Hash 验证bcrypt哈希?
在这个问题上: 伊恩·博伊德在回答的最后写道: 有了这些知识,您现在可以根据保存的哈希验证密码Hash 验证bcrypt哈希?,hash,bcrypt,verify,Hash,Bcrypt,Verify,在这个问题上: 伊恩·博伊德在回答的最后写道: 有了这些知识,您现在可以根据保存的哈希验证密码correctbatteryhorsestapler: $2a$12$MACNM5LZNIGHMAF7O1POLCBGL4TYUF0N/4rS9CwDsI7ytwL4D6 我正在使用以下Perl程序尝试验证此哈希: use Crypt::Eksblowfish::Bcrypt qw(bcrypt); my $password = "correctbatteryhorsestapler"; my $ha
correctbatteryhorsestapler
:
$2a$12$MACNM5LZNIGHMAF7O1POLCBGL4TYUF0N/4rS9CwDsI7ytwL4D6
我正在使用以下Perl程序尝试验证此哈希:
use Crypt::Eksblowfish::Bcrypt qw(bcrypt);
my $password = "correctbatteryhorsestapler";
my $hash = '$2a$12$mACnM5lzNigHMaf7O1py1OLCBgGL4tYUF0N/4rS9CwDsI7ytwL4D6';
print "Verifying password $password<br>with hash $hash<BR><BR>";
my $new_hash = bcrypt($password,$hash);
print "<pre>Original hash: " . $hash . "<br>" . "New hash: " . $new_hash . "</pre><br>";
if ($hash ne $new_hash) {
print "No match.";
}
根据上面的信息,我想知道是否有人能告诉我Perl脚本的错误(为什么它不能正确验证密码)?如果我使用我的系统生成的哈希,我会得到一个匹配项:
$2a$12$mACnM5lzNigHMaf7O1py1O3vlf6.BA8k8x3IoJ.Tq3IB/2e7g61Km
我在两个不同的系统上得到了相同的结果(一个CentOS运行eksblowfish 0.009,另一个Win7 64位运行eksblowfish 0.007,都运行Perl 5.8.8)
我在实践中学习,所以我希望理解为什么这对我不起作用。答案是这是我的错。我在问题中为
correctbatteryhorsestapler
给出了错误的哈希值
我选了一个真正的杂烩;但由于不想泄露密码,我把它改成了对的引用
我应该花额外的时间为correctbatteryhorsestapler
生成一个实际哈希:
('', '$2a$06$DCq7YPn5Rq63x1Lad4cll.', '$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s.'),
('', '$2a$08$HqWuK6/Ng6sg9gQzbLrgb.', '$2a$08$HqWuK6/Ng6sg9gQzbLrgb.Tl.ZHfXLhvt/SgVyWhQqgqcZ7ZuUtye'),
('', '$2a$10$k1wbIrmNyFAPwPVPSVa/ze', '$2a$10$k1wbIrmNyFAPwPVPSVa/zecw2BCEnBwVS2GbrmgzxFUOqW9dk4TCW'),
('', '$2a$12$k42ZFHFWqBp3vWli.nIn8u', '$2a$12$k42ZFHFWqBp3vWli.nIn8uYyIkbvYRvodzbfbK18SSsY.CsIQPlxO'),
('a', '$2a$06$m0CrhHm10qJ3lXRY.5zDGO', '$2a$06$m0CrhHm10qJ3lXRY.5zDGO3rS2KdeeWLuGmsfGlMfOxih58VYVfxe'),
('a', '$2a$08$cfcvVd2aQ8CMvoMpP2EBfe', '$2a$08$cfcvVd2aQ8CMvoMpP2EBfeodLEkkFJ9umNEfPD18.hUF62qqlC/V.'),
('a', '$2a$10$k87L/MF28Q673VKh8/cPi.', '$2a$10$k87L/MF28Q673VKh8/cPi.SUl7MU/rWuSiIDDFayrKk/1tBsSQu4u'),
('a', '$2a$12$8NJH3LsPrANStV6XtBakCe', '$2a$12$8NJH3LsPrANStV6XtBakCez0cKHXVxmvxIlcz785vxAIZrihHZpeS'),
('abc', '$2a$06$If6bvum7DFjUnE9p2uDeDu', '$2a$06$If6bvum7DFjUnE9p2uDeDu0YHzrHM6tf.iqN8.yx.jNN1ILEf7h0i'),
