C#哈希密码创建盐问题
[英]C# hash password create salt question
问题描述
If I create salt by using something like this: 
如果我通过使用类似这样的方法来创建盐:
public class User
{
private const int Hash_Salt_Length = 8;
private byte[] saltBytes = new byte[Hash_Salt_Length];
public User()
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetNonZeroBytes(saltBytes);
}
....
}
The saltBytes bytes array will be different for each session (restart the application). 每个会话的saltBytes字节数组将有所不同(重新启动应用程序)。 How can I check password to allow user login our application? 如何检查密码以允许用户登录我们的应用程序?
3 个解决方案
解决方案1
8 已采纳 2010-06-11 19:03:52
You need to store the salt in the database, along with the password hash. 您需要将盐以及密码哈希存储在数据库中。
Note that you shouldn't be calling GetNonZeroBytes , as that provides less randomness. 请注意,您不应调用GetNonZeroBytes ,因为它提供的随机性较小。
解决方案2
3 2010-06-11 19:05:05
如果每次重新启动应用程序时盐值都发生变化,则必须将其存储在数据库中(在用户记录中)。
解决方案3
1 2010-06-11 19:39:11
The salt is a static thing that you generate when you create you user record, and you store it along with the user ID and the hash of the password + salt. salt是在创建用户记录时生成的静态内容,并将其与用户ID和密码+ salt的哈希一起存储。
When the user tries to logon, you use the ID to lookup the salt, combine that with their password, hash it and compare to the stored hash. 当用户尝试登录时,您可以使用ID查找盐,将盐与他们的密码结合起来,对其进行哈希处理并与存储的哈希进行比较。 If they match, they're in. 如果他们匹配,他们就进来了。
The salt exists so that an attacker with access to your security database cannot pre-prepare a database of password -> hash mappings, and then perform simple reverse lookups to try to determine passwords. 这种盐的存在是为了使有权访问您的安全数据库的攻击者无法预先准备密码->哈希映射的数据库,然后执行简单的反向查找来尝试确定密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.