
PHP - Using a one-time pad to store encrypted passwords

Given that a one-time pad is unbreakable (to the best of my knowledge, please feel free to correct me), if I were to generate a pad, and use this same exact pad to encrypt passwords for a website when a user is created and store the encrypted password in my database, is this a safe method? In other words, is it ok to keep this same pad forever as long as no one ever sees what the pad is?

Should I instead use something like mcrypt?

What you would do with the one-time pad is encrypt the password. Encrypting passwords is not optimal, because however you do it, you will be able to decrypt the password. Your application itself must have access to the key (or the keys, since every one-time pad can only encrypt a single password), so an attacker can too if he has enough privileges.

That's why we use hash functions to store passwords: they are one-way, so you can check whether an entered password results in the same hash, but you cannot get the original password back. PHP offers the function password_hash() to generate such hash values; it handles all the pitfalls of generating random salts and uses the slow BCrypt to hash passwords.
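The store/verify flow the answer describes, as an added example that is not part of the original answer. It uses only PHP's built-in password_hash(), password_verify() and password_needs_rehash(); the cost value and the demo passwords are assumptions for illustration.

```php
<?php
// Added example (not from the original answer): one-way password storage with
// PHP's built-in functions, in place of encrypting passwords with a reusable pad.
declare(strict_types=1);

// Assumed bcrypt cost for this demo; tune it to your hardware.
const PASSWORD_COST = 12;

// Registration: hash the password and store only the hash. PASSWORD_DEFAULT is
// bcrypt in current PHP; a random per-user salt is generated and embedded in
// the returned string, so nothing secret has to be kept alongside the database.
function storePassword(string $plaintext): string
{
    $hash = password_hash($plaintext, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
    if (!is_string($hash)) { // older PHP versions return false on failure
        throw new RuntimeException('password_hash failed');
    }
    return $hash; // e.g. "$2y$12$..." (60 characters); this is what goes in the DB
}

// Login: constant-time comparison against the stored hash. The original
// password is never recoverable from what the application stores.
function checkPassword(string $plaintext, string $storedHash): bool
{
    return password_verify($plaintext, $storedHash);
}

// After a successful login, transparently upgrade hashes created with an older
// algorithm or a lower cost, since the plaintext is only available at that moment.
function maybeRehash(string $plaintext, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST])) {
        return storePassword($plaintext);
    }
    return null;
}

// Constructed demo values (not real credentials).
$stored = storePassword('correct horse battery staple');
echo 'stored hash: ', $stored, PHP_EOL;
echo 'right password accepted: ', var_export(checkPassword('correct horse battery staple', $stored), true), PHP_EOL;
echo 'wrong password rejected: ', var_export(!checkPassword('Tr0ub4dor&3', $stored), true), PHP_EOL;
// Two users with the same password still get different hashes because of the random salt.
echo 'same password, different hash: ', var_export($stored !== storePassword('correct horse battery staple'), true), PHP_EOL;
echo 'rehash needed: ', var_export(maybeRehash('correct horse battery staple', $stored) !== null, true), PHP_EOL;
```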

The "one time" in one time pad means that a given key is only used to encrypt a single plaintext. In other words, you have a separate pad for each item you need to encrypt. That's the thing that makes them unbreakable. Since those separate pads have to be stored somewhere, you are vulnerable. Instead, use a widely used and tested library (such as mcrypt) and encrypt your passwords using a salt.
