个人中心
gpt4 book ai didi

asp.net - 我应该将(带盐的密码)存储在数据库中,还是将哈希密码和盐作为数据库中的两个不同字段存储?

转载 作者:搜寻专家 更新时间:2023-10-30 21:52:07 24 4
gpt4 key购买 nike

请问这种哈希技术对 asp.net 是否足够好?

我计划将散列密码保存在一个名为“密码”的字段中,然后对登录页面上的用户输入密码进行散列,看是否匹配

代码如下:

public const int SALT_BYTES = 24;
    public const int HASH_BYTES = 24;
    public const int PBKDF2_ITERATIONS = 1000;

    public const int ITERATION_INDEX = 0;
    public const int SALT_INDEX = 1;
    public const int PBKDF2_INDEX = 2;

    /// <summary>
    /// Creates a salted PBKDF2 hash of the password.
    /// </summary>
    /// <param name="password">The password to hash.</param>
    /// <returns>The hash of the password.</returns>
    public static string CreateHash(string password)
    {
        // Generate a random salt
        RNGCryptoServiceProvider csprng = new RNGCryptoServiceProvider();
        byte[] salt = new byte[SALT_BYTES];
        csprng.GetBytes(salt);

        // Hash the password and encode the parameters
        byte[] hash = PBKDF2(password, salt, PBKDF2_ITERATIONS, HASH_BYTES);
        return PBKDF2_ITERATIONS + ":" +
           Convert.ToBase64String(salt) + ":" +
           Convert.ToBase64String(hash);
    }

    /// <summary>
    /// Validates a password given a hash of the correct one.
    /// </summary>
    /// <param name="password">The password to check.</param>
    /// <param name="goodHash">A hash of the correct password.</param>
    /// <returns>True if the password is correct. False otherwise.</returns>
    public static bool ValidatePassword(string password, string goodHash)
    {
        // Extract the parameters from the hash
        char[] delimiter = { ':' };
        string[] split = goodHash.Split(delimiter);
        int iterations = Int32.Parse(split[ITERATION_INDEX]);
        byte[] salt = Convert.FromBase64String(split[SALT_INDEX]);
        byte[] hash = Convert.FromBase64String(split[PBKDF2_INDEX]);

        byte[] testHash = PBKDF2(password, salt, iterations, hash.Length);
        return SlowEquals(hash, testHash);
    }

    /// <summary>
    /// Compares two byte arrays in length-constant time. This comparison
    /// method is used so that password hashes cannot be extracted from 
    /// on-line systems using a timing attack and then attacked off-line.
    /// </summary>
    /// <param name="a">The first byte array.</param>
    /// <param name="b">The second byte array.</param>
    /// <returns>True if both byte arrays are equal. False otherwise.</returns>
    private static bool SlowEquals(byte[] a, byte[] b)
    {
        uint diff = (uint)a.Length ^ (uint)b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= (uint)(a[i] ^ b[i]);
        return diff == 0;
    }

    /// <summary>
    /// Computes the PBKDF2-SHA1 hash of a password.
    /// </summary>
    /// <param name="password">The password to hash.</param>
    /// <param name="salt">The salt.</param>
    /// <param name="iterations">The PBKDF2 iteration count.</param>
    /// <param name="outputBytes">The length of the hash to generate, in bytes.</param>
    /// <returns>A hash of the password.</returns>
    private static byte[] PBKDF2(string password, byte[] salt, int iterations, int outputBytes)
    {
        Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(password, salt);

        pbkdf2.IterationCount = iterations;
        return pbkdf2.GetBytes(outputBytes);
    }

如果我有办法改进它,如果您能指出某些我可以替换的代码,那就太棒了。

代码来自:http://crackstation.net/hashing-security.htm#aspsourcecode

先生/女士谢谢您++ :D

最佳答案

您上面提到的代码看起来不错。不过我没有找到任何盐。

我想提一下下面的代码来生成加盐的 HASH。

看看它是否可以帮助您解决同样的问题。

 ''' <summary>
''' Gets the hash of the string.
''' </summary>
''' <param name="pPassword">Provided password to encrypt</param>
Private Function GetHash(ByVal pPassword As String) As String
    Dim sHashedString As String
    dim sSalt1 as string = "YourSalt"
    dim sSalt2 as string = "YourSalt"
    Dim sSaltedString = sSalt1 & pPassword & sSalt2

    Try
        sHashedString = ConvertByteArrayToString(New System.Security.Cryptography.SHA1CryptoServiceProvider().ComputeHash(System.Text.ASCIIEncoding.ASCII.GetBytes(sSaltedString)))
    Catch oException As Exception
        sHashedString = String.Empty
    End Try

    Return sHashedString
End Function

''' <summary>
''' Converts the byte array to string.
''' </summary>
''' <param name="arrInput">The arr input.</param><returns></returns>
Private Function ConvertByteArrayToString(ByVal arrInput() As Byte) As String
    Dim i As Integer
    Dim sOutput As New System.Text.StringBuilder(arrInput.Length)

    For i = 0 To arrInput.Length - 1
        sOutput.Append(arrInput(i).ToString("X2"))
    Next

    Return sOutput.ToString()
End Function

您只需提供密码即可生成加密字符串。与我尝试过的其他功能相比,此功能更轻便。您可以在验证密码时简单地将密码作为字符串进行比较。无需添加任何其他功能或方法进行验证。

关于asp.net - 我应该将(带盐的密码)存储在数据库中,还是将哈希密码和盐作为数据库中的两个不同字段存储?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/13172185/

24 4 0
文章推荐: java - Android 词典应用程序和数据库查询
文章推荐: angular - 在带有 *ngFor 的 Angular 2 模板中使用可观察对象
文章推荐: ios - Alamofire 参数 - NSDictionary 不可转换为 [String : AnyObject]
文章推荐: typescript - Sublime Typescript 撤消构建文件
搜寻专家
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com