('abc', '$2a$08$Ro0CUfOqk6cXEKf3dyaM7O', '$2a$08$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm'),
('abc', '$2a$10$WvvTPHKwdBJ3uk0Z37EMR.', '$2a$10$WvvTPHKwdBJ3uk0Z37EMR.hLA2W6N9AEBhEgrAOljy2Ae5MtaSIUi'),
('abc', '$2a$12$EXRkfkdmXn2gzds2SSitu.', '$2a$12$EXRkfkdmXn2gzds2SSitu.MW9.gAVqa9eLS1//RYtYCmB1eLHg.9q'),
('abcdefghijklmnopqrstuvwxyz', '$2a$06$.rCVZVOThsIa97pEDOxvGu', '$2a$06$.rCVZVOThsIa97pEDOxvGuRRgzG64bvtJ0938xuqzv18d3ZpQhstC'),
('abcdefghijklmnopqrstuvwxyz', '$2a$08$aTsUwsyowQuzRrDqFflhge', '$2a$08$aTsUwsyowQuzRrDqFflhgekJ8d9/7Z3GV3UcgvzQW3J5zMyrTvlz.'),
('abcdefghijklmnopqrstuvwxyz', '$2a$10$fVH8e28OQRj9tqiDXs1e1u', '$2a$10$fVH8e28OQRj9tqiDXs1e1uxpsjN0c7II7YPKXua2NAKYvM6iQk7dq'),
('abcdefghijklmnopqrstuvwxyz', '$2a$12$D4G5f18o7aMMfwasBL7Gpu', '$2a$12$D4G5f18o7aMMfwasBL7GpuQWuP3pkrZrOAnqP.bmezbMng.QwJ/pG'),
('~!@#$%^&*() ~!@#$%^&*()PNBFRD', '$2a$06$fPIsBO8qRqkjj273rfaOI.', '$2a$06$fPIsBO8qRqkjj273rfaOI.HtSV9jLDpTbZn782DC6/t7qT67P6FfO'),
('~!@#$%^&*() ~!@#$%^&*()PNBFRD', '$2a$08$Eq2r4G/76Wv39MzSX262hu', '$2a$08$Eq2r4G/76Wv39MzSX262huzPz612MZiYHVUJe/OcOql2jo4.9UxTW'),
('~!@#$%^&*() ~!@#$%^&*()PNBFRD', '$2a$10$LgfYWkbzEvQ4JakH7rOvHe', '$2a$10$LgfYWkbzEvQ4JakH7rOvHe0y8pHKF9OaFgwUZ2q7W2FFZmZzJYlfS'),
('~!@#$%^&*() ~!@#$%^&*()PNBFRD', '$2a$12$WApznUOJfkEGSmYRfnkrPO', '$2a$12$WApznUOJfkEGSmYRfnkrPOr466oFDCaj4b6HY3EXGvfxm43seyhgC')
混乱是我的错。在最初的问题中,我的意思是,因为现在你已经准备好进入这个世界,它不是一个实际的测试向量
您可能需要查看一些实际的: 还有一些测试可以确保它不会在Unicode字符上失败。给定UTF-8时,某个实现中存在崩溃的错误:
- 密码:
希腊文小写字母Pi(U+03C0),八次重复π
那是盐吗?如:
bcrypt($password,$hash)
我假设如果它是一个salt,那么它只会作为salt呈现(没有$2a$12$identifier+work factor),但这可能是我误解的症结所在?通过一个散列,bcrypt应该能够提取salt(这就是它如何验证的,对吗?)。salt是最后一个$之后的前22个字符。请尝试对$2a$12$mACnM5lzNigHMaf7O1py1O
进行b加密。您还可以尝试对“correcthorsebatterystaple”、“correctbatteryhorststaple”进行字典攻击,etc@Wugbcrypt知道盐是什么;如果我将尝试验证的哈希值更改为$2a$12$macnm5lznighmaf7o1py1oblahblah
它仍然返回相同的结果$2a$12$mACnM5lzNigHMaf7O1py1O3vlf6.BA8k8x3IoJ.Tq3IB/2e7g61Km
。你对字典攻击的评论让我相信你认为Ian可能在他的示例中输入了错误的密码?谢谢Ian,我感谢你的后续行动。以下是一些测试向量:
$2a$12$mACnM5lzNigHMaf7O1py1O3vlf6.BA8k8x3IoJ.Tq3IB/2e7g61Km
('', '$2a$06$DCq7YPn5Rq63x1Lad4cll.', '$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s.'),
('', '$2a$08$HqWuK6/Ng6sg9gQzbLrgb.', '$2a$08$HqWuK6/Ng6sg9gQzbLrgb.Tl.ZHfXLhvt/SgVyWhQqgqcZ7ZuUtye'),
