
c# - Rfc2898DeriveBytes: how to verify a password stored as a hash value in the database

Reposted. Author: 太空狗. Updated: 2023-10-30 01:14:06

How do I verify a password that is stored as a hash value in the database?

When I verify the password hash against the database value, it is never the same, because a random salt is generated each time.

How do I add the salt so that I can verify and test?

Below is the code I use to hash and to verify hashed passwords.

My code:

using System;
using System.Security.Cryptography;

// Wrapper class and constants added so the fragment compiles; the question does
// not give the actual values, so these sizes are assumed.
internal static class PasswordHashing
{
    private const int SaltByteLength = 16;
    private const int DerivedKeyLength = 32;
    private const int iterationCount = 10000;

    /// <summary>
    /// Generate the Base64 value from the derived bytes.
    /// </summary>
    /// <param name="password">The password to hash.</param>
    /// <returns>Base64-encoded derived key.</returns>
    private static string GenerateHashValue(string password)
    {
        return Convert.ToBase64String(GenerateHashBytes(password));
    }

    /// <summary>
    /// Hashing the password using PBKDF2
    /// </summary>
    /// <param name="password">The password to hash.</param>
    /// <returns>The derived key bytes.</returns>
    private static byte[] GenerateHashBytes(string password)
    {
        byte[] hashValue;
        // create salt: a fresh random salt on every call, so the derived key
        // differs each time and the salt is never stored (the problem asked about)
        byte[] salt = GenerateRandomSalt();
        var valueToHash = string.IsNullOrEmpty(password) ? string.Empty : password;
        using (var pbkdf2 = new Rfc2898DeriveBytes(valueToHash, salt, iterationCount))
        {
            hashValue = pbkdf2.GetBytes(DerivedKeyLength);
        }
        return hashValue;
    }

    public static bool VerifyPassword(string password, string correctHash)
    {
        byte[] hash;
        // correctHash is the Base64 string produced by GenerateHashValue, so it has
        // to be Base64-decoded, not read as ASCII bytes
        byte[] OriginalHash = Convert.FromBase64String(correctHash);
        hash = GenerateHashBytes(password);
        return SlowEquals(hash, OriginalHash);
    }

    private static bool SlowEquals(byte[] a, byte[] b)
    {
        // compare every byte and OR the differences together, so the time taken
        // does not depend on where the first mismatch is
        var diff = (uint)a.Length ^ (uint)b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
        {
            diff |= (uint)(a[i] ^ b[i]);
        }
        return diff == 0;
    }

    /// <summary>
    /// Used to generate the random salt that is mixed into the hash.
    /// </summary>
    /// <returns>Random salt bytes.</returns>
    private static byte[] GenerateRandomSalt()
    {
        /* We are using the RNGCryptoServiceProvider class to create a cryptographically
           secure pseudo-random number generator that will generate the level of
           randomness and uniqueness we require for a salt. */
        var salt = new byte[SaltByteLength];
        using (var csprng = new RNGCryptoServiceProvider())
        {
            csprng.GetBytes(salt);
        }
        return salt;
    }
}

Best answer

You have to create a salt and store it in your database together with the password hash.

After hashing the password, you request the salt for user X (or whoever) from the database, check whether it exists, and then apply the salt to your hash.

It would look something like this (pseudocode, with some of the code you provided):

var salt = GetSaltFromDB();
if (salt == null) // Not yet in DB
    salt = GenerateSalt(); // This also saves the salt to DB
using (var pbkdf2 = new Rfc2898DeriveBytes(valueToHash, salt, iterationCount))
{
    hashValue = pbkdf2.GetBytes(DerivedKeyLength);
}
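The answer's approach carried through as a complete, added example (not code from the question or the answer): the iteration count and salt are stored alongside the derived key in one string, and verification re-derives the key with that stored salt before a constant-time comparison. The record format, the constants and the class name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
// Added example (not the question's or answer's code): store the iteration count,
// salt and derived key together so that verification reuses the same salt.
// Stored format: "{iterations}.{saltBase64}.{hashBase64}" (format is an assumption).
public static class PasswordHasher
{
    private const int SaltByteLength = 16;      // assumed size
    private const int DerivedKeyLength = 32;    // assumed size
    private const int IterationCount = 100_000; // assumed count

    public static string HashPassword(string password)
    {
        var salt = new byte[SaltByteLength];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] key = Derive(password ?? string.Empty, salt, IterationCount);
        return $"{IterationCount}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    public static bool VerifyPassword(string password, string stored)
    {
        // Reject a record that does not have the expected three fields.
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations < 1)
            return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        // Re-derive with the stored salt and iteration count, then compare in constant time.
        byte[] actual = Derive(password ?? string.Empty, salt, iterations);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return pbkdf2.GetBytes(DerivedKeyLength);
        }
    }

    public static void Main()
    {
        string stored = HashPassword("correct horse battery staple");
        Console.WriteLine(VerifyPassword("correct horse battery staple", stored));
        Console.WriteLine(VerifyPassword("wrong password", stored));
    }
}
```

Keeping the iteration count in the record lets it be raised for new passwords without invalidating existing ones, since each record is verified with the count it was created with.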

Regarding "c# - Rfc2898DeriveBytes: how to verify a password stored as a hash value in the database", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/46147841/
