PHP:迭代哈希是否更安全? [英] PHP: Does iterating a hash make it more secure?
问题描述
我想知道散列hash的过程是否有助于阻止对它的攻击(我认为是蛮力攻击)。因此,我的代码: 从我的工作中我的代码是安全的,因为它停止了彩虹表通过使用salt来进行攻击,并通过迭代散列来停止暴力攻击。 这次迭代实际上是否使得暴力攻击更难? 这样做是否可以模拟算法的行为作为bcrypt? 是的,它的确存在,原因很简单。哈希是为了速度而建立的,而不是安全的(因为它经常用来计算大文件的校验和)。因此,具有强大CPU(或使用GPU的黑客)的计算机可能会蛮横强制你的代码,比如说每秒10亿次哈希。 如果你确定你的散列算法较慢(通过遍历它一千次),同一台计算机只能每秒执行一百万次,而不是一百次。因此,如果攻击者用暴力破解密码需要60个小时,现在就需要6万个小时,这将是近7年的时间:) 然而,你的代码并没有正确实现它,你一次又一次地执行相同的动作,你应该散列你在前一个散列中得到的散列,再加上一些安全字符(通常是迭代索引)。 (i <1000){hash(somehash)} //错误的
$ p $ 函数hash_password($ password,$ salt,$ site_key){
$ hash = hash( 'sha512',$ password。$ salt。$ site_key);
for($ i = 0; $ i <1000; $ i ++){
$ hash = hash($ hash);
}
返回$ hash;
$ / code>
如果有的话,它会对性能产生多大影响? (需要多长时间散列1000次,我听到有人说你应该迭代散列,直到需要200毫秒)
while(i <1000){/ / $> ){hash = hash(hash。i)} //正确。
PHP已经为您内置了这种功能!使用 crypt()与 CRYPT_BLOWFISH (aka bcrypt ),你可以输入你的密码和salt到函数中,并在迭代和所有事情之后得到一个完成的哈希。有关详情,请 查看此问题。
I wanted to know if the process of hashing a hash would help stop attacks to it (brute-force I think) when used with salt as well. So my code:
function hash_password($password, $salt, $site_key) {
$hash = hash('sha512', $password . $salt . $site_key);
for ($i=0; $i<1000; $i++) {
$hash = hash($hash);
}
return $hash;
}
From what I can work out my code would be secure because it stops rainbow table attacks by using salt, and stops brute-force attacks by iterating the hash.
Would this iteration actually make brute-force attacks much harder? And if so how much would it affect the performance? (how long would it take to hash 1000 times, I heard someone said you should iterate the hash until it takes 200ms)
Does doing this emulate the behaviour of an algorithm such as bcrypt?
Yes, it does, for a simple reason. Hashes were built for speed, not security (as it is often used to calculate checksums for large files). Therefore, a computer with a strong CPU (or a hacker using a GPU) could brute force your code with let's say 1 billion hashes per second.
If you make sure your hashing algorithm is slower (by iterating over it a thousand times), the same computer would only be able to do this algorithm 1 million times per second, and not a hundred. So if it took the attacker 60 hours to crack a password with brute force, it would now take 60,000 hours which is nearly 7 years :)
However, your code does not implement it correctly, you are preforming the same action over and over, where you should hash the hash you got in the previous hash, plus add some security characters (usually the iteration index).
while (i < 1000) { hash(somehash) } //wrong
while (i < 1000) { hash = hash(hash . i) } //correct.
PHP already has this functionality built in for you! Using crypt() in conjunction with CRYPT_BLOWFISH (a.k.a bcrypt), You can do input your password and salt into the function, and get a finished hash, after iterations and everything. For more information, See this question.
这篇关于PHP:迭代哈希是否更安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
