Perl 中的 crypt 函数到 SHA-512 密码的问题
Problem with crypt function in Perl to SHA-512 password
我刚开始学习 Perl,我的任务是将用户输入变量与 SHA-512 存储的散列密码进行比较。我做了下面的功能来测试。我使用随机生成的盐从真实密码 (p2) 生成摘要。接下来,我将此摘要用作我的用户输入的密码 (p1) 的盐,以便与摘要值进行比较。这是基于我找到的描述 here。
我使用 crypt 函数生成摘要,但是我无法在下一步中显示或比较它。
应使用 SHA-512 对密码进行哈希处理。
感谢您的帮助。
use strict;
use warnings;
sub HashThis {
# p1 is userinput and p2 is real password
my ($p1, $p2) = @_;
my $salt = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64];
# makes digest for real password using our pre defined salt
my $digest = crypt($p2, '$'.$salt);
# compares if crypt return same digest as using digest as salt for userinput
if (crypt($p1, $digest) eq $digest) {
print "*** matching ***\n";
} else {
die "*** not matching ***\n";
}
}
print "Enter a word:\t\t ";
chomp(my $userinput = <STDIN>);
print "Real password:\t\t ";
chomp(my $userpass = <STDIN>);
HashThis($userinput, $userpass);
crypt 是 C crypt function. Its implementation will vary from environment to environment 的薄包装。在 OS X 上,它不需要前导 $x$ 来指示使用哪种算法,它只使用 DES。 crypt("foo", '$'.$salt); 结果为 A86JNndVTdM。只使用盐的前两个字节,</code>.</p>
<p>如果要使用 SHA-512,请使用 <a href="https://metacpan.org/pod/Digest::SHA" rel="nofollow noreferrer">Digest::SHA</a>。</p>
<p><code>crypt 和 DES are inappropriate for password hashing. Its short key makes it very easy to defeat, and its salt is just two characters. SHA-512 is also not appropriate for password hashing, it's too fast. Instead, you want a dedicated password hashing function such as bcrypt or PBKDF2 and other key stretching 算法。 crypt 的某些实现可以进行 bcrypt,但很多不能。
rand is also not cryptographically secure 并且不适合生成盐。相反,请使用 Crypt::Random、Data::Entropy、Math::Random::Secure 或 Math::TrulyRandom.
我建议使用 Crypt::PBKDF2, following the instructions in Storing Password in an easy and secure way using Perl, and reading Salted Password Hashing - Doing it Right 作为理论。
我刚开始学习 Perl,我的任务是将用户输入变量与 SHA-512 存储的散列密码进行比较。我做了下面的功能来测试。我使用随机生成的盐从真实密码 (p2) 生成摘要。接下来,我将此摘要用作我的用户输入的密码 (p1) 的盐,以便与摘要值进行比较。这是基于我找到的描述 here。 我使用 crypt 函数生成摘要,但是我无法在下一步中显示或比较它。 应使用 SHA-512 对密码进行哈希处理。 感谢您的帮助。
use strict;
use warnings;
sub HashThis {
# p1 is userinput and p2 is real password
my ($p1, $p2) = @_;
my $salt = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64];
# makes digest for real password using our pre defined salt
my $digest = crypt($p2, '$'.$salt);
# compares if crypt return same digest as using digest as salt for userinput
if (crypt($p1, $digest) eq $digest) {
print "*** matching ***\n";
} else {
die "*** not matching ***\n";
}
}
print "Enter a word:\t\t ";
chomp(my $userinput = <STDIN>);
print "Real password:\t\t ";
chomp(my $userpass = <STDIN>);
HashThis($userinput, $userpass);
crypt 是 C crypt function. Its implementation will vary from environment to environment 的薄包装。在 OS X 上,它不需要前导 $x$ 来指示使用哪种算法,它只使用 DES。 crypt("foo", '$'.$salt); 结果为 A86JNndVTdM。只使用盐的前两个字节,</code>.</p>
<p>如果要使用 SHA-512,请使用 <a href="https://metacpan.org/pod/Digest::SHA" rel="nofollow noreferrer">Digest::SHA</a>。</p>
<p><code>crypt 和 DES are inappropriate for password hashing. Its short key makes it very easy to defeat, and its salt is just two characters. SHA-512 is also not appropriate for password hashing, it's too fast. Instead, you want a dedicated password hashing function such as bcrypt or PBKDF2 and other key stretching 算法。 crypt 的某些实现可以进行 bcrypt,但很多不能。
rand is also not cryptographically secure 并且不适合生成盐。相反,请使用 Crypt::Random、Data::Entropy、Math::Random::Secure 或 Math::TrulyRandom.
我建议使用 Crypt::PBKDF2, following the instructions in Storing Password in an easy and secure way using Perl, and reading Salted Password Hashing - Doing it Right 作为理论。