开发者社区> 问答> 正文

如何安全的存储用户的密码四:hash源代码(.net)


代码下载
  1. /*  
  2. * Password Hashing With PBKDF2 (http://crackstation.net/hashing-security.htm).
  3. * Copyright (c) 2013, Taylor Hornby
  4. * All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without  
  7. * modification, are permitted provided that the following conditions are met:
  8. *
  9. * 1. Redistributions of source code must retain the above copyright notice,  
  10. * this list of conditions and the following disclaimer.
  11. *
  12. * 2. Redistributions in binary form must reproduce the above copyright notice,
  13. * this list of conditions and the following disclaimer in the documentation  
  14. * and/or other materials provided with the distribution.
  15. *
  16. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"  
  17. * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE  
  18. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE  
  19. * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE  
  20. * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR  
  21. * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF  
  22. * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS  
  23. * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN  
  24. * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)  
  25. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE  
  26. * POSSIBILITY OF SUCH DAMAGE.
  27. */
  28. using System;
  29. using System.Text;
  30. using System.Security.Cryptography;
  31. namespace PasswordHash
  32. {
  33.     /// <summary>
  34.     /// Salted password hashing with PBKDF2-SHA1.
  35.     /// Author: havoc AT defuse.ca
  36.     /// www: http://crackstation.net/hashing-security.htm
  37.     /// Compatibility: .NET 3.0 and later.
  38.     /// </summary>
  39.     public class PasswordHash
  40.     {
  41.         // The following constants may be changed without breaking existing hashes.
  42.         public const int SALT_BYTE_SIZE = 24;
  43.         public const int HASH_BYTE_SIZE = 24;
  44.         public const int PBKDF2_ITERATIONS = 1000;
  45.         public const int ITERATION_INDEX = 0;
  46.         public const int SALT_INDEX = 1;
  47.         public const int PBKDF2_INDEX = 2;
  48.         /// <summary>
  49.         /// Creates a salted PBKDF2 hash of the password.
  50.         /// </summary>
  51.         /// <param name="password">The password to hash.</param>
  52.         /// <returns>The hash of the password.</returns>
  53.         public static string CreateHash(string password)
  54.         {
  55.             // Generate a random salt
  56.             RNGCryptoServiceProvider csprng = new RNGCryptoServiceProvider();
  57.             byte[] salt = new byte[SALT_BYTE_SIZE];
  58.             csprng.GetBytes(salt);
  59.             // Hash the password and encode the parameters
  60.             byte[] hash = PBKDF2(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE);
  61.             return PBKDF2_ITERATIONS + ":" +
  62.                 Convert.ToBase64String(salt) + ":" +
  63.                 Convert.ToBase64String(hash);
  64.         }
  65.         /// <summary>
  66.         /// Validates a password given a hash of the correct one.
  67.         /// </summary>
  68.         /// <param name="password">The password to check.</param>
  69.         /// <param name="correctHash">A hash of the correct password.</param>
  70.         /// <returns>True if the password is correct. False otherwise.</returns>
  71.         public static bool ValidatePassword(string password, string correctHash)
  72.         {
  73.             // Extract the parameters from the hash
  74.             char[] delimiter = { ':' };
  75.             string[] split = correctHash.Split(delimiter);
  76.             int iterations = Int32.Parse(split[ITERATION_INDEX]);
  77.             byte[] salt = Convert.FromBase64String(split[SALT_INDEX]);
  78.             byte[] hash = Convert.FromBase64String(split[PBKDF2_INDEX]);
  79.             byte[] testHash = PBKDF2(password, salt, iterations, hash.Length);
  80.             return SlowEquals(hash, testHash);
  81.         }
  82.         /// <summary>
  83.         /// Compares two byte arrays in length-constant time. This comparison
  84.         /// method is used so that password hashes cannot be extracted from
  85.         /// on-line systems using a timing attack and then attacked off-line.
  86.         /// </summary>
  87.         /// <param name="a">The first byte array.</param>
  88.         /// <param name="b">The second byte array.</param>
  89.         /// <returns>True if both byte arrays are equal. False otherwise.</returns>
  90.         private static bool SlowEquals(byte[] a, byte[] b)
  91.         {
  92.             uint diff = (uint)a.Length ^ (uint)b.Length;
  93.             for (int i = 0; i < a.Length && i < b.Length; i++)
  94.                 diff |= (uint)(a ^ b);
  95.             return diff == 0;
  96.         }
  97.         /// <summary>
  98.         /// Computes the PBKDF2-SHA1 hash of a password.
  99.         /// </summary>
  100.         /// <param name="password">The password to hash.</param>
  101.         /// <param name="salt">The salt.</param>
  102.         /// <param name="iterations">The PBKDF2 iteration count.</param>
  103.         /// <param name="outputBytes">The length of the hash to generate, in bytes.</param>
  104.         /// <returns>A hash of the password.</returns>
  105.         private static byte[] PBKDF2(string password, byte[] salt, int iterations, int outputBytes)
  106.         {
  107.             Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(password, salt);
  108.             pbkdf2.IterationCount = iterations;
  109.             return pbkdf2.GetBytes(outputBytes);
  110.         }
  111.     }
  112. }


附Php,Java,C#的Hash代码:



如何安全的存储用户的密码一:常见攻击方法




如何安全的存储用户密码二:加密源代码(php)



如何安全的存储用户密码三:hash源代码(java)




展开
收起
千鸟 2014-07-02 16:00:44 8346 0
1 条回答
写回答
取消 提交回答
  • 您的帖子很精彩!希望很快能再分享您的下一帖!
    2014-07-03 14:02:00
    赞同 展开评论 打赏
问答排行榜
最热
最新

相关电子书

更多
低代码开发师(初级)实战教程 立即下载
冬季实战营第三期:MySQL数据库进阶实战 立即下载
阿里巴巴DevOps 最佳实践手册 立即下载