英文:
What would be the best way to implement SHA512 into my code?
问题
我需要将密码存储在SQL数据库中,将其以明文存储是不安全的。出于各种原因,我选择了在存储之前使用SHA512哈希密码。但是,我实在无法找到如何使用从用户输入获取的Secure字符串,并使用SHA512哈希它(这也意味着我还没有能够研究如何加盐)。
我在网上看到可以调用SHA512的新实例,但必须进行管理(?),但当我尝试时,它显示已经过时。更深入查看,明智的互联网建议使用SHA512的create方法... 这也已经过时。
如何对Secure字符串进行哈希和加盐的任何帮助都将非常有帮助。
英文:
So I need to store passwords in a SQL database and it would be insecure to store them in plain text. For a variety of reasons, I chose SHA512 to hash the passwords prior to storage. I, for the life of me, can not identify how to take data from a Secure string gained from user input, and hash it using SHA512 (which also means I haven't been able to look into salting it either).
I have seen online that you call a new instance of SHA512 but that it has to be managed (?) but when I try it shows that it is obsolete. Looking further, the wise internet suggested the create method of SHA512... which is also obsolete.
Any help into how I can hash and salt a secure string would be great.
答案1
得分: 1
以下是代码示例的翻译部分:
这是一个使用SHA512和随机盐的基本哈希和盐方法,将盐添加到哈希之前。
private static string HashAndSalt(string plaintext)
{
var chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
using var hasher = SHA512.Create();
var random = new Random();
var ciphertextBytes = hasher.ComputeHash(Encoding.UTF8.GetBytes(plaintext));
var ciphertextB64 = Convert.ToBase64String(ciphertextBytes);
var salt = new string(Enumerable.Repeat(chars, 8).Select(s => s[random.Next(s.Length)]).ToArray());
var ciphertext = salt + ':' + ciphertextB64;
return ciphertext;
}
你需要将你的`SecureString`转换为普通的`string`。使用`SecureString`已经过时,不应再使用。正如评论中提到的,你应该考虑使用专用的密码哈希算法,如:
- PBKDF2
- Argon2
- Bcrypt
- Scrypt
以下是使用`Bcrypt` 的示例 - 它并不太复杂。
首先,获取这个NuGet包:`BCrypt.Net-Next`
private static string BcryptHash(string plaintext)
{
var ciphertext = BCrypt.Net.BCrypt.HashPassword(plaintext, 12);
return ciphertext;
}
但是,你不能像SHA512一样在用户尝试进行身份验证时比较哈希值。你需要使用Bcrypt的'Verify'函数。
private static bool BcryptVerify(string plaintext)
{
return BCrypt.Net.BCrypt.Verify(plaintext, hashedPassword);
}
其中,plaintext是你从用户输入中收到的“plaintext”密码,hashedPassword是你从存储初始ciphertext的数据库中检索到的哈希值。
希望这有所帮助。
<details>
<summary>英文:</summary>
Here is a basic hash and salt method using SHA512 and a random salt prepended to the hash.
private static string HashAndSalt(string plaintext)
{
var chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
using var hasher = SHA512.Create();
var random = new Random();
var ciphertextBytes = hasher.ComputeHash(Encoding.UTF8.GetBytes(plaintext));
var ciphertextB64 = Convert.ToBase64String(ciphertextBytes);
var salt = new string(Enumerable.Repeat(chars, 8).Select(s => s[random.Next(s.Length)]).ToArray());
var ciphertext = salt + ':' + ciphertextB64;
return ciphertext;
}
You will need to convert your `SecureString` to a normal `string`. Using a `SecureString` is obsolete and should not be used anymore. As the comments mentioned you should look into a dedicated password hashing algorithm such as:
- PBKDF2
- Argon2
- Bcrypt
- Scrypt
Here is an example using `Bcrypt` - it is not too complicated.
First, grab this NuGet package: `BCrypt.Net-Next`
private static string BcryptHash(string plaintext)
{
var ciphertext = BCrypt.Net.BCrypt.HashPassword(plaintext, 12);
return ciphertext;
}
You can't however compare the hashes when a user tries to authenticate as you can with SHA512. You need to use Bcrypts 'Verify' function.
private static bool BcryptVerify(string plaintext)
{
return BCrypt.Net.BCrypt.Verify(plaintext, hashedPassword);
}
Where the plaintext is the `plaintext` password you receive from user input and the `hashedPassword` being the hash you retrieved from the database where the initial ciphertext was stored.
Hope this helps.
</details>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论