Blowfish是一种分块密码,设计于1993年,可以快速用于当时的通用CPU。它具有64位块大小和可变密钥大小,最大为448位。
我有一个在 vi (vi -x myfile) 中使用 blowfish2 加密 (:setlocal cm=blowfish2) 加密的文件。我可以毫无问题地提供密码并编辑文件。 如果我只想查看...
这是我刚刚用 php 制作的加密方式,用它我将密码存储在数据库中 这是我的登录页面代码 这是我刚刚在 php 中制作的加密方式,用它我将密码存储在数据库中 这是我的登录页面代码 <?php session_start(); require("db_connection.php"); require("functions.php"); if (!$connect) { die("Connection failed: " . mysqli_connect_error()); } if(isset($_SESSION['name'])){ header("location: admin.php"); } if ($_SERVER['REQUEST_METHOD'] === 'POST') { if ($_POST['username']==""||$_POST['password']==""){ header ("location: login.php"); } $username = mysqli_real_escape_string($connect,$_POST['username']); $password = $_POST['password']; $found_admin = attempt_login($username,$password); if($found_admin) { $_SESSION['username'] = $found_admin['username']; $_SESSION['name'] = $found_admin['name']; header("location: admin.php"); }else { $status = "Please verify your credentials"; } } ?> 我已经在单独的文件中创建了该函数,这里的任何人都可以给我建议来调整此代码 我只学习了大约一周的语言。 计划启动面向对象的 php。 功能是 function encrypt_password ($password){ $hash_form = "$2y$10$"; $salt_length = 22; $salt = generate_salt($salt_length); $form_and_salt = $hash_form . $salt; $hash = crypt($password,$form_and_salt); return $hash; } function generate_salt ($length){ $unique_random_string = md5(uniqid(mt_rand(),true)); $base64_string = base64_encode($unique_random_string); $modified_base64_string = str_replace('+', '.',$base64_string); $salt = substr($modified_base64_string,0,$length); return $salt; } function password_check ($password, $existing_hash){ $hash = crypt($password,$existing_hash); if($hash===$existing_hash){ return true; }else { return false; } } function find_admin_by_username($username){ global $connect; $safe_username = mysqli_real_escape_string($connect,$username); $query = "SELECT * FROM admins WHERE username='{$safe_username}' LIMIT 1"; $result = mysqli_query($connect , $query); if($admin = mysqli_fetch_assoc($result)){ return $admin; }else{ return null; } } function attempt_login($username, $password){ $admin = find_admin_by_username($username); if ($admin){ if(password_check($password,$admin['password'])){ return $admin; }else { return false; } }else { return false; } } 这种加密方式安全吗? 不。 Bcrypt 很好,但你的实现很危险。 如果您从这个答案中没有学到任何其他信息,请记住您不加密密码,而是对它们进行哈希处理。链接的文章解释了各种密码学术语和概念的细微差别。如果不出意外,如果您在其他领域遇到密码学,它应该会帮助您学习如何提出更好的问题。 如果您需要存储密码,请使用 password_hash() 和 password_verify()。 不要编写自己的加密功能,除非您知道自己在做什么。 WordPress 应该已经包含 password_compat (它允许您使用 PHP 5.3.7+ 中的推荐功能),但截至 2015 年 8 月,您应该已经使用 PHP 5.5,所以这是一个没有实际意义的问题。 如果您使用的是较旧版本的 PHP,请迫使您的网络主机立即更新到 5.5 或 5.6。如果您这样做,您将使互联网变得更安全。 使用推荐的函数(并用准备好的语句替换mysqli_real_escape_string(),这是正确且有效的 SQL 注入解决方案),您的代码可能如下所示: function find_admin_by_username($username) { global $connect; // Create a prepared statement with our query structure $stmt = mysqli_prepare($connect, "SELECT * FROM admins WHERE username = ? LIMIT 1"); // Bind a string parameter (hence the "s"): mysqli_stmt_bind_param($stmt, "s", $username); // If the query was successful if (mysqli_stmt_execute($stmt)) { // Grab the result from the prepared statement... $result = mysqli_stmt_get_result($stmt); // And then return a single row from the table return mysqli_fetch_assoc($result); } } function attempt_login($username, $password) { $admin = find_admin_by_username($username); if ($admin) { if (password_verify($password, $admin['password'])) { return $admin; } } return false; } 我将继续对您的代码进行注释(我的注释带有 ## 前缀)。 function encrypt_password ($password){ ## You're hashing, not encrypting $hash_form = "$2y$10$"; ## Why is the cost of 10 hard-coded? Some people might want 11 or 12. $salt_length = 22; ## This doesn't need to be a variable $salt = generate_salt($salt_length); $form_and_salt = $hash_form . $salt; ## This is backwards $hash = crypt($password,$form_and_salt); return $hash; } function generate_salt ($length){ $unique_random_string = md5(uniqid(mt_rand(),true)); ## This is weak. See footnote $base64_string = base64_encode($unique_random_string); $modified_base64_string = str_replace('+', '.',$base64_string); $salt = substr($modified_base64_string,0,$length); return $salt; } function password_check ($password, $existing_hash){ $hash = crypt($password,$existing_hash); if($hash===$existing_hash){ ## Timing side-channel (albeit not a practical one) return true; }else { return false; } } function find_admin_by_username($username){ global $connect; ## Editing and concatenating strings fails more often than prepared statements. ## If you want to be conservative about security, get very familiar with ## mysqli_prepare() and friends. You can almost never have to use ## mysqli_real_escape_string() again if you're careful enough. $safe_username = mysqli_real_escape_string($connect,$username); $query = "SELECT * FROM admins WHERE username='{$safe_username}' LIMIT 1"; $result = mysqli_query($connect , $query); if($admin = mysqli_fetch_assoc($result)){ return $admin; }else{ ## You can just leave this outside the if block return null; ## If you don't return anything, null is returned } } function attempt_login($username, $password){ $admin = find_admin_by_username($username); if ($admin){ if(password_check($password,$admin['password'])){ return $admin; }else { ## unnecessary return false; ## unnecessary } }else { ## unnecessary return false; ## unnecessary } } 脚注md5(uniqid(mt_rand(), true)); 这是一个弱随机数生成器,切勿用于与密码学相关的任何内容。 我使用弱随机数生成器在 DEFCON 23 Underhanded Crypto Contest 的获奖作品中创建了一个后门用户身份验证库。简而言之:如果您要在任何加密实用程序的一百英里范围内生成随机字符串,则需要一个CSPRNG。 请告诉我谁或什么误导了您相信md5(uniqid(mt_rand(), true));是一个安全的随机数生成器。我看到很多人犯了同样的错误,我想阻止糟糕的密码学建议的传播。某处有教程吗?我真的很想纠正它。 重申:md5(uniqid(mt_rand(), true));并不安全。不要使用它。 TL;博士 使用 PHP 提供的密码哈希功能。 不要编写自己的密码学。 不要使用弱随机数生成器。 使用准备好的语句而不是转义。 WpPasswordHash.php <?php # # Portable PHP password hashing framework. # # Version 0.3 / genuine. # # Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in # the public domain. Revised in subsequent years, still public domain. # # There's absolutely no warranty. # # The homepage URL for this framework is: # # http://www.openwall.com/phpass/ # # Please be sure to update the Version line if you edit this file in any way. # It is suggested that you leave the main version number intact, but indicate # your project name (after the slash) and add your own revision information. # # Please do not change the "private" password hashing method implemented in # here, thereby making your hashes incompatible. However, if you must, please # change the hash type identifier (the "$P$") to something different. # # Obviously, since this code is in the public domain, the above are not # requirements (there can be none), but merely suggestions. # class WpPasswordHash { var $itoa64; var $iteration_count_log2; var $portable_hashes; var $random_state; function WpPasswordHash($iteration_count_log2, $portable_hashes) { $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) $iteration_count_log2 = 8; $this->iteration_count_log2 = $iteration_count_log2; $this->portable_hashes = $portable_hashes; $random_state = microtime() . getmypid(); } function get_random_bytes($count) { $output = ''; if (($fh = @fopen('/dev/urandom', 'rb'))) { $output = fread($fh, $count); fclose($fh); } if (strlen($output) < $count) { $output = ''; for ($i = 0; $i < $count; $i += 16) { $this->random_state = md5(microtime() . $this->random_state); $output .= pack('H*', md5($this->random_state)); } $output = substr($output, 0, $count); } return $output; } function encode64($input, $count) { $output = ''; $i = 0; do { $value = ord($input[$i++]); $output .= $this->itoa64[$value & 0x3f]; if ($i < $count) $value |= ord($input[$i]) << 8; $output .= $this->itoa64[($value >> 6) & 0x3f]; if ($i++ >= $count) break; if ($i < $count) $value |= ord($input[$i]) << 16; $output .= $this->itoa64[($value >> 12) & 0x3f]; if ($i++ >= $count) break; $output .= $this->itoa64[($value >> 18) & 0x3f]; } while ($i < $count); return $output; } function gensalt_private($input) { $output = '$P$'; $output .= $this->itoa64[min($this->iteration_count_log2 + ((PHP_VERSION >= '5') ? 5 : 3), 30)]; $output .