比较加密的sha512+salt密码时出现问题

bqf10yzr  于 2021-07-09  发布在  Java
关注(0)|答案(1)|浏览(498)

在比较两个加密密码时增加一位 d5 添加到字符串中。
我们用sha512+salt对密码进行加密,然后将其与存储在数据库中的sha512+salt值进行比较。
但是密码不匹配。当我们查看日志时,我们看到一个额外的 d5 在盐中不存在的。
这是使用控制台时的输出。

project restful running in port 8000
Value stored in database:

6b5fff62ffe04a51(salt)

(Sha512+salt) appended value
9c01b4079a2d3e24b20ea9d447178f7d68ad41b2b09428d28d822e790d4534c085de326eee7d124ae42781960ba81dc4e37710ac14fd435fede650d0b75735

{ salt: '6b5fff62ffe04a51',(salt)
  passwordhash:(sha512+salt appended value)

'9c01b4079a2d3e24b20ea9d447178f7d68ad41b2b09428d28d822e790d4534c085de326eee7d124ae42781960ba81dc4e37710ac14fd435fede650d0b75735d5' }

额外的 d5 当我们附加它时出现,这是导致错误的原因。

/*
 creating a restfull service

* /

var crypto = require('crypto');
var uuid = require('uuid');
var express = require('express');
var mysql = require('mysql');
var bodyparser = require('body-parser');

//connect to my sql

var con = mysql.createConnection({
    host:"localhost",
    user:"root",
    password:'',
    database:"e-shopiee",
});

//creating password encryption

var genrandomstring = function(length) {
    return crypto.randomBytes(Math.ceil(length/2))
        .toString('hex')
        .slice(0,length);
};

//securing with sha512

var sha512 = function (password, salt) {
    var hash = crypto.createHmac('sha512', salt);
    hash.update(password);
    var value = hash.digest('hex');
    return {
        salt:salt,
        passwordhash:value
    };
};

//get random string to salt

function salthashpassword(userPassword){
    var salt = genrandomstring(16);
    var passwordData = sha512(userPassword, salt);
    return passwordData;
}

//user password generating hashed password

function checkHashpassword(userPassword, salt) {

   var passwordData = sha512(userPassword, salt);
    return passwordData;
}

//accept json params
var app=express();
app.use(bodyparser.json());
//accept encoded url params
app.use(bodyparser.urlencoded({extended : true}));

app.post('/register/',(req,res,next)=>{

    //get post params
    var post_data = req.body;
    //get uuid v4
    var uid = uuid.v4();
    //get password from parms
    var plain_password = post_data.password;
    //get hash parms
    var hash_data = salthashpassword(plain_password);
    var password = hash_data.passwordhash;
    var salt = hash_data.salt;

    var name = post_data.name;
    var email = post_data.email;

    con.query('SELECT * FROM users where email =?',[email],function (err,result,fields) {
        con.on('error',function (err) {
            console.log('[MySQL ERROR]',err);
        });
        if (result && result.length)
            res.json('user already exist');
        else {
            con.query('INSERT INTO `users`( `unique_id`, `name`, `email`, `password`, `salt`, `created_at`, `updated_at`) ' +
                'VALUES (?,?,?,?,?,NOW(),NOW())',[uid,name,email,password,salt],function (err,result,fields) {
                con.on('error',function (err) {
                    console.log('[MySQL ERROR]', err);
                    res.json('Register error: ',err);
                });
                res.json('Register successful');
                console.log(password);
            })
        }
    });
})

app.post('/login/',(req,res,next)=>{

    var post_data =  req.body;

    //extract email and password from reqst
    var user_password = post_data.password;
    var email = post_data.email;

    con.query('SELECT * FROM users where email=?',[email],function (error,result,fields){

        con.on('error',function (err) {
            console.log('[MySQL ERROR]',err);
        });

        if (result && result.length){

            //get salt of result if account exist
            var salt = result[0].salt;
            console.log(salt);
            var password = result[0].password;
            //hashed password from login req
            var  hashed_password = checkHashpassword(user_password,salt).passwordhash;

            console.log(password);
            console.log(hashed_password);

            //if password true return all info
            if(password == hashed_password)
                res.end(JSON.stringify(result[0]))
            else
                res.end(JSON.stringify('Wrong password'));
        }

        else {
            res.json('user not exist');
        }
    });
})
//starting services
app.listen(8000,()=>{
    console.log('project restful running in port 8000');

})
aelbi1ox

aelbi1ox1#

你不能用盐来解密sha512。那(sha512)不是可逆变换。盐能使它对彩虹表免疫。
为什么散列函数是单向的?如果我知道算法,为什么我不能从中计算输入?
2密码盐如何帮助抵御彩虹表攻击?

相关问题