在比较两个加密密码时增加一位 d5
添加到字符串中。
我们用sha512+salt对密码进行加密,然后将其与存储在数据库中的sha512+salt值进行比较。
但是密码不匹配。当我们查看日志时,我们看到一个额外的 d5
在盐中不存在的。
这是使用控制台时的输出。
project restful running in port 8000
Value stored in database:
6b5fff62ffe04a51(salt)
(Sha512+salt) appended value
9c01b4079a2d3e24b20ea9d447178f7d68ad41b2b09428d28d822e790d4534c085de326eee7d124ae42781960ba81dc4e37710ac14fd435fede650d0b75735
{ salt: '6b5fff62ffe04a51',(salt)
passwordhash:(sha512+salt appended value)
'9c01b4079a2d3e24b20ea9d447178f7d68ad41b2b09428d28d822e790d4534c085de326eee7d124ae42781960ba81dc4e37710ac14fd435fede650d0b75735d5' }
额外的 d5
当我们附加它时出现,这是导致错误的原因。
/*
creating a restfull service
* /
var crypto = require('crypto');
var uuid = require('uuid');
var express = require('express');
var mysql = require('mysql');
var bodyparser = require('body-parser');
//connect to my sql
var con = mysql.createConnection({
host:"localhost",
user:"root",
password:'',
database:"e-shopiee",
});
//creating password encryption
var genrandomstring = function(length) {
return crypto.randomBytes(Math.ceil(length/2))
.toString('hex')
.slice(0,length);
};
//securing with sha512
var sha512 = function (password, salt) {
var hash = crypto.createHmac('sha512', salt);
hash.update(password);
var value = hash.digest('hex');
return {
salt:salt,
passwordhash:value
};
};
//get random string to salt
function salthashpassword(userPassword){
var salt = genrandomstring(16);
var passwordData = sha512(userPassword, salt);
return passwordData;
}
//user password generating hashed password
function checkHashpassword(userPassword, salt) {
var passwordData = sha512(userPassword, salt);
return passwordData;
}
//accept json params
var app=express();
app.use(bodyparser.json());
//accept encoded url params
app.use(bodyparser.urlencoded({extended : true}));
app.post('/register/',(req,res,next)=>{
//get post params
var post_data = req.body;
//get uuid v4
var uid = uuid.v4();
//get password from parms
var plain_password = post_data.password;
//get hash parms
var hash_data = salthashpassword(plain_password);
var password = hash_data.passwordhash;
var salt = hash_data.salt;
var name = post_data.name;
var email = post_data.email;
con.query('SELECT * FROM users where email =?',[email],function (err,result,fields) {
con.on('error',function (err) {
console.log('[MySQL ERROR]',err);
});
if (result && result.length)
res.json('user already exist');
else {
con.query('INSERT INTO `users`( `unique_id`, `name`, `email`, `password`, `salt`, `created_at`, `updated_at`) ' +
'VALUES (?,?,?,?,?,NOW(),NOW())',[uid,name,email,password,salt],function (err,result,fields) {
con.on('error',function (err) {
console.log('[MySQL ERROR]', err);
res.json('Register error: ',err);
});
res.json('Register successful');
console.log(password);
})
}
});
})
app.post('/login/',(req,res,next)=>{
var post_data = req.body;
//extract email and password from reqst
var user_password = post_data.password;
var email = post_data.email;
con.query('SELECT * FROM users where email=?',[email],function (error,result,fields){
con.on('error',function (err) {
console.log('[MySQL ERROR]',err);
});
if (result && result.length){
//get salt of result if account exist
var salt = result[0].salt;
console.log(salt);
var password = result[0].password;
//hashed password from login req
var hashed_password = checkHashpassword(user_password,salt).passwordhash;
console.log(password);
console.log(hashed_password);
//if password true return all info
if(password == hashed_password)
res.end(JSON.stringify(result[0]))
else
res.end(JSON.stringify('Wrong password'));
}
else {
res.json('user not exist');
}
});
})
//starting services
app.listen(8000,()=>{
console.log('project restful running in port 8000');
})
1条答案
按热度按时间aelbi1ox1#
你不能用盐来解密sha512。那(sha512)不是可逆变换。盐能使它对彩虹表免疫。
为什么散列函数是单向的?如果我知道算法,为什么我不能从中计算输入?
2密码盐如何帮助抵御彩虹表攻击?