= $this->encode64($input, 6); return $output; } function crypt_private($password, $setting) { $output = '*0'; if (substr($setting, 0, 2) == $output) $output = '*1'; if (substr($setting, 0, 3) != '$P$') return $output; $count_log2 = strpos($this->itoa64, $setting[3]); if ($count_log2 < 7 || $count_log2 > 30) return $output; $count = 1 << $count_log2; $salt = substr($setting, 4, 8); if (strlen($salt) != 8) return $output; # We're kind of forced to use MD5 here since it's the only # cryptographic primitive available in all versions of PHP # currently in use. To implement our own low-level crypto # in PHP would result in much worse performance and # consequently in lower iteration counts and hashes that are # quicker to crack (by non-PHP code). if (PHP_VERSION >= '5') { $hash = md5($salt . $password, TRUE); do { $hash = md5($hash . $password, TRUE); } while (--$count); } else { $hash = pack('H*', md5($salt . $password)); do { $hash = pack('H*', md5($hash . $password)); } while (--$count); } $output = substr($setting, 0, 12); $output .= $this->encode64($hash, 16); return $output; } function gensalt_extended($input) { $count_log2 = min($this->iteration_count_log2 + 8, 24); # This should be odd to not reveal weak DES keys, and the # maximum valid value is (2**24 - 1) which is odd anyway. $count = (1 << $count_log2) - 1; $output = '_'; $output .= $this->itoa64[$count & 0x3f]; $output .= $this->itoa64[($count >> 6) & 0x3f]; $output .= $this->itoa64[($count >> 12) & 0x3f]; $output .= $this->itoa64[($count >> 18) & 0x3f]; $output .= $this->encode64($input, 3); return $output; } function gensalt_blowfish($input) { # This one needs to use a different order of characters and a # different encoding scheme from the one in encode64() above. # We care because the last character in our encoded string will # only represent 2 bits. While two known implementations of # bcrypt will happily accept and correct a salt string which # has the 4 unused bits set to non-zero, we do not want to take # chances and we also do not want to waste an additional byte # of entropy. $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; $output = '$2a$'; $output .= chr(ord('0') + $this->iteration_count_log2 / 10); $output .= chr(ord('0') + $this->iteration_count_log2 % 10); $output .= '$'; $i = 0; do { $c1 = ord($input[$i++]); $output .= $itoa64[$c1 >> 2]; $c1 = ($c1 & 0x03) << 4; if ($i >= 16) { $output .= $itoa64[$c1]; break; } $c2 = ord($input[$i++]); $c1 |= $c2 >> 4; $output .= $itoa64[$c1]; $c1 = ($c2 & 0x0f) << 2; $c2 = ord($input[$i++]); $c1 |= $c2 >> 6; $output .= $itoa64[$c1]; $output .= $itoa64[$c2 & 0x3f]; } while (1); return $output; } function HashPassword($password) { $random = ''; if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) { $random = $this->get_random_bytes(16); $hash = crypt($password, $this->gensalt_blowfish($random)); if (strlen($hash) == 60) return $hash; } if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) { if (strlen($random) < 3) $random = $this->get_random_bytes(3); $hash = crypt($password, $this->gensalt_extended($random)); if (strlen($hash) == 20) return $hash; } if (strlen($random) < 6) $random = $this->get_random_bytes(6); $hash = $this->crypt_private($password, $this->gensalt_private($random)); if (strlen($hash) == 34) return $hash; # Returning '*' on error is safe here, but would _not_ be safe # in a crypt(3)-like function used _both_ for generating new # hashes and for validating passwords against existing hashes. return '*'; } function CheckPassword($password, $stored_hash) { $hash = $this->crypt_private($password, $stored_hash); if ($hash[0] == '*') $hash = crypt($password, $stored_hash); return $hash == $stored_hash; } } ?> 然后当你想验证密码时: 单独的 php 文件: $res = $this->_checkPassword($password, $res['User']['password']); private function _checkPassword($password, $hash) { $wp_hasher = new WpPasswordHash(8, true); $hashed_password = $wp_hasher->CheckPassword($password, $hash); return $hashed_password; } 对于加密: private function _encryptPwd($password) { $wp_hasher = new WpPasswordHash(8, true); $hashed_password = $wp_hasher->HashPassword($password); return $hashed_password; } 我希望你理解我的代码背后的逻辑。
如何检查php.ini / php有关加密的设置(BLOWFISH)
我的网站的用户登录功能突然停止在租用的服务器(网络托管服务)上工作(多年来它工作得很好。)因为我没有更改任何内容,数据库也是
必须定义py blowflish PY_SSIZE_T_CLEAN 宏
我将收到一个带有密钥的包,我需要用河豚解密它,但我收到此错误: 系统错误:必须为“#”格式定义 PY_SSIZE_T_CLEAN 宏 关于这个函数: ...