('', '$2a$10$k1wbIrmNyFAPwPVPSVa/ze', '$2a$10$k1wbIrmNyFAPwPVPSVa/zecw2BCEnBwVS2GbrmgzxFUOqW9dk4TCW'),
('', '$2a$12$k42ZFHFWqBp3vWli.nIn8u', '$2a$12$k42ZFHFWqBp3vWli.nIn8uYyIkbvYRvodzbfbK18SSsY.CsIQPlxO'),
('a', '$2a$06$m0CrhHm10qJ3lXRY.5zDGO', '$2a$06$m0CrhHm10qJ3lXRY.5zDGO3rS2KdeeWLuGmsfGlMfOxih58VYVfxe'),
('a', '$2a$08$cfcvVd2aQ8CMvoMpP2EBfe', '$2a$08$cfcvVd2aQ8CMvoMpP2EBfeodLEkkFJ9umNEfPD18.hUF62qqlC/V.'),
('a', '$2a$10$k87L/MF28Q673VKh8/cPi.', '$2a$10$k87L/MF28Q673VKh8/cPi.SUl7MU/rWuSiIDDFayrKk/1tBsSQu4u'),
('a', '$2a$12$8NJH3LsPrANStV6XtBakCe', '$2a$12$8NJH3LsPrANStV6XtBakCez0cKHXVxmvxIlcz785vxAIZrihHZpeS'),
('abc', '$2a$06$If6bvum7DFjUnE9p2uDeDu', '$2a$06$If6bvum7DFjUnE9p2uDeDu0YHzrHM6tf.iqN8.yx.jNN1ILEf7h0i'),
('abc', '$2a$08$Ro0CUfOqk6cXEKf3dyaM7O', '$2a$08$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm'),
('abc', '$2a$10$WvvTPHKwdBJ3uk0Z37EMR.', '$2a$10$WvvTPHKwdBJ3uk0Z37EMR.hLA2W6N9AEBhEgrAOljy2Ae5MtaSIUi'),
('abc', '$2a$12$EXRkfkdmXn2gzds2SSitu.', '$2a$12$EXRkfkdmXn2gzds2SSitu.MW9.gAVqa9eLS1//RYtYCmB1eLHg.9q'),
('abcdefghijklmnopqrstuvwxyz', '$2a$06$.rCVZVOThsIa97pEDOxvGu', '$2a$06$.rCVZVOThsIa97pEDOxvGuRRgzG64bvtJ0938xuqzv18d3ZpQhstC'),
('abcdefghijklmnopqrstuvwxyz', '$2a$08$aTsUwsyowQuzRrDqFflhge', '$2a$08$aTsUwsyowQuzRrDqFflhgekJ8d9/7Z3GV3UcgvzQW3J5zMyrTvlz.'),
('abcdefghijklmnopqrstuvwxyz', '$2a$10$fVH8e28OQRj9tqiDXs1e1u', '$2a$10$fVH8e28OQRj9tqiDXs1e1uxpsjN0c7II7YPKXua2NAKYvM6iQk7dq'),
('abcdefghijklmnopqrstuvwxyz', '$2a$12$D4G5f18o7aMMfwasBL7Gpu', '$2a$12$D4G5f18o7aMMfwasBL7GpuQWuP3pkrZrOAnqP.bmezbMng.QwJ/pG'),
('~!@#$%^&*() ~!@#$%^&*()PNBFRD', '$2a$06$fPIsBO8qRqkjj273rfaOI.', '$2a$06$fPIsBO8qRqkjj273rfaOI.HtSV9jLDpTbZn782DC6/t7qT67P6FfO'),
('~!@#$%^&*() ~!@#$%^&*()PNBFRD', '$2a$08$Eq2r4G/76Wv39MzSX262hu', '$2a$08$Eq2r4G/76Wv39MzSX262huzPz612MZiYHVUJe/OcOql2jo4.9UxTW'),
('~!@#$%^&*() ~!@#$%^&*()PNBFRD', '$2a$10$LgfYWkbzEvQ4JakH7rOvHe', '$2a$10$LgfYWkbzEvQ4JakH7rOvHe0y8pHKF9OaFgwUZ2q7W2FFZmZzJYlfS'),
('~!@#$%^&*() ~!@#$%^&*()PNBFRD', '$2a$12$WApznUOJfkEGSmYRfnkrPO', '$2a$12$WApznUOJfkEGSmYRfnkrPOr466oFDCaj4b6HY3EXGvfxm43seyhgC')
$2a$10$.TtQJ4Jr6isd4Hp.mVfZeuh6Gws4rOQ/vdBczhDx.19NFK0Y84Dle