c# – 哈希算法SHA256,我的方法安全吗?如何添加salt值以提高安全性

我对密码学很陌生,想要了解哈希算法.

我有以下来源创建一个密码的哈希版本,可以存储在我的数据库中.

    public static string hashPasswordGenerator(string password)
    {
        System.Security.Cryptography.SHA256Managed crypt = new System.Security.Cryptography.SHA256Managed();
        StringBuilder hash = new StringBuilder();
        byte[] cry = crypt.ComputeHash(Encoding.UTF8.GetBytes(password), 0, Encoding.UTF8.GetByteCount(password));
        return Convert.ToBase64String(cry);
    }

我的示例用户是User1,密码为Password1,返回散列版本的GVE / 3J2k 3KkoF62aRdUjTyQ / 5TVQZ4fI2PuqJ3 4d0 =

我的问题是:

  1. Is this secure?
  2. Should I add a salt to this? If so can someone show
    me a simple example as I do not really understand how the salt it
    generated so that it will match the password every time?
  3. If someone has this hashPasswordGenerator method could they reverse engineer my password?

提前致谢.

解决方法:

Is this secure?

如果你只是在没有盐的情况下使用SHA2,那不是真的. (不是说SHA2可以很容易地反转)

Should I add a salt to this?

是.

If so can someone show me a simple example

使用RNGCryptoServiceProvider

RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider();
var salt = new byte[32];
rngCsp.GetBytes(salt); // this will fill the buffer with random values

as I do not really understand how the salt it generated so that it will match the password every time

您必须保存盐(每个密码必须是唯一的)以及散列(密码盐).

If someone has this hashPasswordGenerator method could they reverse engineer my password?

是的,如果它是字典密码,如果你不使用盐.否则(在可预见的将来),因为哈希应该很难逆转.

BTW而不是试图重新发明*你应该考虑使用PBKDF2来进行密码散列需求,因为它有一个可以减缓强力攻击(迭代次数)的工作因素.

上一篇:Go和PHP中的SHA256给出了不同的结果


下一篇:windows10下使用certutil工具对下载文件进行SHA1、MD5、SHA256校验