盐的安全性是多少盐的安全性

时间:2013-12-07 04:43:19

标签: vb.net security encryption salt

什么时候腌制密码太安全了?我有几个加密和解密功能作为用户密码,但我担心它是否有点过分。

首先,我的加密方法采用加密密码和盐,并将其全部放在我的数据库中的一个字符串(最多256个字符)中。除此之外,它实际上只使用我原来的128字符盐字符串的32个字符串加密密码,该函数随机选择。

    Public Function EncryptPassword(Password As String) As String

        Dim EPassword As String = String.Empty

        ' Generate Random 128 Base64 Salt String
        Dim Salt As String = Var.Simple3Des.GenerateSalt

        ' Divide into Substrings, and combine into splitable string
        Dim SmallSalts As String = Salt.Substring(0, 32) + "." + Salt.Substring(32, 32) + "." + Salt.Substring(64, 32) + "." + Salt.Substring(96, 32)

        ' Create the Salt Array
        Dim SaltArray = Split(SmallSalts, ".")

        ' Randomly Choose part of the array to actually use as salt
        Dim rnd As New Random
        Dim TrueSalt As String = SaltArray(rnd.Next(0, SaltArray.Length))

        ' Encrypt The Password
        Dim Security As New Var.Simple3Des(TrueSalt)
        EPassword = Security.EncryptData(Password)

        ' Divide up the salt and password and place into same string
        Dim PasswordString As String = Salt.Substring(0, 16) + EPassword.Substring(0, 6) + Salt.Substring(16, 112) + EPassword.Substring(6, EPassword.Length - 6)

        Return PasswordString

    End Function

然后我使用相同的公式来解密密码,尝试所有可能的子字符串组合,直到找到正确的字符串组合。

 Public Function DecryptPassword(NtID As String)

            ' Grab The Users Encrypted Password
            Dim UserID As Integer = GetAppUserID(NtID)
            Dim User As Users = Var.db.Web.Users.Find(UserID)
            Dim EPassword = User.Password

            ' Divided the Encrypted Password Into Salt and Actual Password
            Dim Salt As String = EPassword.Substring(0, 16) + EPassword.Substring(22, 112)
            Dim Password As String = EPassword.Substring(16, 6) + EPassword.Substring(134, EPassword.Length - 134)
            Dim DPassword As String = String.Empty

            ' Try each substring of Salt until password is Decrypted.
            Try
                If DPassword = String.Empty Then
                    Dim Security As New Var.Simple3Des(Salt.Substring(0, 32))
                    DPassword = Security.DecryptData(Password)
                End If
            Catch ex As Exception
                DPassword = String.Empty
            End Try

            Try
                If DPassword = String.Empty Then
                    Dim Security As New Var.Simple3Des(Salt.Substring(32, 32))
                    DPassword = Security.DecryptData(Password)
                End If
            Catch ex As Exception
                DPassword = String.Empty
            End Try

            Try
                If DPassword = String.Empty Then
                    Dim Security As New Var.Simple3Des(Salt.Substring(64, 32))
                    DPassword = Security.DecryptData(Password)
                End If
            Catch ex As Exception
                DPassword = String.Empty
            End Try

            Try
                If DPassword = String.Empty Then
                    Dim Security As New Var.Simple3Des(Salt.Substring(96, 32))
                    DPassword = Security.DecryptData(Password)
                End If
            Catch ex As Exception
                DPassword = String.Empty
            End Try

            Return DPassword
        End Function

我的问题是 A.除了可能出现的性能问题外,这种方法还有哪些危险? B.这是否过度,是否正在腌制和存储这样的盐/密码甚至是必要的? C.如果这是不必要的,我可以使用其他方法来加盐和存储盐/密码吗?

1 个答案:

答案 0 :(得分:4)

这是一个很棒的网站,可以讨论您感兴趣的事情:https://crackstation.net/hashing-security.htm。他们所说的总体观点是:

  1. 如果你自己不小心,搞乱安全的算法实际上会降低他们的安全性。
  2. 这样做太过分了,因为您必须假设攻击者在破解您的数据库之前会获取您的代码,因此他们会知道您的方案。
  3. 只需存储哈希和盐即可。这就是哈希和盐的重点。

    4. 我经常使用crackstation页面作为散列安全性的一般参考。我强烈建议阅读它,因为它可能包含大量你会发现相关的信息,我在这里省略了。

相关问题
最新问题