In the past, when dealing with passwords, I've always stored a salt and a hashed password separately in my data store. Today I was looking to update some legacy code to use an RFC 2898 hash value. I came across the Crypto.Hash methods from System.Web.Helpers. It looks like these will do most of the heavy lifting for me. There are GenerateSalt(), HashPassword(), and VerifyHashedPassword() methods. The HashPassword() and VerifyHashedPassword() methods don't take a salt value. The MSDN documentation for the HashPassword() method says:
"The format of the generated hash bytestream is {0x00, salt, subkey}, which is base-64 encoded before it is returned."
Do I need to worry about a salt? The documentation seems to say that a salt will be generated automatically and stored in the base-64 encoded value? Is this correct? All I need to store is the string returned from HashPassword()?
Answer
All passwords need to be salted in order to hash them securely. In this case, however, you are correct. System.Web.Helpers.Crypto takes care of creating a salt for you. You don't need to create one. It is stored in the string returned by Crypto.HashPassword().
All you need to do is something like this.
```csharp
using System.Web.Helpers;

public void SavePassword(string unhashedPassword)
{
    // HashPassword generates a random salt and embeds it in the returned string.
    string hashedPassword = Crypto.HashPassword(unhashedPassword);
    // Save hashedPassword somewhere that you can retrieve it again.
    // Don't save unhashedPassword! Just let it go.
}

public bool CheckPassword(string savedHashedPassword, string unhashedPassword)
{
    // savedHashedPassword is the string previously returned by HashPassword,
    // loaded from wherever you saved it.
    return Crypto.VerifyHashedPassword(savedHashedPassword, unhashedPassword);
}
```
More Information

- If you would like to see the source code for the Crypto class you can view it here.
- And here is a good blog on the class and some of the ideas behind it.
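To make the "{0x00, salt, subkey}, base-64 encoded" layout from the quoted documentation concrete, here is an added example (not code from the page or from ASP.NET) that builds and verifies a hash in that layout, and pulls the embedded salt back out, so you can see why nothing but the returned string needs to be stored. The iteration count, salt size and subkey size are assumptions matching the ASP.NET Crypto class as I know it; the page itself does not state them.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Layout of the stored value, per the MSDN text quoted in the question:
#   base64( 0x00 || salt || subkey )
# Sizes and iteration count are assumptions (ASP.NET Crypto uses these values):
# 16-byte salt, 32-byte subkey, PBKDF2-HMAC-SHA1 with 1000 iterations.
VERSION_BYTE = 0x00
SALT_SIZE = 16
SUBKEY_SIZE = 32
ITERATIONS = 1000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the base64 string; a fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=SUBKEY_SIZE)
    return base64.b64encode(bytes([VERSION_BYTE]) + salt + subkey).decode("ascii")


def extract_salt(hashed_password: str) -> bytes:
    """Read the embedded salt back out of a stored hash string."""
    raw = base64.b64decode(hashed_password)
    return raw[1:1 + SALT_SIZE]


def verify_hashed_password(hashed_password: str, password: str) -> bool:
    """Re-derive the subkey with the embedded salt and compare in constant time."""
    try:
        raw = base64.b64decode(hashed_password, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Anything that is not exactly version || salt || subkey is rejected outright.
    if len(raw) != 1 + SALT_SIZE + SUBKEY_SIZE or raw[0] != VERSION_BYTE:
        return False
    salt = raw[1:1 + SALT_SIZE]
    stored_subkey = raw[1 + SALT_SIZE:]
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                    ITERATIONS, dklen=SUBKEY_SIZE)
    return hmac.compare_digest(stored_subkey, candidate)
```

Hashing the same password twice yields two different strings (different random salts) that both verify, which is exactly why no separate salt column is needed.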