问题描述
我正在使用用户名+密码创建软件.强化后,用户可以访问某些半公共服务,还可以加密某些仅用户可以访问的文件.
I am creating a software with user + password. After autentification, the user can access some semi public services, but also encrypt some files that only the user can access.
如果可能的话,用户必须按原样存储,并且不做任何修改.经过身份验证后,只要软件正在运行,用户名和密码就会保留在内存中(我也不知道是否可以).
The user must be stored as is, without modification, if possible. After auth, the user and the password are kept in memory as long as the software is running (i don't know if that's okay either).
问题是我应该如何将这个用户名和密码组合存储在一个可能不安全的数据库中?
The question is how should i store this user + password combination in a potentially unsecure database?
我不太了解应该公开什么.
I don't really understand what should i expose.
假设我创建了这样的增强密钥:
Let's say I create an enhanced key like this:
salt = random 32 characters string (is it okay?)
key = hash(usr password + salt)
for 1 to 65000 do
key = hash(key + usr password + salt)
我应该在数据库中存储[纯文本用户],[增强密钥]和[salt]吗?
Should I store the [plaintext user], [the enhanced key] and [the salt] in the database ?
此外,每次使用新密码来加密(使用AES或Blowfish)某些文件时,我应该使用什么?我是否应该使用(存储在程序内存中的密码+ salt)生成一个新的salt并创建一个新的增强密钥?在这种情况下,如果我将加密文件存储在数据库中,则可能应该只存储盐.该数据库与我存储用户名和密码组合的位置相同.
Also, what should I use to encrypt (with AES or Blowfish) some files using a new password everytime ?Should I generate a new salt and create a new enhanced key using (the password stored in memory of the program + the salt) ?And in this case, if i store the encrypted file in the database, i should probably only store the salt.The database is the same as where i store the user + password combination.
仅当某人可以生成密钥,但他不知道密码时,才可以解密该文件.是吗?
The file can only be decrypted if someone can generate the key, but he doesn't know the password. Right ?
我将Python与PyCrypto结合使用,但这并不是很重要,一般的例子就可以了.我读过一些类似的问题,但是它们不是很明确.
I use Python with PyCrypto, but it's not really important, a general example is just fine.I have read a few similar questions, but they are not very explicit.
非常感谢您!
推荐答案
密码很难正确使用,问一个问题很好.
Crypto is hard to get right, it's good that you're asking questions.
存储密码:应使用密钥扩展算法对密码进行哈希处理.通常,您想使用一个库而不是自己实现.密钥扩展算法旨在缩短处理器周期,因此最好使用不错的C代码对其进行评估.如果您使用的是glibc的Linux系统,则可以使用crypt.crypt模块(读取man crypt):
Storing passwords: Passwords should be hashed using a key stretching algorithm. Typically, you want to use a library rather than implement it yourself. Key stretching algorithms are designed to chew up processor cycles, so it's nice to evaluate them with nice C code. If you are on a Linux system with glibc, you can use the crypt.crypt module (read man crypt):
import crypt
encrypted = crypt.crypt(password, '$6$' + salt + '$')
这将返回一个ASCII字符串,您可以将其安全地存储在数据库中. ($6$是glibc扩展,它使用基于SHA-512的键扩展功能.如果没有此扩展,请不要使用crypt.crypt.) (该算法与您在问题中询问的算法非常相似.但是,最佳实践通常是让图书馆来做这些事情,而不是自己动手做.)
This returns an ASCII string which you can safely store in your database. (The $6$ is a glibc extension that uses a key stretching function based on SHA-512. If you don't have this extension, then don't use crypt.crypt). ( The algorithm is very similar to the one you asked about in your question. However, best practice is usually to let a library do that stuff rather than rolling your own.)
加密文件:请勿自己执行此操作.安装GnuPG(或scrypt,bcrypt,ncrypt等).当您设计自己的加密文件方式时,有些事情很容易出错.这些工具使用适当的密钥派生功能,身份验证哈希和密码模式,而无需任何其他配置.它们不是Python库,而是可执行文件,因此您必须编写一个使用subprocess模块的包装器.
Encrypting files: Do not do this yourself. Install GnuPG (or scrypt, bcrypt, ncrypt, what have you). There are a few things that can easily go wrong when you design your own way to encrypt files. These tools use the proper key derivation functions, authentication hashes, and cipher modes without any additional configuration. They're not Python libraries, but executables, so you'll have to write a wrapper that uses the subprocess module.
内存中的密码:不.在对照密码数据库检查了用户密码后,请使用密钥派生功能将密码转换为密钥.然后,您可以使用该密钥来解锁加密的文件,但是您将无法再使用它来找回原始密码.
Passwords in memory: Don't. Once you've checked the user's password against your password database, convert the password to a key using a key derivation function. You can then use the key to unlock encrypted files, but you can no longer use it to get the original password back.
这篇关于在数据库中存储用户和密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!