Asp.net身份识别是否安全? [英] Is Asp.net identity hashing Secured?
问题描述
我已经在以下网址中引用了Rijndael和Asp.net哈希实现的以下站点。
I have referred the following sites for the Rijndael and Asp.net hashing implementations in the following url.
- Rijndael - 如何使用密码生成Rijndael KEY和IV?
- Asp.net散列 - ASP.NET身份默认密码哈希,它是如何工作和安全的?
- Rijndael - How to generate Rijndael KEY and IV using a passphrase?
- Asp.net hashing - ASP.NET Identity default Password Hasher, how does it work and is it secure?
在两个实现中,
以下用于获取密码的随机字节。
RijnDael
Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
Asp.net标识散列
Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(providedPassword, salt, HasingIterationsCount)
在上述代码之后,RijnDael对返回的字节应用加密。
但是asp.net身份将结果与salt字节数组一起复制,并返回散列的键。
After the above code, RijnDael applies the encryption for the returned bytes. But asp.net identity copy the result as it is with the salt byte array and return the hashed keys.
这里我有一个混乱。 RijnDael和Asp.net身份散列使用相同的 Rfc2898DeriveBytes 。
Here I had a confusion. RijnDael and Asp.net identity hashing uses the same Rfc2898DeriveBytes.
当RijnDael可以解密加密密钥(这是通过Rfc2898DeriveBytes的帮助完成的),为什么我们可以解密Asp.net标识散列的键?
When RijnDael can decrypt the encrypted keys (which is done with the help of Rfc2898DeriveBytes), why can we do to decrypt the Asp.net Identity hashed keys?
有没有可能这样做?
Asp.net身份是否安全?
Is there any possibility to do that? Is Asp.net identity secured?
推荐答案
是的,ASP.NET的密码散列方法是安全的。
在您提供的示例中,用户正在使用称为高级加密标准的加密技术>(AES,也称为Rijndael)。这就是为什么秘密可以解密的。
In the example you provided, the user is using an encryption technique known as Advanced Encryption Standard (AES, also known as Rijndael). This is why the secret can be decrypted.
用户只能使用 Rfc2898DeriveBytes 类来获取<一个href =https://en.wikipedia.org/wiki/Key_%28cryptography%29 =nofollow>键和一个初始化向量。
The user only uses the Rfc2898DeriveBytes class in order to get a key and an initialisation vector.
该类不用于散列秘密消息。加密是什么隐藏消息。
The class is not used to hash the secret message. The encryption is what hides the message.
ASP.NET使用 Rfc2898DeriveBytes 类来填写密码。此过程无法反转。
ASP.NET uses the Rfc2898DeriveBytes class to hash a password. This procedure cannot be reversed.
这篇关于Asp.net身份识别是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
