Java - Generating a random salt isn't random
Question
I'm trying to generate a salt in Java to use with a hashing algorithm for secure password storage. I'm using the following code to create the random salt:
    private static String getSalt() throws NoSuchAlgorithmException {
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        byte[] salt = new byte[16];
        sr.nextBytes(salt);
        System.out.println(salt.toString());
        return salt.toString();
    }
Which should generate a completely secure, randomly generated salt to use in my hashing algorithm. When I run the code, however, it keeps outputting the same salt every time, indicating that the salt being generated isn't random at all.
For obvious security purposes, each user needs a unique salt; however, if I use this code each time a new account is created, then every user will have the same salt, defeating the purpose of having it in the first place.
My question is this: Why does this keep giving me the same salt and what can I do to ensure the salt generated is completely random each time the code is run?
EDIT:
Thought I'd include the source code of the entire hashing program that has now been fixed and works properly. This is a simple prototype to simulate generating the hash upon creation of the account then checking the password when logging into the system.
package hashingwstest;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;
import java.util.Scanner;

public class HashingWSTest {

    public static void main(String[] args) throws NoSuchAlgorithmException {
        Scanner sc = new Scanner(System.in);
        System.out.print("Enter Password: ");
        String passwordToHash = sc.nextLine();
        byte[] bytes = getBytes();
        String salt = new String(bytes);
        String securePassword = hash256(passwordToHash, salt);
        System.out.println("Hash successfully generated");
        System.out.print("Enter your password again: ");
        String checkPassword = sc.nextLine();
        String checkHash = hash256(checkPassword, salt);
        if (checkHash.equals(securePassword)) {
            System.out.println("MATCH");
        }
        else {
            System.out.println("NO MATCH");
        }
    }

    private static String hash256(String passwordToHash, String salt) {
        String generatedPassword = null;
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt.getBytes());
            byte[] bytes = md.digest(passwordToHash.getBytes());
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < bytes.length; i++) {
                sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
            }
            generatedPassword = sb.toString();
        }
        catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
        return generatedPassword;
    }

    private static byte[] getBytes() throws NoSuchAlgorithmException {
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        byte[] bytes = new byte[16];
        sr.nextBytes(bytes);
        return bytes;
    }
}
Solution
You are printing out the byte array itself, not its contents. You need to loop through the array to see what it contains.
Edit:
Also changed getSalt to return a byte array. It is not safe to return a String constructed from the byte array (with new String(salt)) as the byte sequence may not form a valid String.
import java.security.*;

public class Salt {

    public static void main(String[] args) throws NoSuchAlgorithmException {
        getSalt();
    }

    private static byte[] getSalt() throws NoSuchAlgorithmException {
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        byte[] salt = new byte[16];
        sr.nextBytes(salt);
        for (int i = 0; i < 16; i++) {
            System.out.print(salt[i] & 0x00FF);
            System.out.print(" ");
        }
        return salt;
    }
}
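The following is an added example, not code from the question or the answer above. It pulls together the two points the answer makes (byte[].toString() does not show the bytes, and new String(bytes) is not a safe container for raw salt bytes) and goes one step beyond the page: the question's hash256 runs a single SHA-256 pass over salt and password, and the example swaps in PBKDF2-HMAC-SHA256 from the standard JDK plus a constant-time comparison, which is what a practitioner would deploy for stored passwords. The class name SaltDemo, the method names, the iteration count and the constructed byte array are all assumptions made for this example. It uses the no-argument SecureRandom constructor, which selects the platform default algorithm, rather than requesting SHA1PRNG by name.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Assumption: illustrative PBKDF2 work factor; tune for your hardware and threat model.
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;

    /** Fresh 16-byte salt, returned as raw bytes; the caller encodes it for storage. */
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    /** Hex rendering of the array contents, which byte[].toString() does not provide. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** Encodes bytes to a String via the platform charset and decodes them back,
     *  reporting whether the original bytes survived (the answer's warning). */
    static boolean survivesStringRoundTrip(byte[] salt) {
        String asText = new String(salt, StandardCharsets.UTF_8);
        byte[] back = asText.getBytes(StandardCharsets.UTF_8);
        return Arrays.equals(salt, back);
    }

    /** Base64 is a lossless text encoding for arbitrary bytes. */
    static boolean survivesBase64RoundTrip(byte[] salt) {
        String encoded = Base64.getEncoder().encodeToString(salt);
        byte[] back = Base64.getDecoder().decode(encoded);
        return Arrays.equals(salt, back);
    }

    /** PBKDF2-HMAC-SHA256 over the password and raw salt bytes, instead of one SHA-256 pass. */
    static byte[] hashPassword(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not leave the password in the spec
        }
    }

    /** Constant-time comparison so a mismatch does not leak how many bytes matched. */
    static boolean verify(char[] candidate, byte[] salt, byte[] storedHash)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        return MessageDigest.isEqual(hashPassword(candidate, salt), storedHash);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = newSalt();
        // byte[].toString() yields the type tag and identity hash, not the contents.
        System.out.println("salt.toString(): " + salt.toString());
        System.out.println("hex:             " + toHex(salt));
        System.out.println("base64:          " + Base64.getEncoder().encodeToString(salt));

        // Constructed sample: 0x80 and 0xff are never valid in UTF-8, so decoding
        // replaces them and the original bytes cannot be recovered from the String.
        byte[] awkward = {(byte) 0x80, 0x41, (byte) 0xff, 0x00};
        System.out.println("String round trip intact: " + survivesStringRoundTrip(awkward));
        System.out.println("Base64 round trip intact: " + survivesBase64RoundTrip(awkward));

        byte[] stored = hashPassword("correct horse".toCharArray(), salt);
        System.out.println("verify correct password: " + verify("correct horse".toCharArray(), salt, stored));
        System.out.println("verify wrong password:   " + verify("wrong".toCharArray(), salt, stored));
        System.out.println("second salt differs:     " + !Arrays.equals(salt, newSalt()));
    }
}
```

Store the Base64 (or hex) form of the salt next to the hash and decode it back to bytes before verifying; the raw bytes, not a String built from them, are what goes into the KDF on both the registration and the login path.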