Question
I am trying to learn to use PBKDF2 hash functions for storing passwords in the database. I have a rough draft of the procedure that I'll be using to generate the hashed function. But while I am creating the table in PL/SQL Developer which will hold the generated hashed password, what should I declare the data type for the encrypted password variable?
It might be a lame question, but I'm trying to learn online. It would be a huge help if I can get links for further study as well. Thank you. Please help.
Answer 1:
The first link, as always, is Thomas Pornin's canonical answer to How to securely hash passwords.
Storage in the database

- The hash can be stored in BINARY format for the least transformations and smallest number of bytes; see below for sizes.
- Alternately, store it in a CHAR after converting to hex, which costs a transformation and double the bytes of the BINARY size.
- Alternatively, store it in a CHAR after converting to Base64, which costs a transformation and 4/3rds the number of bytes of the BINARY size plus padding.

i.e. PBKDF2-HMAC-SHA-512 where all 64 bytes of output are used would be:
    BINARY(64) as binary
    CHAR(128) as hex
    CHAR(88) as Base64

- The number of iterations should be stored in an INT, so it can be trivially increased later.
- The salt, which must be a per-user, cryptographically random value, can be stored in a BINARY format for the smallest number of bytes, and should be at least 12, and preferably 16-24 bytes long.

i.e. for a 16 byte binary salt:
    BINARY(16) as binary
    CHAR(32) as hex
    CHAR(24) as Base64

- Optionally, a password hash algorithm version as a small INT type, i.e. 1 for PBKDF2-HMAC-SHA-512, and then later if you change to BCrypt, 2 for BCrypt, etc.
Normal PBKDF2 considerations

- Consider using PBKDF2-HMAC-SHA-512, as SHA-512 in particular has 64-bit operations that reduce the advantage most GPU based attackers have over you as of early 2016.
- Use a high number (hundreds of thousands or high tens of thousands) of iterations.
- Don't ask for a larger number of PBKDF2 output bytes than the native hash function supports:
    SHA-512 <= 64 bytes
    SHA-384 <= 48 bytes
    SHA-256 <= 32 bytes
    SHA-224 <= 28 bytes
    MD5 <= 20 bytes
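The storage layout the answer describes (BINARY hash and salt, INT iterations, INT algorithm version), with the three encodings and their sizes, as an added example that is not part of the original answer. It uses an in-memory sqlite3 table as a stand-in for the real database (sqlite's BLOB/INTEGER play the role of BINARY/INT), and the iteration count, column names and sample user are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

ALGO_VERSION = 1      # 1 = PBKDF2-HMAC-SHA-512, per the answer's versioning idea
ITERATIONS = 200_000  # assumed value in the "hundreds of thousands" range
SALT_BYTES = 16       # within the recommended 16-24 bytes
HASH_BYTES = 64       # the full native SHA-512 output, never more

# Assumed table layout; in sqlite BLOB stands in for BINARY(64)/BINARY(16).
SCHEMA = """
CREATE TABLE users (
    username   TEXT PRIMARY KEY,
    pw_hash    BLOB    NOT NULL,   -- BINARY(64) in the answer
    pw_salt    BLOB    NOT NULL,   -- BINARY(16) in the answer
    iterations INTEGER NOT NULL,   -- INT, so it can be raised later
    algo_ver   INTEGER NOT NULL    -- small INT algorithm version
)"""


def storage_sizes(raw: bytes) -> dict:
    """Lengths of the three storage forms (binary, hex, Base64) of a raw value."""
    return {"binary": len(raw), "hex": len(raw.hex()),
            "base64": len(base64.b64encode(raw))}


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA-512 with the full 64-byte output."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iterations, dklen=HASH_BYTES)


def create_user(conn, username: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)  # per-user, cryptographically random
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                 (username, derive(password, salt, ITERATIONS), salt,
                  ITERATIONS, ALGO_VERSION))


def verify(conn, username: str, password: str) -> bool:
    row = conn.execute("SELECT pw_hash, pw_salt, iterations, algo_ver "
                       "FROM users WHERE username = ?", (username,)).fetchone()
    if row is None or row[3] != ALGO_VERSION:
        return False  # unknown user, or a version this code does not handle
    stored, salt, iters, _ = row
    # Constant-time comparison of the recomputed hash against the stored one
    return hmac.compare_digest(derive(password, bytes(salt), iters), bytes(stored))


def demo() -> tuple:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    create_user(conn, "alice", "correct horse")  # constructed sample user
    return verify(conn, "alice", "correct horse"), verify(conn, "alice", "wrong")
```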
Source: https://stackoverflow.com/questions/35455779/what-should-be-the-data-type-for-the-hashed-value-of-a-password-encrypted-using