我使用以下代码创建哈希密码和盐:
// generate a 128-bit salt using a secure PRNG
byte[] salt = new byte[128 / 8];
using (var rng = RandomNumberGenerator.Create())
{
rng.GetBytes(salt);
}
// derive a 256-bit subkey (use HMACSHA1 with 10,000 iterations)
string hashedPassword = Convert.ToBase64String(KeyDerivation.Pbkdf2(
password: password,
salt: salt,
prf: KeyDerivationPrf.HMACSHA1,
iterationCount: 10000,
numBytesRequested: 256 / 8));
我将 HashedPassword 和 Salt 存储在数据库中。
现在我想验证用户登录时的密码:
public bool VerifyPassword(string userEnteredPassword, string dbPasswordHash, string dbPasswordSalt)
{
string hashedPassword = Convert.ToBase64String(KeyDerivation.Pbkdf2(
password: userEnteredPassword,
salt: Encoding.ASCII.GetBytes(dbPasswordSalt),
prf: KeyDerivationPrf.HMACSHA1,
iterationCount: 10000,
numBytesRequested: 256 / 8));
return dbPasswordHash == hashedPassword;
}
这不起作用,我得到的哈希密码与数据库中存储的密码完全不同。据我了解,您应该将盐添加到用户登录时输入的密码中,然后运行相同的哈希密码函数。上面不是等价的吗?
最佳答案
正如 Maarten Bodewes 提到的,ASCII 是问题所在。下面的代码返回 true。我所做的只是将 salt: Encoding.ASCII.GetBytes(dbPasswordSalt),
更改为 salt: System.Convert.FromBase64String(dbPasswordSalt),
public bool VerifyPassword(string userEnteredPassword, string dbPasswordHash, string dbPasswordSalt)
{
Console.WriteLine(dbPasswordSalt.ToString());
Console.WriteLine(dbPasswordHash.ToString());
string hashedPassword = Convert.ToBase64String(KeyDerivation.Pbkdf2(
password: userEnteredPassword,
salt: System.Convert.FromBase64String(dbPasswordSalt),///Encoding.ASCII.GetBytes(dbPasswordSalt),
prf: KeyDerivationPrf.HMACSHA1,
iterationCount: 10000,
numBytesRequested: 256 / 8));
Console.WriteLine(hashedPassword.ToString());
return dbPasswordHash == hashedPassword;
}
关于c# - 使用 Pbkdf2 加密通过 Salt 加密和验证哈希密码,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/45220359/