简体繁体 English

使用 SHA-512 和 salt 到 hash MD5 散列密码？

[英]Use SHA-512 and salt to hash an MD5 hashed password?

原文 2012-04-05 12:09:05 2 4 java/ security/ hash/ sha

I am working on a system that has been hashing user passwords with MD5 (no salt).我正在开发一个使用 MD5（无盐）散列用户密码的系统。 I want to store the passwords more securely using SHA-512 and a salt.我想使用 SHA-512 和盐更安全地存储密码。

While this is easy enough to implement for future passwords, I'd like to also retrofit the existing MD5 hashed passwords, preferably without forcing all the users to change their passwords.虽然这对于未来的密码来说很容易实现，但我还想 retrofit 现有的 MD5 散列密码，最好不要强迫所有用户更改他们的密码。 My idea is to just use SHA-512 and and an appropriate salt to hash the existing MD5 hash. I can either then set some flag in the database that indicates which passwords were hashed from plain text, and which ones were hashed from an MD5 hash. Or I could just try both when authenticating users.我的想法是只使用 SHA-512 和适当的 salt 到 hash 现有的 MD5 hash。然后我可以在数据库中设置一些标志，指示哪些密码是从纯文本散列的，哪些是从 MD5 hash 散列的. 或者我可以在对用户进行身份验证时尝试两者。 Or even just hash new passwords with MD5 and then SHA-512/salt, so they can be treated the same as old passwords.或者甚至只是 hash 个新密码，先是 MD5，然后是 SHA-512/salt，因此它们可以像旧密码一样对待。

Programmatically, I don't think this will be a problem, but I don't know enough about encryption/hashing to know if I'm compromising the quality of the hash in any way by applying a SHA-512/salt hash to a password that was already MD5 hashed.在编程上，我不认为这会是一个问题，但我对加密/散列的了解还不够多，不知道我是否以任何方式通过将 SHA-512/salt hash 应用于已经过 MD5 散列的密码。 My first instinct is that if anything, it would be even stronger, a very light key stretching.我的第一直觉是，如果有的话，它会更强大，一个非常轻的键拉伸。

My second instinct is that I don't really know what I'm talking about, so I'd better get advice.我的第二个直觉是我真的不知道我在说什么，所以我最好寻求建议。 Any thoughts?有什么想法吗？

4 个解决方案

Function composition with cryptographic primitives is dangerous and should not be done if avoidable. Function 与密码原语的组合是危险的，如果可以避免则不应这样做。 The common solution for your type of problem is to keep both hashes for a migration period, using the new hash where possible and transparently upgrading old passwords (when you check a password and it matches, rehash it with the new algorithm and store it)针对您的问题类型的常见解决方案是在迁移期间保留两个哈希值，尽可能使用新的 hash 并透明地升级旧密码（当您检查密码并且它匹配时，使用新算法重新哈希并存储它）

This won't work if you have a challenge-response based scheme where you don't get to see the plaintext password, but since you seem to have a stored salt that does not change, I assume your application does the hashing.如果您有一个基于质询-响应的方案，您看不到明文密码，那么这将不起作用，但由于您似乎有一个不会改变的存储盐，我假设您的应用程序会进行哈希处理。

If you hash with MD5 first, you will only have the spread of MD5 (128 bit).如果你 hash 先用 MD5，你将只有 MD5（128 位）的传播。 A large fraction of the space of SHA512 will not be covered by your passwords. SHA512 的很大一部分空间不会被您的密码覆盖。 So you don't take advantage of SHA512, but it won't be worse than MD5.所以你不用SHA512，但也不会比MD5差。

You have the benefit that if someone obtains the SHA512 hash and doesn't know the salt (this you have to enforce somehow) can't look up the hashes and get the passwords -- something that would be possible with the MD5 database you have now.您的好处是，如果有人获得 SHA512 hash 并且不知道盐（您必须以某种方式强制执行）无法查找哈希并获取密码 - 您拥有的 MD5 数据库可能会这样做现在。

So yes, you can just rehash the existing MD5 passwords.所以是的，您可以重新散列现有的 MD5 密码。 But as explained in the first paragraph, it would be a bad idea to apply MD5 to all new passwords as well and then hash them as SH512.但正如第一段中所解释的，将 MD5 也应用于所有新密码然后将它们作为 SH512 hash 应用是一个坏主意。 A easy implementation would be to have a boolean 'salted' field in the database next to the hashes (but don't put the salt there).一个简单的实现是在哈希旁边的数据库中有一个 boolean 的“salted”字段（但不要把盐放在那里）。

Trust your second instinct.相信你的第二直觉。 Use an existing library made especially for hashing passwords instead of trying to cook up your own.使用专门为散列密码制作的现有库，而不是尝试自己编写。

Probably hash your new passwords with MD5 and then hash the MD5 with your password hashing library.可能 hash 使用 MD5 的新密码，然后 hash 使用密码哈希库的 MD5。 That way, you can maintain backwards compatibility with your old passwords.这样，您就可以保持与旧密码的向后兼容性。

Ie password_hash(All old, md5'd passwords) and password_hash( md5(New passwords) )即 password_hash（所有旧的 md5 密码）和 password_hash（md5（新密码））

(Warning: I'm not a cryptography expert) （警告：我不是密码学专家）

http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html

If you look at how most Bank and high security people does there password changing.如果你看看大多数银行和高安全人员如何更改密码。 Most of them basically ask people who is using the old encryption method to create a new password.他们中的大多数基本上要求使用旧加密方法的人创建新密码。 I think you first solution of placing a flag on all existing old MD5 password users, and notify them they need to create new password and slowly migrate them to the new system.我认为您的第一个解决方案是在所有现有的旧 MD5 密码用户上放置一个标志，并通知他们需要创建新密码并慢慢将他们迁移到新系统。 That way when you trouble shoot the system if anything goes wrong you won't be asking is this a new user or an old one.这样，当您在出现任何问题时对系统进行故障排除时，您不会问这是新用户还是旧用户。 Are we double hashing or single?我们是双散列还是单散列？ Should never compare two hash as a possible answer because what if MD5('abc') => 123, SHA('NO') => 123, that means someone could have typed in the wrong password but still gets in.永远不要将两个 hash 作为可能的答案进行比较，因为如果 MD5('abc') => 123，SHA('NO') => 123，这意味着有人可能输入了错误的密码但仍然可以进入。