-10

d5在比较两个加密密码时,会在字符串中添加一个额外的位。

我们使用 sha512 +salt 对密码进行加密,然后将其与数据库中存储的 sha512+salt 值进行比较。

但我们得到一个密码不匹配。当我们检查日志时,我们d5在 append 中看到了一个额外的东西,它不存在于 salt 中。

这是使用控制台时的输出。

project restful running in port 8000
Value stored in database:

6b5fff62ffe04a51(salt)

(Sha512+salt) appended value
9c01b4079a2d3e24b20ea9d447178f7d68ad41b2b09428d28d822e790d4534c085de326eee7d124ae42781960ba81dc4e37710ac14fd435fede650d0b75735


{ salt: '6b5fff62ffe04a51',(salt)
  passwordhash:(sha512+salt appended value)

'9c01b4079a2d3e24b20ea9d447178f7d68ad41b2b09428d28d822e790d4534c085de326eee7d124ae42781960ba81dc4e37710ac14fd435fede650d0b75735d5' }

d5当我们附加它时会出现一个额外的东西,这会导致错误。

/*
 creating a restfull service
*/

var crypto = require('crypto');
var uuid = require('uuid');
var express = require('express');
var mysql = require('mysql');
var bodyparser = require('body-parser');

//connect to my sql

var con = mysql.createConnection({
    host:"localhost",
    user:"root",
    password:'',
    database:"e-shopiee",
});

//creating password encryption

var genrandomstring = function(length) {
    return crypto.randomBytes(Math.ceil(length/2))
        .toString('hex')
        .slice(0,length);
};

//securing with sha512

var sha512 = function (password, salt) {
    var hash = crypto.createHmac('sha512', salt);
    hash.update(password);
    var value = hash.digest('hex');
    return {
        salt:salt,
        passwordhash:value
    };
};

//get random string to salt

function salthashpassword(userPassword){
    var salt = genrandomstring(16);
    var passwordData = sha512(userPassword, salt);
    return passwordData;
}

//user password generating hashed password

function checkHashpassword(userPassword, salt) {

   var passwordData = sha512(userPassword, salt);
    return passwordData;
}


//accept json params
var app=express();
app.use(bodyparser.json());
//accept encoded url params
app.use(bodyparser.urlencoded({extended : true}));

app.post('/register/',(req,res,next)=>{

    //get post params
    var post_data = req.body;
    //get uuid v4
    var uid = uuid.v4();
    //get password from parms
    var plain_password = post_data.password;
    //get hash parms
    var hash_data = salthashpassword(plain_password);
    var password = hash_data.passwordhash;
    var salt = hash_data.salt;

    var name = post_data.name;
    var email = post_data.email;

    con.query('SELECT * FROM users where email =?',[email],function (err,result,fields) {
        con.on('error',function (err) {
            console.log('[MySQL ERROR]',err);
        });
        if (result && result.length)
            res.json('user already exist');
        else {
            con.query('INSERT INTO `users`( `unique_id`, `name`, `email`, `password`, `salt`, `created_at`, `updated_at`) ' +
                'VALUES (?,?,?,?,?,NOW(),NOW())',[uid,name,email,password,salt],function (err,result,fields) {
                con.on('error',function (err) {
                    console.log('[MySQL ERROR]', err);
                    res.json('Register error: ',err);
                });
                res.json('Register successful');
                console.log(password);
            })
        }
    });
})

app.post('/login/',(req,res,next)=>{

    var post_data =  req.body;

    //extract email and password from reqst
    var user_password = post_data.password;
    var email = post_data.email;

    con.query('SELECT * FROM users where email=?',[email],function (error,result,fields){

        con.on('error',function (err) {
            console.log('[MySQL ERROR]',err);
        });

        if (result && result.length){

            //get salt of result if account exist
            var salt = result[0].salt;
            console.log(salt);
            var password = result[0].password;
            //hashed password from login req
            var  hashed_password = checkHashpassword(user_password,salt).passwordhash;

            console.log(password);
            console.log(hashed_password);

            //if password true return all info
            if(password == hashed_password)
                res.end(JSON.stringify(result[0]))
            else
                res.end(JSON.stringify('Wrong password'));
        }

        else {
            res.json('user not exist');
        }
    });
})
//starting services
app.listen(8000,()=>{
    console.log('project restful running in port 8000');

})
4

1 回答 1

3

您不能用盐解密 sha512。那 (sha512)不是可逆变换1使它对彩虹表“免疫” 2

1 为什么哈希函数是一种方式?如果我知道算法,为什么我不能从中计算输入?
2 密码盐如何帮助抵御彩虹表攻击?

于 2019-02-04T05:11:39.460 回答