我想问一下这种散列技术对于asp.net是否足够好?
我计划将散列密码保存在一个名为'password'的字段中,然后在登录页面上对用户输入密码进行哈希处理,看看它是否匹配
以下是代码:
public const int SALT_BYTES = 24;
public const int HASH_BYTES = 24;
public const int PBKDF2_ITERATIONS = 1000;
public const int ITERATION_INDEX = 0;
public const int SALT_INDEX = 1;
public const int PBKDF2_INDEX = 2;
/// <summary>
/// Creates a salted PBKDF2 hash of the password.
/// </summary>
/// <param name="password">The password to hash.</param>
/// <returns>The hash of the password.</returns>
public static string CreateHash(string password)
{
// Generate a random salt
RNGCryptoServiceProvider csprng = new RNGCryptoServiceProvider();
byte[] salt = new byte[SALT_BYTES];
csprng.GetBytes(salt);
// Hash the password and encode the parameters
byte[] hash = PBKDF2(password, salt, PBKDF2_ITERATIONS, HASH_BYTES);
return PBKDF2_ITERATIONS + ":" +
Convert.ToBase64String(salt) + ":" +
Convert.ToBase64String(hash);
}
/// <summary>
/// Validates a password given a hash of the correct one.
/// </summary>
/// <param name="password">The password to check.</param>
/// <param name="goodHash">A hash of the correct password.</param>
/// <returns>True if the password is correct. False otherwise.</returns>
public static bool ValidatePassword(string password, string goodHash)
{
// Extract the parameters from the hash
char[] delimiter = { ':' };
string[] split = goodHash.Split(delimiter);
int iterations = Int32.Parse(split[ITERATION_INDEX]);
byte[] salt = Convert.FromBase64String(split[SALT_INDEX]);
byte[] hash = Convert.FromBase64String(split[PBKDF2_INDEX]);
byte[] testHash = PBKDF2(password, salt, iterations, hash.Length);
return SlowEquals(hash, testHash);
}
/// <summary>
/// Compares two byte arrays in length-constant time. This comparison
/// method is used so that password hashes cannot be extracted from
/// on-line systems using a timing attack and then attacked off-line.
/// </summary>
/// <param name="a">The first byte array.</param>
/// <param name="b">The second byte array.</param>
/// <returns>True if both byte arrays are equal. False otherwise.</returns>
private static bool SlowEquals(byte[] a, byte[] b)
{
uint diff = (uint)a.Length ^ (uint)b.Length;
for (int i = 0; i < a.Length && i < b.Length; i++)
diff |= (uint)(a[i] ^ b[i]);
return diff == 0;
}
/// <summary>
/// Computes the PBKDF2-SHA1 hash of a password.
/// </summary>
/// <param name="password">The password to hash.</param>
/// <param name="salt">The salt.</param>
/// <param name="iterations">The PBKDF2 iteration count.</param>
/// <param name="outputBytes">The length of the hash to generate, in bytes.</param>
/// <returns>A hash of the password.</returns>
private static byte[] PBKDF2(string password, byte[] salt, int iterations, int outputBytes)
{
Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(password, salt);
pbkdf2.IterationCount = iterations;
return pbkdf2.GetBytes(outputBytes);
}
如果有办法我可以改进这一点,那么如果你能指出我可以替换的某些代码那就太棒了。
代码来自:http://crackstation.net/hashing-security.htm#aspsourcecode
先生/女士谢谢++:D
答案 0 :(得分:5)
您上面提到的代码看起来不错。我没有找到任何盐。
我想提及以下代码来生成盐渍HASH。
看看它是否能为你提供帮助。
''' <summary>
''' Gets the hash of the string.
''' </summary>
''' <param name="pPassword">Provided password to encrypt</param>
Private Function GetHash(ByVal pPassword As String) As String
Dim sHashedString As String
dim sSalt1 as string = "YourSalt"
dim sSalt2 as string = "YourSalt"
Dim sSaltedString = sSalt1 & pPassword & sSalt2
Try
sHashedString = ConvertByteArrayToString(New System.Security.Cryptography.SHA1CryptoServiceProvider().ComputeHash(System.Text.ASCIIEncoding.ASCII.GetBytes(sSaltedString)))
Catch oException As Exception
sHashedString = String.Empty
End Try
Return sHashedString
End Function
''' <summary>
''' Converts the byte array to string.
''' </summary>
''' <param name="arrInput">The arr input.</param><returns></returns>
Private Function ConvertByteArrayToString(ByVal arrInput() As Byte) As String
Dim i As Integer
Dim sOutput As New System.Text.StringBuilder(arrInput.Length)
For i = 0 To arrInput.Length - 1
sOutput.Append(arrInput(i).ToString("X2"))
Next
Return sOutput.ToString()
End Function
您只需提供密码即可生成加密字符串。 与我尝试的其他功能相比,此功能更轻。 您可以在验证密码时将密码简单地比作字符串。无需添加任何其他功能或方法进行验证。