Storing crypto/rand generated string issues

Question
So I have the following go file(s) as part of my project to be used for hashing passwords, I also wrote some tests that to my knowledge have yet to fail.

Currently the issue is that I am trying to store the password and salt in some database as strings, and every time I retrieve them to be compared against another string I keep getting the message in the picture from golang's bcrypt package. The tests I wrote are running fine and produce the appropriate effect. I would have supplied a go playground link but the bcrypt package is part of the standard library.

I know the gibberish from crypto/rand is pretty much the same from the initial look but I am not sure if there is anything being changed on the database. I am using redis fyi.

Edit: based on the request of @3of3, I am including the DAO code from my project. Also the bcrypt only solution worked with this code but as I stated in the comments, I am aiming to stick to Mozilla's guide.


Answer 1

Score: 1


It seems you forgot that the generated hashes are hex encoded, thus when casting the []byte variable to a string you'll get something weird. Using the hex package you can create the actual string you want:

hex.EncodeToString(hash)

Answer 2

Score: 1


The salt does not roundtrip through the JSON encode / decode because the salt is not valid UTF8.

There are a few ways to fix the problem:

  • Hex or base64 encode / decode the salt in hasher.
  • Use the []byte type for salt throughout the code. The JSON encoder encodes []byte values using base64.
  • Use the gob encoder instead of the JSON encoder.

Mozilla recommends storing the extra salt separate from the bcrypted password. By storing the extra salt with the bcrypted password, the system is no more secure than using bcrypt alone.

To hex encode the salt, change

    return string(p), string(salt), nil

to

    return string(p), hex.EncodeToString(salt), nil

and change

    s := []byte(salt)

to

    s, err := hex.DecodeString(salt)
    if err != nil {
        return err
    }
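The failure mode this answer describes, and the hex fix that both answers arrive at, can be seen in running code. The following is an added example written for this page, not code from the question's project: it pushes a salt through a JSON encode/decode cycle three ways (raw string, hex string, []byte field) and reports whether the exact bytes come back. Struct and function names are my own choosing; bcrypt itself is left out, since only the salt's encoding matters here, and the hash field holds a constructed placeholder.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// stringCreds mirrors the original layout: the salt is stored as a Go string
// built straight from the raw bytes, which is what breaks the JSON roundtrip.
type stringCreds struct {
	Hash string `json:"hash"`
	Salt string `json:"salt"`
}

// byteCreds keeps the salt as []byte; encoding/json base64-encodes such fields.
type byteCreds struct {
	Hash string `json:"hash"`
	Salt []byte `json:"salt"`
}

// newSalt draws n bytes from crypto/rand. Any byte value can appear, so the
// result is almost never valid UTF-8.
func newSalt(n int) ([]byte, error) {
	salt := make([]byte, n)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// roundTripRaw stores the salt as string(salt) and reports whether the exact
// bytes survive a JSON encode/decode cycle. json.Marshal coerces strings to
// valid UTF-8, replacing invalid bytes with U+FFFD, so this fails whenever the
// salt contains bytes >= 0x80 that do not form valid UTF-8 sequences.
func roundTripRaw(salt []byte) (bool, error) {
	data, err := json.Marshal(stringCreds{Hash: "bcrypt-hash-placeholder", Salt: string(salt)})
	if err != nil {
		return false, err
	}
	var out stringCreds
	if err := json.Unmarshal(data, &out); err != nil {
		return false, err
	}
	return bytes.Equal([]byte(out.Salt), salt), nil
}

// roundTripHex is the answer's fix: hex.EncodeToString on the way out,
// hex.DecodeString on the way back in. The stored string is pure ASCII.
func roundTripHex(salt []byte) (bool, error) {
	data, err := json.Marshal(stringCreds{Hash: "bcrypt-hash-placeholder", Salt: hex.EncodeToString(salt)})
	if err != nil {
		return false, err
	}
	var out stringCreds
	if err := json.Unmarshal(data, &out); err != nil {
		return false, err
	}
	decoded, err := hex.DecodeString(out.Salt)
	if err != nil {
		return false, err
	}
	return bytes.Equal(decoded, salt), nil
}

// roundTripBytes uses the []byte type for the salt throughout; encoding/json
// performs the base64 encoding and decoding itself.
func roundTripBytes(salt []byte) (bool, error) {
	data, err := json.Marshal(byteCreds{Hash: "bcrypt-hash-placeholder", Salt: salt})
	if err != nil {
		return false, err
	}
	var out byteCreds
	if err := json.Unmarshal(data, &out); err != nil {
		return false, err
	}
	return bytes.Equal(out.Salt, salt), nil
}

func main() {
	// Constructed salt containing bytes that are not valid UTF-8.
	bad := []byte{0xff, 0xfe, 0x80, 0x00, 0xc3}
	for name, fn := range map[string]func([]byte) (bool, error){
		"raw string": roundTripRaw, "hex string": roundTripHex, "[]byte": roundTripBytes,
	} {
		ok, err := fn(bad)
		fmt.Printf("%-10s roundtrip ok=%v err=%v\n", name, ok, err)
	}
	salt, err := newSalt(16)
	if err != nil {
		panic(err)
	}
	ok, _ := roundTripRaw(salt)
	fmt.Printf("random 16-byte salt as raw string survives JSON: %v\n", ok)
}
```

The ASCII-only case is why unit tests that happen to use printable salts can keep passing while the real code fails: bytes below 0x80 are valid UTF-8 and survive the raw string path, so the bug only shows up once a crypto/rand salt reaches the encoder.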

huangapple
  • This post was published on January 18, 2015 04:42:12
  • When reposting, please keep the link to this article: https://go.coder-hub.com/28004103.html