laravel - 限制 Laravel 中哈希的长度

Question

我正在使用Laravel Hash Facade生成哈希值。然后将其传递给第三方服务，该服务在回调中使用相同的哈希值。我用它来确保请求是“可信的”。但是，Hash::make() 创建一个 60 个字符长的字符串，但第 3 方服务只允许 32 个字符。

如果我将 md5() 应用于哈希，我将无法使用 Hash::check()。如果我使用 substr()，那么两个或多个哈希值可能会产生相同的字符串。

以安全的方式处理这种情况的最佳方法是什么？

Answer 1

默认情况下，Laravel 哈希使用 password_hash()函数与 BLOWFISH 密码一起使用，生成 60 个字符的结果。然而，60 个字符的结果实际上是 28 个字符的参数，以及生成的 32 个字符的哈希值。

前 28 个字符由 4 个字符的前缀 ( $2y$ )、2 位数字的成本 ( 04 - 31 ) 和 22 个字符的盐组成。如果您将前 28 个字符存储在应用程序中的某个位置(例如 .env 文件)，您可以使用它来检查您生成和从第三方接收的 32 个字符的哈希值。

password_hash()函数是 crypt() 的内置包装器函数，但它动态生成自己的盐。由于 Laravel 没有提供手动提供盐的方法，因此您将无法使用 Hash::make()方法;您需要使用 crypt()直接使用 BLOWFISH 密码和静态盐传递正确的数据来触发。生成的结果仍然与 password_verify() 兼容不过，您仍然可以使用 Hash::check()验证收到的哈希值(或直接使用 password_verify())。

下面希望是一个包含代码和注释的更有用的说明。

// This tells crypt() to use the BLOWFISH cypher
$prefix = '$2y$';

// This tells crypt() the number of rounds for the BLOWFISH algorithm to use.
// The higher the number, the longer it takes to generate a hash (good).
// Value must be two digits and between 04 and 31. 10 is default.
$cost = '10';

// This is the 22 character salt (including start and end dollar signs). This is
// the value normally dynamically generated by password_hash(), but you
// are storing a static value in your application.
$salt = '$thisisahardcodedsalt$';

// Concat the three parameters to generate the full 28 character BLOWFISH
// prefix. Instead of using the hardcoded variables above, you would
// probably just get the value out of the config (set by .env file).
$blowfishPrefix = $prefix.$cost.$salt;

// I don't know where your password is coming from, but this is the password
// that you were planning on using for your Hash::make() and Hash::check()
// calls.
$password = 'This is your password.';

// Hash the password to get your 60 character BLOWFISH cipher result.
$hash = crypt($password, $blowfishPrefix);

// The real hash is the last 32 characters. This is the value you pass to your
// third party service.
$hashToThirdParty = substr($hash, -32);

// Now we've generated a hash and sent it to the third party. Now we wait.

// ... at some point, the third party sends the hash back to you.
$hashFromThirdParty = $hashToThirdParty;

// Add your stored BLOWFISH prefix to the hash received from the third party,
// and pass the result into Hash::check() (along with your password).
$verified = Hash::check($password, $blowfishPrefix.$hashFromThirdParty);

// Since we're not using Hash::make() to generate the password, you may not care
// about using Hash::check() to check it. You can just use the underlying
// password_verify() function at this point, if you want.
$altVerified = password_verify($password, $blowfishPrefix.$hashFromThirdParty);

PHP函数资源:
password_hash()
crypt()
password_verify()

Laravel 代码资源:
Hash::make() for the bcrypt hasher
Hash::check() for the bcrypt hasher