Hashing and salting values


Question


I am developing a small web app that internally authenticates users. Once the user is authenticated my web app then passes some information such as userID and Person's name to a third party web application. The third party developer is suggesting that we hash and salt the values.

Forgive my ignorance, but what exactly does that mean?

I am writing the app in Java. So what I am planning on doing is hashing the userID, Person's name, and some Math.random() value as the salt with Apache Commons Digest Utils SHA512 and passing that hashed string along with the userID and person's name.

Is that the standard practice? I should be passing the third party the salt as well, correct?

Answer

A salt is normally used for storing hashes of passwords safely. Hashing a password for storage or communication (such that it can't be read by others) is vulnerable to decoding using rainbow tables. Now, when you add a random string to the password, but store the string with the hash, this becomes much harder. Calculating this new hash looks like:

hash(password + salt)

or even

hash(hash(password) + salt)

To safely log into a third party website, you can send the UserID, the salted hash (from above) and the salt that you used (if it is not given). Depending on how that website stores its passwords, you can generate the salt for yourself or you can ask for a salt from it.

One option is to send the UserID first to the website, then let it respond with the salt, and then send the hash(password + salt) back to the website.
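As an added example (not code from the asker or the answerer), here is the hash(value + salt) scheme from the answer written out in Java, following the three-step exchange in the last paragraph: the receiving side issues a salt, the sender returns the salted hash, and the receiver recomputes it from the value it already knows. It uses the JDK's own MessageDigest so it needs no dependency; Apache Commons Codec's DigestUtils.sha512Hex, which the question mentions, would produce the same hex string. The user ID and name are constructed sample values, and SecureRandom is used where the question planned Math.random(), because Math.random() is not a cryptographic generator and its output is predictable.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Added example (not the answerer's code): the salted-hash scheme from the answer,
// hash(value + salt), built on the JDK's MessageDigest. Commons Codec's
// DigestUtils.sha512Hex(value + salt) would give the identical hex string.
public class SaltedHashExample {

    private static final SecureRandom RNG = new SecureRandom();

    // A salt must be unpredictable, so it comes from SecureRandom rather than
    // Math.random(), which is an ordinary PRNG whose sequence can be predicted.
    static String generateSalt(int numBytes) {
        byte[] salt = new byte[numBytes];
        RNG.nextBytes(salt);
        return toHex(salt);
    }

    // hash(value + salt) exactly as written in the answer: the salt is appended
    // to the value and the concatenation is digested with SHA-512.
    static String saltedHash(String value, String salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            byte[] digest = md.digest((value + salt).getBytes(StandardCharsets.UTF_8));
            return toHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-512 is required in every JRE", e);
        }
    }

    // Receiving side: recompute the hash from the value it knows and the salt it
    // issued, then compare in constant time so the comparison leaks no timing.
    static boolean verify(String value, String salt, String presentedHash) {
        byte[] expected = saltedHash(value, salt).getBytes(StandardCharsets.UTF_8);
        byte[] presented = presentedHash.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));   // %x on a byte prints it unsigned
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for the userID and person's name.
        String userId = "u-12345";
        String personName = "Jane Doe";
        // A delimiter keeps the fields unambiguous ("ab"+"c" must not equal "a"+"bc").
        String value = userId + "|" + personName;

        // Step 1: the third party responds to the UserID with a fresh salt.
        String salt = generateSalt(16);

        // Step 2: our web app sends the UserID, the name and hash(value + salt).
        String presented = saltedHash(value, salt);

        // Step 3: the third party recomputes from its own copy of the fields.
        System.out.println("salt     = " + salt);
        System.out.println("hash     = " + presented);
        System.out.println("verified = " + verify(value, salt, presented));
        // A changed name no longer matches the presented hash.
        System.out.println("tampered = " + verify(userId + "|Mallory", salt, presented));
    }
}
```

The receiving side can only verify if it already holds the same value and the salt it issued, which is why the answer has it hand out the salt first; a salt generated only on the sending side would have to travel with the hash, as the question suspects.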
