Question
I've worked with a number of different hashing algorithms in the past and I was under the impression that they were all deterministic.
I just switched some of my code to use BCrypt.Net and I have to admit I was completely stumped when all of my comparison tests failed.
After looking for errors in my test for an embarrassing amount of time I realized that my assumption that the hashes are deterministic was completely incorrect. There is a verify method which works and it was easy enough to fix the code but I'd like to understand what is going on a little bit better.
Is it salting the values internally or is something else going on?
- Please note I am salting this in my real code - this is just a test
Answer 1:
> Is it salting the values internally
Yep. bcrypt is more than a raw hash function, it includes the salt and a few other bits to allow the hash to be validated without extra input:
$2a$12$q6r.MpvzPrUszrWLgaRdlOs04kPcjk0syCDelrzES9O8.UNlHON.u
 ^^ ^^ ^^^^^^^^^^^^^^^^^^^^^^
 |  |  \- salt
 |  \---- work factor
 \------- format
The API you're using doesn't expose it as you don't generally need to manipulate the salt, but it's there and you don't need to add your own.
Source: https://stackoverflow.com/questions/32918460/why-is-the-hash-generated-by-bcrypt-non-deterministic
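The behaviour described in the answer, as an added example that is not part of the original post: two hashes of one password differ, both verify, and re-hashing with the settings embedded in a stored hash reproduces it exactly. It uses BCrypt.Net's `HashPassword`, `Verify` and `HashPassword(input, salt)`; the passwords are constructed sample values, and the 29-character settings length assumes a two-digit work factor.

```csharp
using System;
using BC = BCrypt.Net.BCrypt;

static class BcryptSaltDemo
{
    // "$2a$" (4 chars) + two-digit work factor + "$" (3 chars) + 22 salt chars = 29.
    const int SettingsLength = 29;

    static void Main()
    {
        // Constructed sample value, made up for this demo.
        const string password = "constructed-test-password";

        // Each call draws a fresh random salt, so the two strings differ.
        string first = BC.HashPassword(password, 12);
        string second = BC.HashPassword(password, 12);
        Require(first != second, "same password, different salts, different hashes");

        // Verify reads format, work factor and salt back out of the stored hash,
        // so tests should compare with Verify rather than string equality.
        Require(BC.Verify(password, first), "first hash verifies");
        Require(BC.Verify(password, second), "second hash verifies");
        Require(!BC.Verify("wrong-password", first), "wrong password is rejected");

        // Split the stored hash into the fields shown in the diagram:
        // parts[1] = format, parts[2] = work factor, parts[3] = salt + digest.
        string[] parts = first.Split('$');
        string salt = parts[3].Substring(0, 22);
        Console.WriteLine($"format={parts[1]} workFactor={parts[2]} salt={salt}");

        // With the salt and work factor fixed, bcrypt is deterministic.
        string settings = first.Substring(0, SettingsLength);
        string rehashed = BC.HashPassword(password, settings);
        Require(rehashed == first, "same salt and work factor reproduce the hash");
    }

    // Throws if a check fails, otherwise logs it.
    static void Require(bool condition, string what)
    {
        if (!condition) throw new InvalidOperationException("check failed: " + what);
        Console.WriteLine("ok: " + what);
    }
}
```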