PHP - MD5，SHA，哈希安全 [英] PHP - MD5, SHA, Hashing security

问题描述

我是使用PHP构建的新网站的开发人员，我想知道用于哈希的最好的
是什么东西。我已经看了md5和sha1，但是还有什么更安全的。

我很抱歉，如果这是一个没有问题的问题，但我是PHP安全新手，我试图让我的
网站尽可能安全。还有什么是盐？

谢谢，

Waseem

I'm the developer of a new website built in PHP and I'm wondering what exactly is the best thing to use for hashing. I've looked at md5 and sha1 but is there anything more secure.
I'm sorry if this is a nooby question but I'm new to PHP Security and I'm trying to make my site as secure as possible. Also what is a salt?
Thanks,
Waseem

推荐答案

md5和sha1已经被证明对碰撞攻击有帮助，并且可以很容易地用彩虹
表格（当他们看到你的散列值在普通密码数据库中是否相同时）。

目前有两件事足够安全的密码，你可以使用。

第一个是sha512。 sha512是SHA2的子版本。 SHA2还没有被证明对碰撞攻击产生影响，而sha512会产生512位散列。以下是
如何使用sha512的示例：

First off md5 and sha1 have been proven to be vunrable to collision attacks and can be rainbow tabled easily (When they see if you hash is the same in their database of common passwords).
There are currently two things that are secure enough for passwords, that you can use.
The first being sha512. sha512 is a sub-version of SHA2. SHA2 has not yet been proven to be vunrable to collision attacks and sha512 will generate a 512 bit hash. Here is an example of how to use sha512:

<?php
hash('sha512',$password);

另一个选项叫做bcrypt。 bcrypt以其安全的哈希而闻名。它的
可能是那里最安全的一个，也是最可定制的一个。

在你想开始使用bcrypt之前，你需要检查你的服务器是否启用了，输入
这个代码：

The other option is called bcrypt. bcrypt is famous for its secure hashes. Its probably the most secure one out there and most customizable one too.
Before you want to start using bcrypt you need to check if your sever has it enabled, Enter this code:

<?php
if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
    echo "CRYPT_BLOWFISH is enabled!";
}else {
echo "CRYPT_BLOWFISH is not available";
}

如果它返回它被启用，那么下一步很容易，所有你需要做的是加密一个
的密码是（注意为了更多的可定制性，你需要看到这个）：

If it returns that it is enabled then the next step is easy, All you need to do to bcrypt a password is (Note for more customizability you need to see this How do you use bcrypt for hashing passwords in PHP?):

crypt($password, $salt);

现在回答第二个问题。 salt通常是一个随机字符串，当您将它们散列时，您会在
的末尾添加所有密码。使用salt意味着如果某人得到您的数据库
，他们无法检查哈希值以查找常见密码。检查数据库是使用彩虹表调用的。您应该始终在哈希时使用salt！

Now to answer your second question. A salt is usally a random string that you add at the end of all you passwords when you hash them. Using a salt means if some one gets your database they can not check the hashes for common passwords. Checking the database is called using a rainbow table. You should always use a salt when hashing!!

以下是我对SHA1和MD5碰撞攻击漏洞的证明：

http://www.schneier.com/blog/archives/2012/10/when_will_we_se.html ， http://eprint.iacr.org/2010/413.pdf， http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf ， http：//conf.isi.qut .edu.au / auscert / proceedings / 2006 / gauravaram06collision.pdf 和了解sha- 1碰撞无力

Here are my proofs for the SHA1 and MD5 collision attack vulnerabilities:
http://www.schneier.com/blog/archives/2012/10/when_will_we_se.html, http://eprint.iacr.org/2010/413.pdf, http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf, http://conf.isi.qut.edu.au/auscert/proceedings/2006/gauravaram06collision.pdf and Understanding sha-1 collision weakness

这篇关于PHP - MD5，SHA，哈希安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！