php - 在数据库中存储具有不同算法的哈希是否有意义？

Question

基于这篇文章:https://crackstation.net/hashing-security.htm

我将散列函数重写为 Hash 对象中的方法...在实例化时，算法是随机设置的(基于 hash_algos())并且 pbkdf2 迭代也是随机的设置。

这里的主要问题是:它是否提高了安全性？或者它甚至重要吗？

由于哈希结果以 ALGORITHM:ITERATIONS:SALT:HASH 的格式存储在数据库中，密码验证方法将始终有效——假设格式不变。

这里的第二个问题是:如果我们更改格式并以某种方式将其保存在数据库中怎么办？

例如:1234:ALGORITHM:ITERATIONS:SALT:HASH，而第一组数字的位置决定了顺序。 1 可以是“算法”，2 可以是“迭代”，3 可以是“盐”，4 可以是“散列”...然后它可以存储为 4213:HASH:ITERATIONS:ALGORITHM:SALT

因此，例如，这可能导致:

Plain: Kh ÃfZs²Ã–>â´D®3¢%jÃmKeMÃ8*/ÃY§w(`P~¿G+ZPÃÃÆQ-:£´CaÃ:p-I&Ã\4„JÃ~*1Æf¿^wwÃ|¶
Hash: ripemd320:136696:up3dvlhcEVOmxZCalFeDZLZsxD6CxTzJ:/ZssN0ODowGqjni2dBq31vQUzH0oR9X8

Plain: ‘¡ÃBÃ¥§‰––§¡kÂ!;Qa!xu!¤®[¥Kkp~{†b}ÃRR7pEÂÃÆÃt1Niw¤¦¢P]ÃÃ^âQÂEfÉ‚®Q>Ãi«0CpÂBYU‘ÃIXÃi)z§w¿»¢Ãs7
Hash: snefru256:231279:4ZEgsSuWIUqxBwgEw4JX8RCaxU/92Van:/A1VeH47O7fjrf0mulcOwsAj/OdJ4j8B

Plain: ÂZÃn£¨"Ã&vPÃ9iÃÃçPj²=ì§#Æ[ÃNi¥0R)*¥„Ã…>QIÂ:ÃSÂ4pªœÃ´ÃÃ6.wÃ0(¡0sbÃ!
Hash: tiger160,3:382995:apCegFYSKwOxCvw70UBO0Cby8ygTLomP:O9kFigaw0X4S9A7pMq559S4NnF5EaZnX

Plain: d'(ÃY¥TÃÃFyfp!Ã~…GÃ
Hash: crc32:166154:b+LONmP+yai0yVSdhtY1+A6waInJaSIQ:eHCD+3sDw16uh1M7eVHTP6zVQ1qvpgP/

等等

这是我在下面使用的代码，由于数据库中哈希的结构，它们都有效。

<?php
/*
* Password Hashing With PBKDF2 (http://crackstation.net/hashing-security.htm).
* Copyright (c) 2013, Taylor Hornby
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/

final class Hash {
  private $PBKDF2_HASH_ALGORITHM = null,
          $PBKDF2_ITERATIONS = 128000;

  const PBKDF2_SALT_BYTE_SIZE = 24;
  const PBKDF2_HASH_BYTE_SIZE = 24;
  const HASH_SECTIONS         = 4;
  const HASH_ALGORITHM_INDEX  = 0;
  const HASH_ITERATION_INDEX  = 1;
  const HASH_SALT_INDEX       = 2;
  const HASH_PBKDF2_INDEX     = 3;

  /**
  * On instantiation, randomly set the algorithm to use (based on the available algorithms)
  * and randomly set the iteration count. High iteration counts can cause a high delay in server response.
  */
  public function __construct() {
    $algos = hash_algos();
    $algo  = $algos[mt_rand(0, count($algos) - 1)];
    $this->PBKDF2_HASH_ALGORITHM = $algo;
    $this->PBKDF2_ITERATIONS = mt_rand(128000, 512000);
  }

  public function create_hash($password) {
    // format: algorithm:iterations:salt:hash
    $salt = base64_encode(mcrypt_create_iv(self::PBKDF2_SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM));
    return $this->PBKDF2_HASH_ALGORITHM . ":" . $this->PBKDF2_ITERATIONS . ":" .  $salt . ":" .
    base64_encode($this->pbkdf2(
      $this->PBKDF2_HASH_ALGORITHM,
      $password,
      $salt,
      $this->PBKDF2_ITERATIONS,
      self::PBKDF2_HASH_BYTE_SIZE,
      true
    ));
  }

  public function validate_password($password, $correct_hash) {
    $params = explode(":", $correct_hash);
    if(count($params) < self::HASH_SECTIONS)
      return false;
    $pbkdf2 = base64_decode($params[self::HASH_PBKDF2_INDEX]);
    return $this->slow_equals(
      $pbkdf2,
      $this->pbkdf2(
        $params[self::HASH_ALGORITHM_INDEX],
        $password,
        $params[self::HASH_SALT_INDEX],
        (int)$params[self::HASH_ITERATION_INDEX],
        strlen($pbkdf2),
        true
      )
    );
  }

