Hashing a password from user's password and nonce value

I'm working with some third party library (written in C#, its documentation is a bit poor...). Thing is, for one of its "Login" authentication functions I need to provide it with a hashed password.

I'm still a bit inexperienced on all this hashing thing, so maybe someone here can help me out?

Library documentation says: "generate the password hash, from the user's provided password and the Nonce value". This "nonce" value looks something like this: "Xi8SCdy7FarblZe61qP9ijginknhPe15" (32bit hash?)

But I have no clue about what kind of hashing algorithm should be used.

Does anyone have any suggestions or examples how this could be done in C# or C++/CLI? Thanks.

A nonce is a number that is used only once, in this case, for authentication. Say, if an attacker got the hashed password during authentication, he would still not need the original password, he could just use the hash and it would have the same effect, server-side. With a nonce, the hash is made using a value that generally would not be replicated for a different hash. You can find more info here: http://tyleregeto.com/article/a-guide-to-nonce

Generally, the server sends a nonce to the client, the client combines that nonce with the password and runs that through a hashing algorithm. Then the client sends the result to the server, who runs the same algorithm with the same nonce on the password it has stored and compares the results.

There are two questions I think: what to do with the nonce, and how to hash. The second one is the most important one, because I don't think anyone can answer it, apart from digging into the library.

The first part has several variations which are (at least I think) not all equally probable:

  1. concatenate password and nonce, and hash the result
  2. hash the password, hash the nonce, concatenate those
  3. hash the password, concatenate with nonce

I don't think that sending the password unhashed is a valid option. The 3rd option feels strange as well, because why not ask for them as separate entities? So I'd say option one and option two are the most likely, with number 1 the most likely because of the wording:

generate the password hash from .....

I admit that this won't help you much if the hash algorithm isn't known.
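The exchange described in the first answer (server issues a nonce, client hashes password and nonce, server recomputes from its stored password and compares) together with the three combination variants listed in the second answer, as an added example that is not part of the original thread and not the third-party library's code. The hash algorithm (SHA-256), the encoding (UTF-8) and the hex wire format are assumptions for illustration only; the library's actual choices still have to be confirmed from its source or vendor, since a different algorithm, encoding or ordering gives a different hash. Targets modern .NET (.NET 6 or later) for CryptographicOperations.FixedTimeEquals.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the library's code. Assumed: SHA-256, UTF-8, lowercase hex.
public enum NonceScheme
{
    HashOfPasswordPlusNonce,     // option 1: H(password || nonce)
    HashEachThenConcat,          // option 2: H(password) || H(nonce)
    HashPasswordThenAppendNonce  // option 3: H(password) || nonce
}

public static class NonceHash
{
    // Client side: combine password and nonce according to the chosen scheme.
    public static byte[] Compute(string password, string nonce, NonceScheme scheme)
    {
        byte[] p = Encoding.UTF8.GetBytes(password);
        byte[] n = Encoding.UTF8.GetBytes(nonce);
        return scheme switch
        {
            NonceScheme.HashOfPasswordPlusNonce => Sha256(Concat(p, n)),
            NonceScheme.HashEachThenConcat => Concat(Sha256(p), Sha256(n)),
            NonceScheme.HashPasswordThenAppendNonce => Concat(Sha256(p), n),
            _ => throw new ArgumentOutOfRangeException(nameof(scheme))
        };
    }

    public static string ToHex(byte[] bytes) =>
        BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();

    private static byte[] Sha256(byte[] data)
    {
        using var sha = SHA256.Create();
        return sha.ComputeHash(data);
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }
}

// Server side: issue a nonce, recompute the hash from the stored password and
// that nonce, compare in constant time, and retire the nonce so it is used once.
public sealed class NonceServer
{
    private readonly Dictionary<string, string> _passwords;  // user -> stored password
    private readonly HashSet<string> _outstandingNonces = new HashSet<string>();
    private readonly NonceScheme _scheme;

    public NonceServer(Dictionary<string, string> passwords, NonceScheme scheme)
    {
        _passwords = passwords;
        _scheme = scheme;
    }

    public string IssueNonce()
    {
        var buf = new byte[24];  // 24 random bytes -> 32 base64 characters
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        string nonce = Convert.ToBase64String(buf);
        _outstandingNonces.Add(nonce);
        return nonce;
    }

    public bool Verify(string user, string nonce, byte[] clientHash)
    {
        // Each nonce is accepted once: a replayed hash fails here even if it is correct.
        if (!_outstandingNonces.Remove(nonce)) return false;
        if (!_passwords.TryGetValue(user, out string stored)) return false;
        byte[] expected = NonceHash.Compute(stored, nonce, _scheme);
        return CryptographicOperations.FixedTimeEquals(expected, clientHash);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample credentials for the demo.
        var server = new NonceServer(
            new Dictionary<string, string> { ["alice"] = "correct horse battery staple" },
            NonceScheme.HashOfPasswordPlusNonce);

        string nonce = server.IssueNonce();  // server -> client
        byte[] hash = NonceHash.Compute("correct horse battery staple", nonce,
                                        NonceScheme.HashOfPasswordPlusNonce);  // client -> server
        Console.WriteLine($"nonce={nonce} hash={NonceHash.ToHex(hash)}");
        Console.WriteLine($"first login: {server.Verify("alice", nonce, hash)}");
        Console.WriteLine($"replayed:    {server.Verify("alice", nonce, hash)}");
    }
}
```

The second Verify call fails because the nonce was removed on first use, which is the property that makes a captured hash useless to an attacker. Note what each scheme requires the server to keep: with option 1 the server must hold the password itself (or something equivalent to it) to recompute H(password || nonce), whereas options 2 and 3 let it store only H(password), so the choice of scheme is also a choice about what a server-side database leak exposes.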
