使用 PHP 的 crypt 的河豚盐的正确格式是什么?

2021-12-27 00:00:00 hash salt php blowfish crypt

我已阅读 PHP 手册条目 crypt() 中提供的信息,但我发现自己仍然不确定触发 Blowfish 算法的盐的格式.

根据手动输入,我应该使用 '$2$' 或 '$2a$' 作为 16 个字符的字符串的开始.然而,在后面给出的例子中,他们使用了一个更长的字符串:'$2a$07$usesomesillystringforsalt$',这向我表明我提供的任何字符串都将被切片和切块以适应模型.

我遇到的问题实际上是触发 Blowfish 算法 vs STD_DES.示例:

$foo = 'foo';$salt = '$2a$' .hash('漩涡', $foo);//128 个字符,将被截断$hash = crypt($foo, $salt);//$hash = $26HdMTpoODt6

那个散列显然不是漩涡,实际上是STD_DES,只有盐的前两个字符用于盐.但是,在 PHP 手册的示例中,它们的 salt 以$2a$07$"开头,因此如果我将这三个字符添加到同一代码中,则会得到以下结果:

$foo = 'foo';$salt = '$2a$' .hash('漩涡', $foo);//128 个字符,将被截断$hash = crypt($foo, $salt);//$hash = $2a$07$b1b2ee48991281a439da2OHi1vZF8Z2zIA.8njYZKR.9iBehxLoIC

我注意到我可以在此处显示为07$"的字符中提供一些差异,例如 04$15$ 都有效,但 01$03$ 不起作用(生成一个空白字符串),以及诸如 99$ 之类的值和 85$ 导致它再次恢复为 STD_DES.

问题:

'$2a$' 字符串后面的这三个字符的意义是什么,正如我在手册中所相信的那样,指示 crypt 函数使用河豚方法.

根据手册,'$2a$'应该足以指示crypt()使用blowfish方法;那么,以下三个字符的意义是什么?那么,如果这三个字符如此重要,那么盐的正确格式是什么?

解决方案

2a 后面的数字指定了要执行的轮数的 log2.例如,10 表示做 1024 轮.通常,10 是正常的.不要使用太大的数字,否则您的密码将需要很长时间才能验证.

参见 为什么 BCrypt.net GenerateSalt(31) 立即返回? 相关的东西.:-)

I have read the information provided on the PHP Manual Entry for crypt(), but I find myself still unsure of the format for a salt to trigger the Blowfish algorithm.

According manual entry, I should use '$2$' or '$2a$' as the start of a 16 character string. However, in the example given later, they use a much longer string: '$2a$07$usesomesillystringforsalt$', which indicates to me that whatever string I provide will be sliced and diced to fit the model.

The problem I am encountering is actually triggering the Blowfish algo vs STD_DES. Example:

$foo = 'foo';
$salt = '$2a$' . hash('whirlpool', $foo); // 128 characters, will be truncated
$hash = crypt($foo, $salt); 
// $hash = $26HdMTpoODt6

That hash is obviously not whirlpool, and is in fact STD_DES with only the first two characters of the salt being used for the salt. However, in the PHP Manual's example, their salt starts with '$2a$07$', so if I add those three characters to the same code I get the following:

$foo = 'foo';
$salt = '$2a$' . hash('whirlpool', $foo); // 128 characters, will be truncated
$hash = crypt($foo, $salt); 
// $hash = $2a$07$b1b2ee48991281a439da2OHi1vZF8Z2zIA.8njYZKR.9iBehxLoIC

I've noticed I can provide some variance in the characters which are here shown as '07$', for example 04$ and 15$ both work, but 01$ through 03$ don't work (generates a blank string), and values such as 99$ and 85$ cause it to revert to STD_DES again.

The Question:

What is the significance of those three characters following the '$2a$' string which, as I am lead to believe by the manual, instruct the crypt function to use the blowfish method.

According to the manual, '$2a$' should be enough to instruct crypt() to use the blowfish method; what, then, is the significance of the following three characters? What then, is the correct format for a salt, if these three characters are so significant?

解决方案

The number following the 2a specifies the log2 of the number of rounds to perform. For example, 10 means do 1024 rounds. Usually, 10 is normal. Don't use numbers that are too big, or your password will take forever to verify.

See Why does BCrypt.net GenerateSalt(31) return straight away? for something related. :-)

相关文章