  // Compares two strings $a and $b in length-constant time.
  private function slow_equals($a, $b) {
    $diff = strlen($a) ^ strlen($b);
    for($i = 0; $i < strlen($a) && $i < strlen($b); $i++) {
      $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
  }

  /*
  * PBKDF2 key derivation function as defined by RSA's PKCS #5: https://www.ietf.org/rfc/rfc2898.txt
  * $algorithm - The hash algorithm to use. Recommended: SHA256
  * $password - The password.
  * $salt - A salt that is unique to the password.
  * $count - Iteration count. Higher is better, but slower. Recommended: At least 1000.
  * $key_length - The length of the derived key in bytes.
  * $raw_output - If true, the key is returned in raw binary format. Hex encoded otherwise.
  * Returns: A $key_length-byte key derived from the password and salt.
  *
  * Test vectors can be found here: https://www.ietf.org/rfc/rfc6070.txt
  *
  * This implementation of PBKDF2 was originally created by https://defuse.ca
  * With improvements by http://www.variations-of-shadow.com
  */
  protected function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) {
    $algorithm = strtolower($algorithm);
    if(!in_array($algorithm, hash_algos(), true))
      trigger_error('PBKDF2 ERROR: Invalid hash algorithm.', E_USER_ERROR);
    if($count <= 0 || $key_length <= 0)
      trigger_error('PBKDF2 ERROR: Invalid parameters.', E_USER_ERROR);

    if (function_exists("hash_pbkdf2")) {
      // The output length is in NIBBLES (4-bits) if $raw_output is false!
      if (!$raw_output) {
        $key_length = $key_length * 2;
      }
      return hash_pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output);
    }

    $hash_length = strlen(hash($algorithm, "", true));
    $block_count = ceil($key_length / $hash_length);

    $output = "";
    for($i = 1; $i <= $block_count; $i++) {
      // $i encoded as 4 bytes, big endian.
      $last = $salt . pack("N", $i);
      // first iteration
      $last = $xorsum = hash_hmac($algorithm, $last, $password, true);
      // perform the other $count - 1 iterations
      for ($j = 1; $j < $count; $j++) {
        $xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
      }
      $output .= $xorsum;
    }

    if($raw_output)
      return substr($output, 0, $key_length);
    else
      return bin2hex(substr($output, 0, $key_length));
  }
}

/**
* Testing
*/
$start = microtime(true);

// generate a random string
function randString($length, $charset='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_+=-[]\{}|:";\'<>?,./âäàåçêëèïîìÄÅÉæÆôöòûùÿÖÜ¢£¥₧ƒáíóúñѪº¿') {
  $str = '';
  $count = strlen($charset);
  while ($length--) {
    $str .= $charset[mt_rand(0, $count-1)];
  }
  return $str;
}

set_time_limit(0);

// array of plain and hashed values
$stored = array();
for($i = 0; $i < 10; $i++) {
  $plain = randString(mt_rand(10, 100));

  $Hash  = new Hash;
  $hash  = $Hash->create_hash($plain);
  echo "Plain: $plain<br>Hash: $hash<br>";

  // store to check later
  $stored[] = array("plain" => $plain, "hash" => $hash);
}

// check hashes
echo "<hr>";
foreach($stored as $single) {
  $Hash = new Hash;
  $valid = $Hash->validate_password($single['plain'], $single['hash']);
  echo "Valid? ".($valid ? "Yes" : "No")."<br>";
}

echo "<br>Time taken: ".round((microtime(true)-$start), 4)."s";
?>

这些真的重要吗？它对熵的水平有帮助吗？

Answer 1

我会按顺序回答问题:

1. 不，它不会帮助安全，实际上会削弱它。攻击者可以简单地选择一个具有低迭代次数和易于加速的哈希算法的条目并对其进行攻击。

2. 数据的格式无关紧要。安全性在于值，而不是格式。我建议选择一种安全的哈希算法(如果可用，比如 SHA-256)和足够高的迭代次数。

将某种版本号与哈希一起存储是个好主意，以便以后每个条目更新您的方案。通常，只有当用户向您提供他的密码时，您才能提高安全性。