由于我对 Java 的不完全了解,我正在努力将此加密代码转换为 Python 代码。两者应该有完全相同的结果。帮助将不胜感激。 Java函数
我正在尝试分别使用 python 和 java 执行 twofish 和 blowfish 加密算法
对于我正在做的项目,我需要 创建不同大小的随机纯文本文件(我完成的) 然后生成随机加密密钥 然后加密和解密文件 查看资源...
public class Main {public static void main(String [] args){字符串结果= blowfish(“ 123123”); System.out.println(结果); } public static String blowfish(String source){final String ...
[phpMyAdmin在访问config.inc.php和blowfish_secret.inc.php时出错
我正在以下配置上运行phpMyAdmin 4.6.6deb5:Ubuntu Server 18.04.3 nginx / 1.17.9 7.2.24-0ubuntu0.18.04.3 phpMyAdmin似乎可以正常工作,但是有一条红色错误消息,指出...
php openssl_decrypt()参数(之前由perl Crypt :: CBC加密)
我的加密/解密环境在Perl中工作正常。从php读取信息是我正在寻找答案的问题。以下是我的测试用例,我希望php打印$ decryption ...
如何在Flutter / Dart中进行Blowfish CBC解密?我找不到任何支持它的库。 dbcrypt仅支持密码哈希,不支持cbc模式。谢谢。
我们正在尝试使用Blowfish + Hex编码来对具有相同长度(32)的几个输入字符串进行编码。问题在于最终编码的字符串并不总是具有我们期望的长度(32 ...
[Bcrypt / Blowfish无效盐,具有低的发数<04
似乎hashpw函数不允许具有多个回合<04的哈希。对于每个bcrypt版本,似乎都是这种情况> = 3.1.1作为向python 3的过渡,新的...] >
我有一堆加密文件,我想解密(呃)。经过一些研究,我发现他们使用224位密钥用Blowfish加密。我知道明文的前几个字节是什么...
如何使用blowfish进行加密在python和php之间发送加密消息?
我想使用blowfish使用已知密码在php中加密消息。然后我想在python中解密这个消息。即使您想用一种语言加密并解密,这也很有用。
我正在尝试使用Blowfish和CBC制作这个网站正在做什么https://codebeautify.org/encrypt-decrypt我不确定实际的术语是什么,但我想要实现的加密方法...
这是问题所在,字符串按以下顺序通过三个单独的加密:原始 - > Base64 - > AES-256 - > Blowfish(无密钥) - >最终。写一个拿这个的方法......
如何在PHP中使用crypt($ pass,'$ 2y $ 09 $ salt')=== crypt($ pass,crypt($ pass,'$ 2y $ 09 $ salt'))?
我确实对crypt()PHP函数感到困惑。当第二个crypt显然使用不同的第二个参数时,以下两个crypt函数如何提供相同的输出? Diff盐意味着......
可能重复:使用PHP加密和解密密码的最佳方式?我最近用PHP做了很多事情,想要建立我的第一个登录/注册系统。因此,我一直在做......
我正在尝试将一些加密(短)信息存储在cookie中。我正在生成一个短字符串(大约64个字符),使用generateSecretKey()生成密钥,并尝试AES或...