堆栈内存溢出
  简体   繁体   English

如何在 PHP 中安全地生成 SSHA256 或 SSHA512 哈希?

[英]How to securely generate SSHA256 or SSHA512 hashes in PHP?

 原文  2011-07-15 21:48:38       php/ hash/ cryptography/ ssha

问题描述

I am working on a web administration module for mailservers (it's open source if you'd like to take a look).我正在为邮件服务器开发一个 web 管理模块(如果你想看看它是开源的)。

For that, I need to be able to generate hashed password that is readable by Dovecot .为此,我需要能够生成Dovecot可读的散列密码。 As described on their wiki , their recommended password hashing scheme is SSHA256 (the extra S is for salted).他们的 wiki 所述,他们推荐的密码散列方案是 SSHA256(额外的 S 用于盐渍)。

It's also explained that this could be reasonably simple to implement with something like this PHP code:还解释说,使用类似 PHP 代码的代码可以相当简单地实现:

$salt = 'generate_a_salt_somehow';
$hash = hash('sha256', $password . $salt);

However, from what I've read about cryptography, that is a rather naíve way to generate salted hashes, but if you're doing it wrong when typing AES in your source code , I figured the same could be true in this case.然而,从我读过的关于密码学的内容来看,这是一种生成加盐哈希的相当幼稚的方法,但如果你在源代码中输入 AES时做错了,我认为在这种情况下也是如此。

So if you have insight into cryptography, I'd love to hear about the most secure way to do this, be it mcrypt, mhash or whatever.因此,如果您对密码学有深入了解,我很想听听最安全的方法,无论是 mcrypt、mhash 还是其他任何方法。

2 个解决方案

解决方案1
 8 已采纳  2011-07-15 21:58:30

The Dovecot wiki page you linked to explains what the exact hash format Dovecot uses is.您链接到的 Dovecot wiki 页面解释了 Dovecot 使用的确切 hash 格式是什么。 You don't have any choice in the matter -- Dovecot has its expectations on what the hash will look like, so you have to play by its rules:在这件事上你别无选择——Dovecot 对 hash 的外观有它的期望,所以你必须遵守它的规则:

For most of the salted password schemes (SMD5, SSHA*) the salt is stored after the password hash and its length can vary.对于大多数加盐密码方案(SMD5、SSHA*),盐存储在密码 hash 之后,其长度可以变化。 When hashing the password, append the salt after the plaintext password, eg: SSHA256(pass, salt) = SHA256(pass + salt) + salt.对密码进行哈希处理时,append 是明文密码后的盐,例如:SSHA256(pass, salt) = SHA256(pass + salt) + salt。

So an appropriate password generation function in PHP might look like:因此,PHP 中的适当密码生成 function 可能如下所示:

$hash = "{SSHA256}" . base64_encode(hash('sha256', $password . $salt) . $salt);

解决方案2
 7  2015-03-29 21:47:33

Password generation function in PHP: PHP 中的密码生成 function:

$hash = "{SSHA256}".base64_encode(hash('sha256', $password.$salt, true).$salt);

Necessarily "true" - the third parameter...必然是“真”——第三个参数……

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 针对PHP中的SSHA256哈希验证密码 - Validate a password against an SSHA256 hash in PHP PHP中的OpenLDAP Unsalt SSHA userPassword - OpenLDAP Unsalt SSHA userPassword in PHP PHP中的AES-256和安全地存储密钥? - AES-256 in PHP and securely storing keys? SHA512哈希在Android,PHP和JavaScript上有所不同 - SHA512 hashes differ on android, php and javascript 如何安全地存储哈希? - How do I securely store hashes? 如何使用PHP为Dovecot生成盐腌的SHA-512密码哈希 - How to generate a salted SHA-512 password hash for Dovecot with PHP JS和PHP如何安全生成相同的私钥? - How can I securely generate the same private key in JS and PHP? 在PHP中为AES 256生成密钥 - Generate a key in PHP for AES 256 SHA512在PHP中生成随机数 - SHA512 to generate random numbers in PHP PHP:如何生成字符串的 HmacSHA256 签名 - PHP: How can I generate a HmacSHA256 signature of a string
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM