Password hash functions: the risks and challenges of password hashing

Updated: 2023-07-18 08:12:52

In a , password hashing was discussed as a way to securely store user credentials in an application. Security is always a very controversial topic, much like politics and religion, where many points of view exist and a ‘perfect solution’ for someone is not the same to others. In my opinion, breaking an application’s security measures is just a matter of time. With computer power and complexity increasing every day, today’s secure applications will not be so secure tomorrow.
For our readers who are not familiar with what a hash algorithm is, it’s nothing more than a one way function that maps data of variable length to data of fixed length. So if we analyze the above definition we need to understand the following requirements and characteristics of such algorithms:
One way function: the output cannot be reversed using an efficient algorithm.
Maps data of variable length to data of fixed length: meaning that the input message space can be “infinite”, but the output space is not. This has the implication that 2 or more input messages can have the same hash. The smaller the output space, the greater the probability of a ‘collision’ between two input messages.
has confirmed practical collisions and ’s probabilities for reaching a collision are growing every day (more info on collision probability can be found by analyzing the classic ), so if we need to apply a hashing algorithm, we should use the ones that have greater output space (and a negligible collision probability), such as , , etc…
They are also called ‘ functions’, meaning that the output of a hashing function should be indistinguishable from a true random number generator (or TRNG).
Why simple hashing is insecure for storing passwords
The fact that the output of a hash function cannot be reverted back to the input using an efficient algorithm does not mean that it cannot be cracked. Databases containing hashes of common words and short strings are usually within our reach with a simple Google search. Also, common strings can be easily and quickly or cracked with a dictionary attack.
Demonstration
Here is a quick on how a tool like can crack passwords via SQL injection by brute-forcing md5 hashes in a database.
Also, we could have just done the simplest of attacks… just grab the hash and … Chances are that the hash exists in an online database. Examples of hash databases are:
We also have to consider that since 2 or more identical passwords will indeed have the same hash value, cracking one hash will automatically give you the passwords of every single user that used the same. Just to be clear, say you have thousands of users, it is very likely that a fair amount of them will use (if password policies are not enforced) the infamous ‘123456’ password. The md5 hash value of that password is ‘e10adc3949ba59abbe56e057f20f883e’, so when you crack this hash (if you even have to) and search for all the users who have this value in their password field, you will know that every single one of them used the ‘123456’ password.
Why salted hashes are insecure for storing passwords
To mitigate this attack, became common but obviously are not enough for today’s computing power, especially if the salt string is short, which makes it brute-forceable.
The basic password/salt function is defined as:
f(password, salt) = hash(password + salt)
In order to mitigate a brute-force attack, a salt should be as long as 64 characters, however, in order to authenticate a user later on, the salt must be stored in plain text inside the database, so:
if (hash([provided password] + [stored salt]) == [stored hash]) then user is authenticated
Since every user will have a completely different salt, this also avoids the problem with simple hashes, where we could easily tell if 2 or more users are using the same password; now the hashes will be different. We can also no longer take the password hash directly and try to google it. Also, with a long salt, a brute-force attack is improbable. But, if an attacker gets access to this salt either by an SQL injection attack or direct access to the database, a brute-force or dictionary attack becomes probable, especially if your users use common passwords (again, like ‘123456’):
Generate some string or get entry from dictionary
Concatenate with salt
Apply hash algorithm
If generated hash == hash in database then Bingo
else continue iterating
But even if one password gets cracked, that will not automatically give you the password for every user who might have used it, since no user should have the same stored hash.
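The difference between the two storage schemes can be seen from the defender's side by auditing a credential table for repeated hash values. The following is an added example, not code from the original article; the account names, passwords and function names are constructed for illustration, and SHA-256 stands in for the unspecified hash in f(password, salt).

```php
<?php
// Constructed sample accounts (not data from the article); three share '123456'.
$users = ['alice' => '123456', 'bob' => 'tr0ub4dor&3', 'carol' => '123456', 'dave' => '123456'];

// Simple hashing: every identical password maps to the same stored value.
function storeUnsalted(array $users): array
{
    return array_map('md5', $users); // string keys (user names) are preserved
}

// f(password, salt) = hash(password + salt), with a fresh salt per user
// stored in plain text beside the hash.
function storeSalted(array $users): array
{
    $rows = [];
    foreach ($users as $name => $password) {
        $salt = bin2hex(random_bytes(32)); // 64 characters from the OS CSPRNG (PHP >= 7)
        $rows[$name] = ['salt' => $salt, 'hash' => hash('sha256', $password . $salt)];
    }
    return $rows;
}

// The authentication check from the text, using a constant-time comparison.
function verifySalted(array $row, string $provided): bool
{
    return hash_equals($row['hash'], hash('sha256', $provided . $row['salt']));
}

// Audit helper: stored hash => list of accounts, for hashes that occur more than once.
function sharedHashes(array $hashes): array
{
    $groups = [];
    foreach ($hashes as $name => $hash) {
        $groups[$hash][] = $name;
    }
    return array_filter($groups, function (array $names) {
        return count($names) > 1;
    });
}

$unsalted     = storeUnsalted($users);
$salted       = storeSalted($users);
$saltedHashes = array_map(function (array $row) { return $row['hash']; }, $salted);

print_r(sharedHashes($unsalted));      // accounts grouped under a shared MD5 value
print_r(sharedHashes($saltedHashes));  // same audit over the salted store
var_dump(verifySalted($salted['alice'], '123456'));
var_dump(verifySalted($salted['alice'], '1234567'));
```

On the unsalted table the audit groups alice, carol and dave under e10adc3949ba59abbe56e057f20f883e; on the salted table it finds no shared values, while the login check still accepts only the correct password.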
The randomness issue
In order to generate a good salt, we should have a good random number generator. If php’s rand() function automatically popped up in your mind, forget it immediately.
There is an excellent article about randomness in . Simply put, a computer can’t think of random data by itself. Computers are said to be , meaning that every single algorithm a computer is able to run, given the exact same input, will always produce the same output.
When a random number is requested from the computer, it typically gets inputs from several sources, like environment variables (date, time, # of bytes read/written, uptime…), then applies some calculations on them to produce random data. This is the reason why random data given by an algorithm is called pseudo-random, and thus it is important to differentiate it from a true random data source. If we are somehow able to recreate the exact conditions present at the moment of the execution of a pseudo-random number generator (or PRNG), we will automatically have the original generated number.
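The reproducibility described above is easy to observe with a salt generator built on mt_rand(). The following is an added example, not code from the original article; the function names are hypothetical and the timestamp is a constructed stand-in for "the exact conditions present at the moment of execution".

```php
<?php
// Weak: the salt is fully determined by the seed handed to the PRNG.
function weakSalt(int $seed, int $byteLength = 16): string
{
    mt_srand($seed);                      // same seed, same internal state
    $bytes = '';
    for ($i = 0; $i < $byteLength; $i++) {
        $bytes .= chr(mt_rand(0, 255));
    }
    return bin2hex($bytes);
}

// Strong: bytes come from OpenSSL's CSPRNG; fail closed instead of
// silently falling back to a predictable generator.
function strongSalt(int $byteLength = 16): string
{
    $bytes = openssl_random_pseudo_bytes($byteLength, $cryptoStrong);
    if ($bytes === false || !$cryptoStrong) {
        throw new RuntimeException('No cryptographically strong random source available');
    }
    return bin2hex($bytes);
}

$signupTime = 1689667972;                 // constructed Unix timestamp used as the seed

$original  = weakSalt($signupTime);       // salt created at signup
$recreated = weakSalt($signupTime);       // salt rebuilt later from the same conditions

echo "weak salt:      $original\n";
echo "recreated salt: $recreated\n";
var_dump($original === $recreated);       // compares the two seeded salts
var_dump(strongSalt() === strongSalt());  // compares two CSPRNG salts
```

A 16-byte salt from weakSalt() carries no more uncertainty than its seed does, which for a clock-derived seed is far less than the 128 bits its length suggests.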
Additionally, if a PRNG is not properly implemented, it is possible to discover patterns in the generated data. If patterns exist, we can predict the outcome… Take for instance the case of PHP’s rand() function on Windows as documented . While it is not clear which PHP or Windows version is used, you can immediately tell there is something wrong by looking at the bitmap generated by using rand():
Compare to the output image from a TRNG:
Even though the issue has been addressed on PHP >= 5, rand() and even mt_rand() are still considered highly inadequate for security related purposes.
If you need to generate random data, please use available as of PHP 5 >= 5.3.0, it even has the crypto_strong flag that will tell you if the bytes are secure enough.
Here is a quick code sample to generate random strings using openssl_random_pseudo_bytes():
<?php
function getRandomBytes($byteLength)
{
    /*
     * Checks if openssl_random_pseudo_bytes is available
     */
    if (function_exists('openssl_random_pseudo_bytes')) {
        $randomBytes = openssl_random_pseudo_bytes($byteLength, $cryptoStrong);
        if ($cryptoStrong) {
            return $randomBytes;
        }
    }
    /*
     * if openssl_random_pseudo_bytes is not available or its result is not
     * strong, fallback to a less secure RNG
     */
    $hash = '';
    $randomBytes = '';
    /*
     * On linux/unix systems, /dev/urandom is an excellent entropy source, use
     * it to seed initial value of $hash
     */
    if (file_exists('/dev/urandom')) {
        $fp = fopen('/dev/urandom', 'rb');
        if ($fp) {
            if (function_exists('stream_set_read_buffer')) {
                // Disable read buffering so only the requested bytes are read
                stream_set_read_buffer($fp, 0);
            }
            $hash = fread($fp, $byteLength);
            fclose($fp);
        }
    }
    /*
     * Use the less secure mt_rand() function, but never rand()!
     */
    for ($i = 0; $i < $byteLength; $i++) {
        $hash = hash('sha256', $hash . mt_rand());
        // Pick two adjacent hex digits of the 64-character digest as one byte
        $char = mt_rand(0, 62);
        $randomBytes .= chr(hexdec($hash[$char] . $hash[$char + 1]));
    }
    return $randomBytes;
}
Password stretching can be effective if done right
To further mitigate brute-force attacks, we can implement the password stretching technique. This is just an iterative or recursive algorithm that calculates a hash value over and over in itself, usually tens of thousands of times (or more).
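One way to apply stretching when storing and checking a password, as an added example that is not code from the original article. It uses PBKDF2 through PHP's built-in hash_pbkdf2() (PHP >= 5.5) as the iterated hash, which is a substitution for the unspecified algorithm in the text; the iteration count, record layout and function names are assumptions.

```php
<?php
// Assumed cost setting for new records; tune it to the hardware in use.
const STRETCH_ITERATIONS = 100000;

// Build a stored record. Salt and iteration count are kept beside the hash
// so the same computation can be repeated at login and the cost raised later.
function stretchNew(string $password, int $iterations = STRETCH_ITERATIONS): array
{
    $salt = bin2hex(random_bytes(32));    // per-user salt from the OS CSPRNG (PHP >= 7)
    return [
        'iterations' => $iterations,
        'salt'       => $salt,
        'hash'       => hash_pbkdf2('sha256', $password, $salt, $iterations),
    ];
}

// Recompute with the record's own parameters and compare in constant time.
function stretchVerify(array $record, string $provided): bool
{
    $candidate = hash_pbkdf2('sha256', $provided, $record['salt'], $record['iterations']);
    return hash_equals($record['hash'], $candidate);
}

// True when a record was created with a lower cost than the current setting,
// so it can be re-stretched the next time the user logs in successfully.
function needsRestretch(array $record): bool
{
    return $record['iterations'] < STRETCH_ITERATIONS;
}

// Wall-clock seconds spent on a single guess at a given iteration count.
function secondsPerGuess(int $iterations): float
{
    $start = microtime(true);
    hash_pbkdf2('sha256', 'constructed-guess', 'constructed-salt', $iterations);
    return microtime(true) - $start;
}

$record = stretchNew('123456');           // constructed sample password
var_dump(stretchVerify($record, '123456'));
var_dump(stretchVerify($record, '1234567'));
var_dump(needsRestretch(stretchNew('123456', 10000)));
printf("%d iteration(s): %.6f s per guess\n", 1, secondsPerGuess(1));
printf("%d iteration(s): %.6f s per guess\n", STRETCH_ITERATIONS, secondsPerGuess(STRETCH_ITERATIONS));
```

The two timing lines show what stretching buys: the legitimate login pays the cost once, while a dictionary run over a stolen table pays it for every candidate and every salt.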
