Hashing, Birthday and Passwords
What is a Hash function?
It’s an algorithm that maps an input of arbitrary length to an output of fixed length that is intended to be unique; this value is known as the HASH, FINGERPRINT or DIGEST.
It is usually used to verify the integrity of data; in fact, digital signature algorithms are applied to the DIGEST and not to the entire document.
What are collisions?
Every input of a HASH function is supposed to be mapped to a different output (DIGEST), but this is not always true: it’s possible to find two messages that produce the same result, and in that case we have found a collision. That’s not all, because for each message there are infinite collisions.
So what?
The security of HASH functions is based on the fact that it’s very hard to find collisions even when the hashed message is known. This is fundamental: suppose we have digitally signed a document; someone who knows it may compute a variant that is disadvantageous for us and that collides, that is to say, it produces the same DIGEST.
So when using a HASH function we have to be sure it’s computationally impossible to find a collision; this safety is based on the birthday paradox.
What is the Birthday paradox?
It is based on the question: “How many people do I have to consider for the probability that at least 2 of them were born on the same day to be greater than 50%?”
So we have to consider couples of people: given n people, we can compute the total number of couples using the simple combination formula:
where n indicates the number of people and k the size of the group, in our case a couple, so 2.
With 57 people, the probability that two of them were born on the same day is 99%, considering that we have 1596 couples and there are 365 days in a year. So, skipping the calculations, the answer is 23 (253 couples).
Birthday paradox in Hash function
The same thinking can be applied to HASH functions: it’s known that we have a probability greater than 50% of finding a collision among 2^(n/2) possible inputs, where n stands for the number of bits composing the DIGEST.
Here’s a table showing Bits and the number of values to consider.
Image by opine.me
Birthday attack
It consists of computing n/2 variants of the original document to find a collision. That’s why it’s important to use at least a 256-bit DIGEST.
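
The birthday arithmetic and the 2^(n/2) bound described above, as an added example that is not part of the original article: it computes the couple counts and exact probabilities, then measures how many variants are hashed before two collide on a SHA-256 digest truncated to a few bits. The function names, the truncation to short digests and the `constructed-doc-` messages are assumptions made for illustration.

```python
import hashlib
import math
from itertools import count

def pairs(n: int, k: int = 2) -> int:
    """Number of k-sized groups (couples for k=2) among n people."""
    return math.comb(n, k)

def collision_probability(items: int, space: int) -> float:
    """Exact chance that at least two of `items` uniform picks from `space` values match."""
    p_distinct = 1.0
    for i in range(items):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct

def smallest_group(space: int, target: float = 0.5) -> int:
    """Smallest number of picks whose collision probability exceeds `target`."""
    for n in count(1):
        if collision_probability(n, space) > target:
            return n

def truncated_digest(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short n-bit DIGEST."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def first_collision(bits: int, prefix: bytes = b"constructed-doc-"):
    """Hash numbered variants until two share a digest; return (msg_a, msg_b, tries)."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()  # constructed sample documents
        digest = truncated_digest(msg, bits)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg

if __name__ == "__main__":
    print(pairs(23), pairs(57))                      # couples among 23 and 57 people
    print(smallest_group(365))                       # people needed to pass 50%
    print(round(collision_probability(57, 365), 4))  # probability with 57 people
    for bits in (16, 24, 32):
        a, b, tries = first_collision(bits)
        print(bits, tries, round(tries / 2 ** (bits / 2), 2))  # tries relative to 2^(n/2)
```

The measured number of tries stays within a small multiple of 2^(n/2), far below the 2^n size of the digest space, which is why the digest length has to be chosen with the birthday bound in mind.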
Authentication and Hashing
Hashing is well suited to storing passwords because the transformation is mathematically irreversible and deterministic.
A deterministic function is a function that, given the same input, always produces the same output. Obviously this is a must in authentication, because it would be a big problem if a password could log in to different accounts.
So when saving user credentials we store the username and the hashed password in the DB. When the user logs in, we hash the password sent and compare it to the hash connected with the provided username. If the hashed password and the stored hash match, we have a valid login.
Should I use them to store passwords?
The short answer is yes but …
Recently it has been advised to avoid plain hashing for storing passwords, because it is a fast operation, and being computationally fast reduces password safety. For example, modern hardware can compute billions of SHA-256 hashes per second. Instead of a fast function, we need one that is slow at hashing passwords, to bring attackers almost to a halt.
It’s common to use hash functions like bcrypt (Blowfish-crypt), which is an adaptive function: the number of rounds can be increased to make it slower, so it remains resistant to brute-force attacks even as computing power increases.
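
The store-and-verify login flow with an adjustable work factor, as an added example that is not from the original article. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so that it runs without extra packages; the record format, the function names and the default iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"  # assumed label for the record format used in this example

def hash_password(password: str, iterations: int = 600_000) -> str:
    """Return 'algo$iterations$salt$hash' using a fresh random salt per password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return "$".join([ALGO, str(iterations), b64(salt), b64(dk)])

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True when the record was created with a lower cost than today's setting."""
    return int(stored.split("$")[1]) < current_iterations

def login(password: str, stored: str, current_iterations: int):
    """Return (ok, record_to_store); upgrades the record after a successful login."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, current_iterations):
        stored = hash_password(password, current_iterations)
    return True, stored

if __name__ == "__main__":
    record = hash_password("correct horse battery staple", 100_000)  # constructed sample
    print(record.split("$")[:2])
    print(login("correct horse battery staple", record, 200_000)[0])
    print(login("wrong guess", record, 200_000)[0])
```

Because the cost is stored next to each hash, it can be raised over time and old records are upgraded the next time their owner logs in.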
Conclusions
Let’s recap what we’ve learned through this article:
- The core purpose of hashing is to create a fingerprint of data to assess data integrity.
- Hashing functions take arbitrary inputs and transform them into outputs of a fixed length.
- Hashing alone is not sufficient to protect passwords from mass exploitation; it’s safer to use cryptographic salts.
- MD5 and SHA-1 have been reported as being vulnerable due to collisions. The SHA-2 family stands as a better option.
- The SHA family is not ideal for storing passwords because it’s very fast and therefore vulnerable to brute-force attacks; it’s better to use functions like bcrypt.
Translated from: https://medium.com/swlh/hashing-birthday-and-passwords-254756df55b7