PHP password_hash函数盐长21或22?
[英]PHP password_hash function salt length 21 or 22?
问题描述
Code: 
码:
echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-characters'] );
Result: 结果:
Warning: password_hash(): Provided salt is too short: 21 expecting 22
code: 码:
echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersA'] );
Result: 结果:
$2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX..YR7t/32
code: 码:
echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersB'] );
$2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX..YR7t/32
Question: 题:
As you see, by appending A and B to 21 character strings we created two different salts of 22 characters, but, the HASHES are same! 如您所见,通过将A和B附加到21个字符串,我们创建了两个不同的22个字符的盐,但是,HASHES是相同的! That is the 22nd character is ignored? 那是第22个字符被忽略了吗? If it is ignored then why does it ask for 22 character salt? 如果被忽略那么为什么要求22个字符盐?
2 个解决方案
解决方案1
2 已采纳 2014-10-10 10:54:42
BCrypt expects a salt of a given alphabet: ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz . BCrypt期望给定字母表的盐: ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz 。 As you can see the '-' is not in it and that's why your salt is invalid. 你可以看到' - '不在其中,这就是你的盐无效的原因。 A valid salt you could see plaintext in the hash-value. 一个有效的盐,你可以在哈希值中看到明文。
In most cases it is best to omit the salt parameter. 在大多数情况下,最好省略salt参数。 Without this parameter, the function will generate a cryptographically safe salt, from the random source of the operating system. 如果没有此参数,该函数将从操作系统的随机源生成加密安全盐。
password_hash("stackoverflow", PASSWORD_DEFAULT);
Nevertheless you are right, when you say that BCrypt does not use the full 22 characters. 不过你是对的,当你说BCrypt不使用完整的22个字符时。 It seems that BCrypt only uses 126 bits of the salt instead of the 128bits you get with 22 base64 encoded characters. 似乎BCrypt只使用126位盐,而不是使用22位base64编码字符获得的128位。 For more information you can have a look at this discussion Why does crypt/blowfish generate the same hash... . 有关更多信息,您可以查看此讨论为什么crypt / blowfish生成相同的哈希值....
解决方案2
0 2014-12-20 14:53:06
First, please don't provide your own salt. 首先, 请不要提供自己的盐。 You're not going to do a better job generating it than the library does. 你不会比图书馆做得更好。 And using static salts (like you did in the example) will compromise security. 使用静态盐(就像您在示例中所做的那样) 将危及安全性。 Just let it generate its own salt (incidentally, I believe letting a salt in is the biggest mistake I made in that API). 让它产生自己的盐(顺便说一句,我认为让盐进入是我在该API中犯的最大错误)。
As far as 21 vs 22 characters, give this answer a read. 至于21对22个字符,请给出这个答案 。
Basically, the salt is base64 encoded. 基本上,salt是base64编码的。 This means that every 6 bits of the salt is encoded into 8 bits. 这意味着盐的每6位被编码为8位。 So every byte of encoded salt is 6 bits. 所以编码盐的每个字节都是6位。
21 characters is 126 bits. 21个字符是126位。 That means that only part of the 22nd character is used (the first 2 decoded bits). 这意味着只使用了第22个字符的一部分(前2个解码位)。 The reason you get the same hash with A and B , is that the leading 2 bits are the same for both characters. 你得到与A和B相同的散列的原因是两个字符的前2位是相同的。
In fact, there are only 4 unique hashes for the 22nd byte. 实际上,第22个字节只有4个唯一的哈希值。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.