问题描述
我想过渡到Blowfish进行的认证系统。忍耐一下,我不是一个密码,我的河豚的理解是还没有应用。
I'm trying to transition to Blowfish for an authentication system. Bear with me, I'm not a cryptographer and my understanding of Blowfish is not quite there yet.
目前的设置使用SHA1和盐。的盐为每个用户产生,并存储在数据库中。它归结为:
The current setup uses sha1 and salts. The salts are generated for each user and stored in the database. It boils down to this:
$salt = $this->getSalt($username);
$hash = sha1($password . $salt);
if ($hash == $hashInDB)
{
// user is authenticated, set session id etc ...
}
的 getSalt()
方法获取存储在数据库中指定用户的盐。
The getSalt()
method gets the salt stored in the database for the specified user.
现在,如果我理解正确的一切,隐窝我应该做的:
Now if I understand everything correctly, with crypt I should be doing:
$salt = '$2a$07$' . $this->getSalt($username) . '$';
$hash = crypt($password, $salt);
if ($hash == crypt($password, $saltInDB))
{
// The user is authenticated, set session id etc..
}
要澄清一下,第二个例子中, $ saltInDB
变量,就像是'价值'$ 2A $ $ 07 $ arandomsaltcreatedatregistration。
To clarify, for the second example the $saltInDB
variable, is a value like `'$2a$07$arandomsaltcreatedatregistration$'.
- 我这样做对吗?
推荐答案
您的例子几乎是正确的。
Your example is almost correct.
当你创建一个的crypt()
函数的哈希,你将看到使用的参数(算法,成本和盐)是生成的散列的部分(哈希的开始):
When you create a hash with the crypt()
function, you will see that the used parameters (algorithm, cost and salt) are part of the generated hash (the begin of the hash):
$2a$07$LCzy1mE0b9lS8Uyx9HEeUgHm8zH1iDDZ5...
这意味着,你可以替换 $ saltInDB
与 $ hashInDB
,地穴()函数将提取所需要的从 $ hashInDB
自动参数。这也回答您有关存储盐问题,刚才的哈希值存储在数据库中,盐是包含在那里。是的,你应该为每一个口令一个新的盐。
That means, you can replace $saltInDB
with $hashInDB
, the crypt() function will extract the needed parameters automatically from $hashInDB
. This also answers your question about storing the salt, just store the hash value in the database, the salt is included there. And yes you should generate a new salt for each password.
不需要的盐后,$
有关如何生成一个bcrypt哈希你可以找到更多信息如果你正在寻找一个完善的图书馆,我可以推荐。
More information about how to generate a bcrypt-hash you can find here, if you are looking for a well established library, i can recommend phpass.
这篇关于Bycript /河豚并与现有的身份验证系统盐的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!