SHA512的功能为不同的输入返回相同的结果
[英]The Function of SHA512 returns the same result for different inputs
问题描述
I´m trying to implement a login screen where all your inputs get encrypted by SHA 512 and some minor tweaks to the function later (reversing the string, extending the length). 
我正在尝试实现一个登录屏幕,其中所有输入都由SHA 512加密,稍后对函数进行一些小调整(反转字符串,扩展长度)。 For my username the encryption works well but my passwords on the other hand gives me the same result, no matter what i type in. 对于我的用户名,加密效果很好但另一方面我的密码给了我相同的结果,无论我输入什么。
public static String password_encrypt(String input) {
try {
String password_ = input;
int iterations = 250000;
String salt = "salt";
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
char[] passwordChars = password_.toCharArray();
KeySpec spec = new PBEKeySpec(passwordChars, salt.getBytes(), iterations, 256);
SecretKey key = factory.generateSecret(spec);
byte[] passwordHash = key.getEncoded();
SecretKey secret = new SecretKeySpec(key.getEncoded(), "AES");
input = secret.toString();
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (InvalidKeySpecException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return input;
}
And then i check in an array if there is a place where i can put the information and i if there is one its getting stored there. 然后我检查一个数组,如果有一个地方,我可以把信息,我,如果有一个它存储在那里。
for (int i = 0; i < username.length; i++) {
System.out.println("username " + username[i]);
if (name.equals(username[i])) {
System.out.println("Dieser Username ist bereits vergeben!");
break;
}
if ("empty".equals(username[i]) || null == username[i]) {
username[i] = name;
stelle = i;
System.out.println("Username wurde vergeben");
break;
}
else if (name.equals(username[i])) {
System.out.println("1234");
}
}
for (int j = 0; j < password.length; j++) {
System.out.println("Passwort " + password[j]);
if ("empty".equals(password[j]) || null == password[j]) {
System.out.println("Passwort wurde vergeben");
password[j] = input_;
stelle_pw = j;
break;
}
else if (input.equals(password[j])) {
System.out.println("123");
}
}
The arrays username[] and password[] were filled with "empty" or null by my constructor. 数组username []和password []由我的构造函数填充为“empty”或null。
My major problem is: no matter what the input for the password is, i am getting the same key: javax.crypto.spec.SecretKeySpec@fffea4cc 我的主要问题是:无论输入密码是什么,我都得到相同的密钥:javax.crypto.spec.SecretKeySpec@fffea4cc
This gives me a big security leak if i just compare the strings to decide if its the right one... 如果我只是比较字符串以确定它是否正确,这给我带来了很大的安全漏洞......
Little Disclamer: Some functions or variables are made with _ because i am dyslexic. 小免责声明:一些函数或变量是用_做的,因为我是阅读障碍者。 Please dont butcher me for not using the name convention. 请不要因为我没有使用名称约定而请求我。 T Ť
1 个解决方案
解决方案1
0 已采纳 2019-04-18 11:21:01
There are several things wrong with the provided code, first of all it uses a static weak salt. 提供的代码有几个问题,首先它使用静态弱盐。 While there are better algorithms to protect a password than PBKDF2 (➽ Argon2, BCrypt, SCrypt), it can be used if implemented correctly. 虽然有比PBKDF2(➽Argon2,BCrypt,SCrypt)更好的保护密码的算法,但如果正确实施则可以使用它。 There I would like to recommend the well known library Defuse , which makes password hashing and verification a breeze, it can be included as single class file. 在那里,我想推荐一个众所周知的库Defuse ,它使密码哈希和验证变得轻而易举,它可以作为单个类文件包含在内。
BTW a hashed password cannot be reversed, hashing is not the same as encryption. BTW哈希密码不能反转,哈希与加密不一样。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.