哈希密码_哈希生日和密码
哈希密碼
什么是哈希函數? (What is a Hash function?)
It’s an algorithm that maps an input of arbitrary length to a unique output of fixed length, this value is known as HASH, FINGERPRINT or DIGEST.
這是一種將任意長度的輸入映射到固定長度的唯一輸出的算法,該值稱為HASH,FINGERPRINT或DIGEST。
It is usually used to verify the integrity of data, in fact, digital signature algorithms are applied to the DIGEST and not to the entire document.
它通常用于驗證數據的完整性,實際上,數字簽名算法應用于DIGEST,而不應用于整個文檔。
什么是碰撞? (What are collisions?)
Every input of HASH functions supposed to be mapped to a different output (DIGEST) but this is not always true, it’s possible to find two messages that may produce the same result, in this case, we have found a collision. That’s not all because for each message there are infinite collisions.
HASH函數的每個輸入都應該映射到不同的輸出(DIGEST),但這并不總是正確的,有可能找到兩條可能產生相同結果的消息,在這種情況下,我們發現了沖突。 這還不是全部,因為每條消息都有無限的沖突。
所以呢? (So what?)
Security of HASH functions is based on the fact it’s very hard to find collisions knowing the hashed message. This is fundamental, let’s suppose we have digitally signed a document, someone knowing it may compute a variant disadvantageous for us, that collides that is to say it produces the same DIGEST.
HASH函數的安全性基于這樣一個事實,即在知道哈希消息的情況下很難發現沖突。 這是基礎,假設我們已經對文檔進行了數字簽名,有人知道該文檔可能會對我們產生不利影響的變體,發生沖突,也就是說它產生相同的DIGEST。
So when using a HASH function we have to be sure it’s computationally impossible to find a collision, this safety is based on the birthday paradox.
因此,在使用哈希函數時,我們必須確保在計算上不可能找到碰撞,這種安全性是基于生日悖論。
什么是生日悖論? (What is the Birthday paradox?)
It is based on the question: “How many people have I to consider, to have a probability greater than the 50% to have at least 2 people born on the same day?”
它基于以下問題:“ 我要考慮多少人,同一天出生至少2個人的概率大于50%? ”
So we have to consider couples of people, given n people, we can compute the total amount of couples using the simple combination formula :
因此,我們必須考慮一對夫婦,給定n個人,我們可以使用簡單的組合公式計算夫婦的總數:
where n indicates the number of people a k the size of the group, in our case a couple so 2.
其中n表示人數等于小組人數的k ,在本例中為2。
With 57 people the probability that two of them are born on the same day is 99% considering we have 1596 couples and the day in a year are 365, so skipping calculations, the answer is 23 (253 couples)
考慮到我們有1596對夫婦,并且一年中的一天是365對,因此有57個人的兩個人在同一天出生的概率為99%,因此跳過計算,答案是23(253對夫婦)
哈希函數中的生日悖論 (Birthday paradox in Hash function)
The same thinking can be applied in HASH functions, and it’s known that we have a probability greater than 50% of finding a collision for 2^n/2 possible inputs, where n stands for the number of bits composing the DIGEST.
可以在HASH函數中應用相同的思路,并且眾所周知,對于2 ^ n / 2個可能的輸入,我們有大于50%的概率找到碰撞,其中n代表組成DIGEST的位數。
Here’s a table showing Bits and the number of values to consider.
下表顯示了位數和要考慮的值數。
Image By opine.me圖片來自opine.me生日襲擊 (Birthday attack)
It consists of computing n/2 variants of the original document to find a collision. That’s because it’s important to use at least a 256-bit DIGEST.
它由計算原始文檔的n / 2個變體來查找沖突。 這是因為至少要使用256位DIGEST很重要。
身份驗證和哈希 (Authentication and Hashing)
Hashing is very good to store password because its transformation is mathematically irreversible, and they are deterministic.
哈希存儲密碼非常好,因為它的轉換在數學上是不可逆的,并且是確定性的 。
A deterministic function is a function that given the same input always produces the same output. Obviously this is a must in authentication because it would be a big problem if a password may log in to different accounts.
確定性函數是給定相同輸入總是產生相同輸出的函數。 顯然,這是身份驗證中必須的,因為如果密碼可以登錄到其他帳戶,這將是一個大問題。
So when saving user credentials we store the username and the hashed password in the DB. When the user logs in, we hash the password sent and compare it to the hash connected with the provided username. If the hashed password and the stored hash match, we have a valid login.
因此,在保存用戶憑據時,我們將用戶名和哈希密碼存儲在數據庫中。 當用戶登錄時,我們對發送的密碼進行哈希處理,并將其與與提供的用戶名連接的哈希進行比較。 如果哈希密碼和存儲的哈希密碼匹配,則我們具有有效的登錄名。
我應該使用它們來存儲密碼嗎? (Should I use them to store passwords?)
The short answer is yes but …
簡短的答案是,但是……
In recent times it’s advised to avoid hashing to store passwords because it’s a fast operation not meant to be computationally fast by reducing password safety. For example, modern hardware could compute billions of SHA-256 per second. Instead of a fast function, we need a function that is slow at hashing passwords to bring attackers almost to a halt.
在最近的時間里,建議避免散列存儲密碼,因為這是一項快速操作,并不意味著通過降低密碼安全性來實現計算速度快。 例如,現代硬件每秒可以計算數十億個SHA-256 。 除了快速功能之外,我們還需要一個散列密碼速度較慢的功能,以使攻擊者幾乎無法使用。
It’s common to use hash functions like bcrypt (Blowfish-crypt) which is an adaptive function: the iteration count of rounds can be increased to make it slower, so it remains resistant to brute force attacks even with increasing computation power.
通常使用像bcrypt (Blowfish-crypt)這樣的散列函數,這是一種自適應函數:可以增加回合的迭代次數以使其變慢,因此即使提高了計算能力,它仍然可以抵抗暴力攻擊。
結論 (Conclusions)
Let’s recap what we’ve learned through this article:
讓我們回顧一下通過本文中學到的內容:
- The core purpose of hashing is to create a fingerprint of data to assess data integrity. 哈希的核心目的是創建數據指紋以評估數據完整性。
- Hashing functions take arbitrary inputs and transform them into outputs of a fixed length. 散列函數采用任意輸入并將其轉換為固定長度的輸出。
- Hashing is not sufficient to protect passwords for mass exploitation, it’s safer to use cryptographic salts. 散列不足以保護密碼以供大規模利用,而使用加密鹽則更安全。
MD5 and SHA-1 have been reported as being vulnerable due to collisions. The SHA-2 family stands as a better option.
據報道, MD5和SHA-1由于碰撞而容易受到攻擊。 SHA-2系列是更好的選擇。
SHA family is not ideal to store password because it’s very fast so vulnerable to brute-force attacks, it’s better to use functions like bcrypt
SHA系列不是理想的存儲密碼,因為它非常快,容易受到暴力攻擊,因此最好使用bcrypt之類的功能
翻譯自: https://medium.com/swlh/hashing-birthday-and-passwords-254756df55b7
哈希密碼
總結
以上是生活随笔為你收集整理的哈希密码_哈希生日和密码的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: wsappx关不掉_win10的appm
- 下一篇: 微信自动打招呼功能