Bycript/Blowfish and Salts with existing auth system

可紊 提交于 2020-01-17 03:40:48

问题


I'm trying to transition to Blowfish for an authentication system. Bear with me, I'm not a cryptographer and my understanding of Blowfish is not quite there yet.

The current setup uses sha1 and salts. The salts are generated for each user and stored in the database. It boils down to this:

$salt = $this->getSalt($username);
$hash = sha1($password . $salt);
if ($hash == $hashInDB)
{
     // user is authenticated, set session id etc ...
}

The getSalt() method gets the salt stored in the database for the specified user.

Now if I understand everything correctly, with crypt I should be doing:

$salt = '$2a$07$' . $this->getSalt($username) . '$';
$hash = crypt($password, $salt);

if ($hash == crypt($password, $saltInDB))
{
     // The user is authenticated, set session id etc..
}

To clarify, for the second example the $saltInDB variable, is a value like `'$2a$07$arandomsaltcreatedatregistration$'.

  • Am I doing it right?

回答1:


Your example is almost correct.

When you create a hash with the crypt() function, you will see that the used parameters (algorithm, cost and salt) are part of the generated hash (the begin of the hash):

$2a$07$LCzy1mE0b9lS8Uyx9HEeUgHm8zH1iDDZ5...

That means, you can replace $saltInDB with $hashInDB, the crypt() function will extract the needed parameters automatically from $hashInDB. This also answers your question about storing the salt, just store the hash value in the database, the salt is included there. And yes you should generate a new salt for each password.

The '$' after the salt is not needed.

More information about how to generate a bcrypt-hash you can find here, if you are looking for a well established library, i can recommend phpass.



来源:https://stackoverflow.com/questions/11548248/bycript-blowfish-and-salts-with-existing-auth-system

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!