如何正确散列密码
[英]How to properly hash a password
问题描述
I want to re-create the MyBB hashing process so I can use its database to authenticate users on a 3rd party app (written on C#).
我想重新创建 MyBB 散列过程,以便我可以使用它的数据库来验证 3rd 方应用程序(用 C# 编写)上的用户。
MyBB uses: MyBB 使用:
md5(md5($salt).password)
My problem is that the result I get on C# is nowhere similar to the one MyBB gets.我的问题是我在 C# 上得到的结果与 MyBB 得到的结果完全不同。
What I've done on C#:我在 C# 上做了什么:
public string HashPass(string password, string salt)
{
MD5 md5 = new MD5CryptoServiceProvider();
byte[] saltHash =md5.ComputeHash(System.Text.Encoding.ASCII.GetBytes(salt));
string passwordAndSalt = password + System.Text.Encoding.ASCII.GetString(saltHash);
byte[] finalHash = md5.ComputeHash(System.Text.Encoding.ASCII.GetBytes(passwordAndSalt));
string final = System.Text.Encoding.ASCII.GetString(finalHash);
return final;
}
The result I get from using that function for password "Test123" and salt "0fYR6mEE" (gathered from MyBB db) is: "??R?????s??"我使用该函数作为密码“Test123”和盐“0fYR6mEE”(从 MyBB db 收集)得到的结果是:“??R?????s??” while the actual result should look like "VaHffsyzJeEa4dB3bbMWeUlJObAfN5I9rf1CuNRXCa6xPJTzXL".而实际结果应该类似于“VaHffsyzJeEa4dB3bbMWeUlJObAfN5I9rf1CuNRXCa6xPJTzXL”。
Most likely I'm missing something obvious, sorry about that.很可能我遗漏了一些明显的东西,对此感到抱歉。
1 个解决方案
解决方案1
0 2019-04-16 20:35:10
There are unknowns here.这里有未知数。 Which encoding does MyBB use to the password bytes? MyBB 对密码字节使用哪种编码? It could be ASCII, ANSI, or UTF8 or it could get the string bytes directly, ie, without encoding.它可以是 ASCII、ANSI 或 UTF8,也可以直接获取字符串字节,即无需编码。 So I will write it partly as pseudo code所以我会把它部分写成伪代码
byte[] passwordBytes = GetBytes(password); // Where you have to define GetBytes
byte[] saltBytes = System.Convert.FromBase64String(salt); // Assuming it is given as base64
// Merge the password bytes and the salt bytes
var mergedBytes = new byte[passwordBytes.Length + saltBytes.Length];
Array.Copy(passwordBytes, mergedBytes, passwordBytes.Length);
Array.Copy(saltBytes, 0, mergedBytes, passwordBytes.Length, saltBytes.Length);
var md5 = new MD5CryptoServiceProvider();
byte[] finalHash = md5.ComputeHash(mergedBytes);
string final = System.Convert.ToBase64String(finalHash);
Note that I'm merging the password bytes and the salt bytes, not the password string and the salt string.请注意,我正在合并密码字节和盐字节,而不是密码字符串和盐字符串。 Then the MD5 it taken only once from these merged bytes.然后它只从这些合并的字节中取出一次 MD5。
But I'm not sure what md5(md5($salt).password) does.但我不确定md5(md5($salt).password)是做什么的。 Is md5() returning the the hash as base64 string already? md5()是否已经将哈希作为 base64 字符串返回? Maybe you would have to convert the salt from base64 to bytes[] , then get the MD% hash, convert it into a base64 string and then concatenate it with the password string.也许您必须将盐从 base64 转换为bytes[] ,然后获取 MD% 哈希,将其转换为 base64 字符串,然后将其与密码字符串连接。 Then get the bytes from this combined string, do the hash again and convert the result to a base64 string again.然后从这个组合字符串中获取字节,再次进行散列并将结果再次转换为 base64 字符串。
You would have to dig deeper into the source code of MyBB to be sure.您必须深入挖掘 MyBB 的源代码才能确定。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.