
I have a question about understanding sha512-crypt hashing. I found this tutorial to set up dovecot and postfix with mysql. I followed the tutorial (with slight modifications) and everything works fine. But there is one thing that I do not understand:

To add a user, I should use:

INSERT INTO `mailserver`.`virtual_users`
  (`id`, `domain_id`, `password` , `email`)
VALUES
  ('1', '1', ENCRYPT('firstpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))),    'email1@example.com'),
  ('2', '1', ENCRYPT('secondpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email2@example.com');

and again, this works perfectly fine, i.e. I can log in with my password (and only my password) to dovecot. But why? If I see it right, it encrypts the password with a random salt, but it doesn't save it anywhere. So hashing the same password twice gives me 2 different hashes (I tried it). So my question boils down to: Could I get a brief explanation of sha-512 (which I couldn't find online) and an explanation as to why these lines work?

Thanks already


1 Answer


The salt is stored as part of the password. For example, calling:

ENCRYPT('firstpassword', CONCAT('$6$', 'FooBarBaz')) 

$6$FooBarBaz$.TG7FRJqZ6N2FF7b3BEkr5j37CWhwgvPOOoccrr0bvkBbNMmLCxzqQqKJbNhnhC.583dTBLEuZcDuQe7NEe

This stores both the algorithm used (6 is SHA512) and the salt ('FooBarBaz'), separated by $.

Edit: to check a password, you can use:

password = ENCRYPT('user_input', `password`)

ENCRYPT will take the salt from the stored password and use it when checking user_input.

Full credit for the password check goes to hek2mgl, who explained it in detail in this answer.

answered 2014-06-12T14:03:19.807
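To make the answer concrete, here is an added example that is not part of the original question or answer: a pure-Python implementation of the sha512-crypt scheme that crypt(3), and therefore MySQL's ENCRYPT(), uses for the $6$ prefix, together with the parse-then-rehash check that `password = ENCRYPT('user_input', password)` performs. It goes a little beyond the answer in that it also handles the optional `rounds=N$` field of the format. The function names (sha512_crypt, parse_crypt, make_hash, verify) are my own; make_hash draws its salt from Python's secrets module rather than from SHA(RAND()) as the INSERT in the question does, because MySQL's RAND() is not a cryptographic generator.

```python
"""Pure-Python sha512-crypt ($6$), the crypt(3) scheme that MySQL's ENCRYPT() delegates to."""
import hashlib
import hmac
import secrets

# crypt(3) uses its own 64-character alphabet, not RFC 4648 base64.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000

def _b64_from_24bit(b2, b1, b0, n):
    """Emit n characters, six bits at a time, least significant bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)

def _encode_digest(d):
    """Encode the 64-byte result in the interleaved byte order crypt(3) uses."""
    out = []
    for g in range(21):
        trip = [d[g], d[g + 21], d[g + 42]]
        r = g % 3
        trip = trip[r:] + trip[:r]  # rotate left: (0,21,42), (22,43,1), (44,2,23), ...
        out.append(_b64_from_24bit(*trip, 4))
    out.append(_b64_from_24bit(0, 0, d[63], 2))
    return "".join(out)

def sha512_crypt(password, salt, rounds=None):
    """Return '$6$[rounds=N$]salt$hash'; rounds=None means the default of 5000."""
    n_rounds = _DEFAULT_ROUNDS if rounds is None else rounds
    key = password.encode()
    salt = salt.split("$", 1)[0][:16].encode()  # salt ends at the first '$', max 16 chars
    sha = hashlib.sha512

    # Digest B = SHA-512(key || salt || key), folded into A according to the key length.
    b = sha(key + salt + key).digest()
    a = sha(key + salt)
    a.update((b * (len(key) // 64 + 1))[:len(key)])
    n = len(key)
    while n:
        a.update(b if n & 1 else key)
        n >>= 1
    a_final = a.digest()

    # Byte sequences P (from the key) and S (from the salt), each as long as its source.
    dp = sha(key * len(key)).digest()
    p = (dp * (len(key) // 64 + 1))[:len(key)]
    ds = sha(salt * (16 + a_final[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]

    # Stretching: round i mixes P, S and the previous result according to i mod 2, 3 and 7.
    c = a_final
    for i in range(n_rounds):
        h = sha(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    prefix = "$6$" if rounds is None else f"$6$rounds={rounds}$"
    return prefix + salt.decode() + "$" + _encode_digest(c)

def parse_crypt(stored):
    """Split '$6$[rounds=N$]salt$hash' into (rounds or None, salt, hash)."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "6":
        raise ValueError("not a sha512-crypt string")
    rounds, rest = None, parts[2:]
    if rest[0].startswith("rounds="):
        rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
    if len(rest) != 2:
        raise ValueError("malformed sha512-crypt string")
    return rounds, rest[0], rest[1]

def make_hash(password, salt_chars=16):
    """What the INSERT does, except the salt comes from a CSPRNG, not SHA(RAND())."""
    salt = "".join(secrets.choice(_B64) for _ in range(salt_chars))
    return sha512_crypt(password, salt)

def verify(password, stored):
    """What WHERE password = ENCRYPT('user_input', password) does: re-hash with the stored salt."""
    rounds, salt, _ = parse_crypt(stored)
    return hmac.compare_digest(sha512_crypt(password, salt, rounds), stored)

if __name__ == "__main__":
    stored = sha512_crypt("firstpassword", "FooBarBaz")
    print(stored, verify("firstpassword", stored), verify("secondpassword", stored))
    try:
        import crypt  # cross-check against glibc; this module was removed in Python 3.13
        print("matches crypt(3):", crypt.crypt("firstpassword", "$6$FooBarBaz") == stored)
    except ImportError:
        pass
```

Running the script prints a `$6$FooBarBaz$...` string, `True` for the right password and `False` for the wrong one; on Linux with Python 3.12 or older it also reports whether the output agrees with the platform's crypt(3). Two practical notes: hashing the same password twice with make_hash gives two different strings because each call picks a fresh salt, exactly as the question observed, and verify still accepts both because the salt is read back out of the stored string. Also, ENCRYPT() has been removed in MySQL 8.0 (MariaDB still provides it), so on MySQL 8 the hash has to be produced outside the database, for example with `doveadm pw -s SHA512-CRYPT`, which emits the same `$6$salt$hash` format with a `{SHA512-CRYPT}` prefix that Dovecot understands.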