Failing to verify existing password hashes with ruby BCrypt

Question


I'm currently running into an issue trying to implement an authentication on Ruby on Rails against an existing database with existing password hashes. I do have a couple of existing plaintext passwords readily available, so I know a few plaintext/hash pairs to verify the process.

Passwords are stored as $2a$12$xxxxyyyy, so I would assume that they are hashed using the BCrypt algorithm (can I really safely assume that?). When I now try to run

require 'bcrypt'

password = ::BCrypt::Password.new("$2a$12$xxxxyyyy")   # parse the stored hash (salt + cost are embedded)
verify = password == "known_plaintext_password"         # Password#== is an alias for is_password?

I always end up getting false for the verification. When I try to manually generate a hash using the same salt with the original password using

require 'bcrypt'

bcrypt = ::BCrypt::Password.new("$2a$12$xxxxyyyy")
# re-hash the plaintext with the salt (and cost) taken from the stored hash
::BCrypt::Engine.hash_secret("known_plaintext_password", bcrypt.salt)

the result actually differs from the original hash, though I would expect the hash function to return the same hash when called with the same input password and salt (again, can I safely make this assumption?).

I do not know which platform was used to implement the original hashing process, but I strongly suspect it to be implemented in .NET.

Am I doing something wrong here when trying to verify the password? I personally would expect a pepper to be used on the original password before generating the hash, can I safely take this assumption, or might there be anything else going on? Are there possible incompatibilities between different implementations of the BCrypt algorithm?

Answer 1

Score: 0

Since there has been no real answer here, and I figured out the solution in the meantime, I will add my own answer for reference if anyone else encounters the same problem...

It was indeed the case that the passwords were hashed using a pepper (or secret salt, if you prefer that terminology). Fortunately I was able to get the secret used, and after adding it as a parameter in the devise model, authentication against the legacy data was working.

huangapple
  • Posted by huangapple on 2023-03-01 09:23:13
  • Please keep this link when reposting: https://go.coder-hub.com/75598796.html