salt

问题 I was wondering - is there any disadvantages in using the hash of something as a salt of itself? E.g. hashAlgorithm(data + hashAlgorithm(data)) This prevents the usage of lookup tables, and does not require the storage of a salt in the database. If the attacker does not have access to the source code, he would not be able to obtain the algorithm, which would make brute-forcing significantly harder. Thoughts? (I have a gut feeling that this is bad - but I wanted to check if it really is, and

问题 I'm trying to create a custom membership system in ASP.NET MVC3 . I know there are many free and open source providers, but I'm doing this to learn more. My question is about encrypting passwords. Which algorithm do you suggest I use: SHA1 , SHA256 , MD5 , BCrypt , or something else? Also, which way do you suggest to create a password salt? 回答1: BCrypt if you need really strong hash. As far as generating the salt is concerned, you could use the RNGCryptoServiceProvider class. Here's an

问题 Excuse me for this very odd question. I understand the purpose of base64 encoding for transmitting data (i.e. MIME's Base64 encoding), but I don't know if I need to base64 encode my salts. I wrote an utility class (a base abstract class indeed): use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder; abstract class AbstractCryptPasswordEncoder extends BasePasswordEncoder { /** * @return string */ protected abstract function getSaltPrefix(); /** * @return string */ protected abstract

问题 For authentification with Dovecot, I use SSHA256 hashes but I have no clue how to validate a given password against the existing hash. The following PHP functions (found them in the web) are used to create the SSHA256 hash: function ssha256($pw) { $salt = make_salt(); return "{SSHA256}" . base64_encode( hash('sha256', $pw . $salt, true ) . $salt ); } function make_salt() { $len = 4; $bytes = array(); for ($i = 0; $i < $len; $i++ ) { $bytes[] = rand(1,255); } $salt_str = ''; foreach ($bytes as

问题 For authentification with Dovecot, I use SSHA256 hashes but I have no clue how to validate a given password against the existing hash. The following PHP functions (found them in the web) are used to create the SSHA256 hash: function ssha256($pw) { $salt = make_salt(); return "{SSHA256}" . base64_encode( hash('sha256', $pw . $salt, true ) . $salt ); } function make_salt() { $len = 4; $bytes = array(); for ($i = 0; $i < $len; $i++ ) { $bytes[] = rand(1,255); } $salt_str = ''; foreach ($bytes as

问题 I was here yesterday and got some really great answers. I took what I got and put together, what I think will be a fairly secure algorithm. I'm having a problem using blowfish with a for loop that generates the salt. I'm using base64 characters and a for loop to get a random string. I want to take this generated string and insert it into the crypt function as the salt. Because the documentation about blowfish is so sparse and the PHP docs don't really even mention it, I'm sort of stabbing in

问题 I want to use PasswordDeriveBytes(RSA PBKDF1) of .NET 2.0 within iPhone. How could i achieve the same exact implementation? Are there any methods or libraries for it? I especially want it for using a salt. Thanks 回答1: Since MS implementation is not totally following the PKCS#5 specification the easiest way would be to convert Mono (C#) source code into Objective C. That will get you very close to MS implementation (everything except a very bad bug :-). In any case I suggest you stick to the

问题 I want to use PasswordDeriveBytes(RSA PBKDF1) of .NET 2.0 within iPhone. How could i achieve the same exact implementation? Are there any methods or libraries for it? I especially want it for using a salt. Thanks 回答1: Since MS implementation is not totally following the PKCS#5 specification the easiest way would be to convert Mono (C#) source code into Objective C. That will get you very close to MS implementation (everything except a very bad bug :-). In any case I suggest you stick to the

问题 I'm completely new to cryptography, but learning. I've pieced together many different suggestions from my research online, and have made my own class for handling the hash, salt, key stretching, and comparison/conversion of associated data. After researching the built-in .NET library for cryptography, I discovered that what I have is still only SHA-1. But I'm coming to the conclusion that it's not bad since I'm using multiple iterations of the hash process. Is that correct? But if I wanted to

问题 My understanding is that a salt is not intended to be secret, it is merely intended to be different from any centralized standard so that you can't develop a rainbow table or similar attack to break all hashes that use the algorithm, since the salt breaks the rainbow table. My understanding here might not be completely correct, so correct me if I'm wrong. In a widely-used piece of open-source software, the salt would be widely known, and this opens you up to attacks because now they can