Is there a way to check PHP-created bcrypt hashes with Spring Security?
Context
I am working with a PHP system that uses the updated bcrypt algorithm (because of a known vulnerability in the underlying algorithm). PHP's password_hash function therefore now generates hashes prefixed with $2y$, because the old ones (prefixed with $2a$) are vulnerable.
The Spring Security BCrypt that I use in another Java system generates the original $2a$ format hashes, as its underlying implementation (jBCrypt instead of C BCrypt as ) is not vulnerable to the same attack.
Question
Checking PHP-generated hashes in Spring Security does not work. Is there a way to check PHP-generated hashes with Spring Security?
Example
php > $pwd = password_hash('foo', PASSWORD_BCRYPT, ['cost' => 12]);
php > echo $pwd;
$2y$12$TRc5ZjcmDJ8oFaoR1g7LD.RCxBTUZnGXB66EN9h9rKtNWg.hd7ExK
Then with Java + Spring Security:
import static org.assertj.core.api.Assertions.assertThat;
import org.junit.Test;
import org.springframework.security.crypto.bcrypt.BCrypt;

@Test
public void decryptsPhpHash() {
    boolean result = BCrypt.checkpw("foo", "$2y$12$TRc5ZjcmDJ8oFaoR1g7LD.RCxBTUZnGXB66EN9h9rKtNWg.hd7ExK");
    assertThat(result).isTrue();
}
throws the following error:
java.lang.IllegalArgumentException: Invalid salt revision
As far as I can tell, PHP simply changed the character a to y to distinguish itself. Only PHP changed this prefix. So perhaps simply changing the y back to a would solve this problem.
In June 2011, a bug was discovered in crypt_blowfish, a PHP implementation of BCrypt. It was mis-handling characters with the 8th bit set. They suggested that system administrators update their existing password database, replacing a$ with x$, to indicate that those hashes are bad (and need to use the old broken algorithm). They also suggested the idea of having crypt_blowfish emit y$ for hashes generated by the fixed algorithm.
Nobody else, including canonical OpenBSD, adopted the idea of 2x/2y. This version marker change was limited to crypt_blowfish.
https://en.wikipedia.org/wiki/Bcrypt
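The prefix rewrite floated at the end of the question, written out as an added example (it is not code from the original post and not Spring Security's own code). It assumes Spring Security's org.springframework.security.crypto.bcrypt.BCrypt is on the classpath; the class and method names are hypothetical. Besides mapping $2y$ to $2a$, it refuses the $2x$ marker the answer describes, since a fixed bcrypt only reproduces those hashes for passwords without 8-bit characters.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCrypt;

// Added example, not code from the original post or from Spring Security.
// Class and method names are hypothetical.
public final class PhpBcryptCompat {

    // Modular crypt format produced by crypt_blowfish / password_hash():
    // $2<minor>$<two-digit cost>$<22-char salt><31-char digest>
    private static final Pattern BCRYPT_HASH = Pattern.compile(
            "\\A\\$2([axy])\\$(\\d\\d)\\$([./A-Za-z0-9]{53})\\z");

    private PhpBcryptCompat() {
    }

    // Rewrites the crypt_blowfish $2y$ marker to $2a$. $2y$ and a correct
    // $2a$ implementation run the same algorithm; only the label differs,
    // so the cost and the salt+digest body are passed through unchanged.
    public static String toSpringFormat(String phpHash) {
        Matcher m = BCRYPT_HASH.matcher(phpHash);
        if (!m.matches()) {
            throw new IllegalArgumentException("Not a bcrypt hash with a 2a/2x/2y marker");
        }
        String minor = m.group(1);
        if (minor.equals("x")) {
            // $2x$ marks a hash made by the buggy crypt_blowfish. A correct
            // implementation only reproduces it for passwords without 8-bit
            // characters, so refuse to verify it and force a re-hash instead.
            throw new IllegalArgumentException("Legacy $2x$ hash cannot be verified with a fixed bcrypt");
        }
        return "$2a$" + m.group(2) + "$" + m.group(3);
    }

    // Verifies a PHP password_hash() result with Spring Security's BCrypt.
    public static boolean checkPhpPassword(String plaintext, String phpHash) {
        return BCrypt.checkpw(plaintext, toSpringFormat(phpHash));
    }

    public static void main(String[] args) {
        // Hash from the question: password_hash('foo', PASSWORD_BCRYPT, ['cost' => 12])
        String phpHash = "$2y$12$TRc5ZjcmDJ8oFaoR1g7LD.RCxBTUZnGXB66EN9h9rKtNWg.hd7ExK";
        System.out.println("foo matches: " + checkPhpPassword("foo", phpHash));
        System.out.println("bar matches: " + checkPhpPassword("bar", phpHash));
    }
}
```

Recent Spring Security releases ship a BCrypt that accepts the $2y$ and $2b$ markers directly (BCryptPasswordEncoder even has a BCryptVersion enum to choose which one it emits), so this shim is only needed against a version that throws "Invalid salt revision" as in the question; check the version before adding it.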