堆栈内存溢出
  简体   繁体   English

SHA256 是否被认为不安全?- SonarQube 质量门 - 我该如何解决?

[英]Is SHA256 considered insecure?- SonarQube Quality Gate - How can I fix it?

 原文  2020-07-15 10:57:54       c#/ security/ cryptography/ sonarqube/ md5

问题描述

I have below piece of code我有下面的代码

        private static string sensitiveKey = "<REPLACE_WITH_KEY>"  

        public static string Encrypt(string input)
        {
            // Get the bytes of the string
            byte[] passwordBytes = Encoding.UTF8.GetBytes(sensitiveKey);
            // Hash the password with SHA256
            passwordBytes = SHA256.Create().ComputeHash(passwordBytes);
            byte[] bytesEncrypted = EncryptStringToBytes_Aes(input, passwordBytes);
            string result = Convert.ToBase64String(bytesEncrypted);
            return result;
        }

SonarQube says SonarQube 说

Cryptographic hash functions are used to uniquely identify information without storing their original form.加密 hash 函数用于唯一标识信息而不存储其原始形式。 When not done properly, an attacker can steal the original information by guessing it (ex: with a rainbow table), or replace the original data with another one having the same hash.如果做得不好,攻击者可以通过猜测来窃取原始信息(例如:使用彩虹表),或者用另一个具有相同 hash 的数据替换原始数据。

Also

use only hashing algorithms which are currently known to be strong.仅使用目前已知的强大的散列算法。 Avoid using algorithms like MD5 and SHA1 completely in security contexts.避免在安全上下文中完全使用MD5SHA1等算法。

So question is, How can I improve my code so that it can be secure?所以问题是,我怎样才能改进我的代码以使其安全?

Any samples out thr?有样品吗?

1 个解决方案

解决方案1
 2  2020-07-20 09:21:15

You could try adding a salt to the hashed password since unsalted hashes tend to be more vulnerable to dictionary and rainbow table attacks.您可以尝试在散列密码中添加盐,因为未加盐的散列往往更容易受到字典和彩虹表攻击。

hash("hello") =
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

hash("hello" + "QxLUF1bgIAdeQX") = 
9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1

hash("hello" + "bv5PehSMfV11Cd") = 
d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab

The code above is an example of how salting usually works.上面的代码是加盐通常如何工作的示例。 You concatenate a fixed string to the password and then hash the result.您将固定字符串连接到密码,然后 hash 结果。 The salt should be of fixed length and should never be reused .盐应该是固定长度的,并且永远不应该被重复使用 This is how it could look like in your case:这就是您的情况:

        private static string salt = "<REPLACE_WITH_FIXED_LENGTH_SALT>";
        private static string sensitiveKey = "<REPLACE_WITH_KEY>";  
        private static string salted_key = salt + sensitiveKey;

        public static string Encrypt(string input)
        {
            // Get the bytes of the string
            byte[] passwordBytes = Encoding.UTF8.GetBytes(salted_key);
            // Hash the password with SHA256
            passwordBytes = SHA256.Create().ComputeHash(passwordBytes);
            byte[] bytesEncrypted = EncryptStringToBytes_Aes(input, passwordBytes);
            string result = Convert.ToBase64String(bytesEncrypted);
            return result;
        }

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 为什么我不能使用 SHA256 创建 jwt 令牌? - Why can't I create a jwt token with SHA256? 如何(正确)使用RSA和SHA256与.NET验证文件? - How can I (properly) verify a file using RSA and SHA256 with .NET? 如何通过 .NET 使用 RSA 和 SHA256 对文件进行签名? - How can I sign a file using RSA and SHA256 with .NET? 如何在经典ASP和ASP.NET之间匹配SHA256 - How can I Match SHA256 between classic asp and asp.net 如何指定计算SHA256哈希的密钥? - How do I specify the key for computing a SHA256 hash? 如何使用 Salt 创建 SHA256 哈希? - How do I create a SHA256 Hash with Salt? 如何正确创建SHA256哈希? - How to properly create a SHA256 Hash? sha256:如何使用算法作为输入 - sha256 : How to use the algorithm as input 如何获得SHA256证书指纹? - How to get SHA256 certificate thumbprint? 如何使用Dart sha256和C#sha256获得相同的结果? - How to get same result with Dart sha256 and C# sha256?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM