.
- Creating a wide-number number of hash permutations is both prohibitively high-storage (16bytes x several permutations) and time-consuming probably overkill
- Random digits is a scheme I am considering to avoid key-loggers.
- It is not possible to attempt more than a limited number of retries.
- Other elements help secure and authenticate access.
你似乎在争论将PIN存储在清晰的位置。我说去吧您基本上描述了一个挑战 - 响应身份验证方法,并且服务器端的明文存储对于该用例很常见。
You seem to be arguing for storing the PIN in the clear. I say go for it. You're basically describing a challenge-response authentication method, and cleartext storage on the server side is common for that use-case.
与此类似的是,时间垫或密钥矩阵。不同之处在于,用户必须保持/让垫具有访问权限。好处是,只要您将密钥分发的密钥安全得到充分的安全,您就可以非常安全地使用键盘记录器。
Something similar to this is a one-time-pad, or a secret key matrix. The difference is that the user has to keep / have the pad with them to access. The benefit is that as long as you get the key distribution sufficiently secure, you're very safe from keyloggers.
如果要使其成为矩阵的曝光/ pad不会单独造成折衷,请让用户使用短按钮(3-4号)PIN码,并保持敏感的锁定机制。
If you want to make it so that exposure of the matrix / pad doesn't cause compromise alone, have the user use a short (3-4 number) PIN with the pad, and keep your sensitive locking mechanism.
一个矩阵:
1 2 3 4 5 6 7 8
A ; k j l k a s g
B f q 3 n 0 8 u 0
C 1 2 8 e g u 8 -
挑战可能是:输入您的PIN码,然后输入矩阵中的B3号字符。
A challenge might be: "Enter your PIN, and then the character from square B3 from your matrix."
响应可能是:
98763
The response might be: 98763
这篇关于如何存储和验证从PIN /密码随机选择的数字的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!