ASP.NET Identity的默认密码哈希 - 它是如何工作的并且是否安全？

Question

ASP.NET Identity的默认密码哈希 - 它是如何工作的并且是否安全？

And*_*ock 148 c# asp.net security passwords asp.net-identity

我想知道在MVC 5和ASP.NET Identity Framework附带的UserManager中默认实现的Password Hasher是否足够安全？如果是这样,如果你可以向我解释它是如何工作的？

IPasswordHasher界面如下所示:

public interface IPasswordHasher
{
    string HashPassword(string password);
    PasswordVerificationResult VerifyHashedPassword(string hashedPassword, 
                                                       string providedPassword);
}

Run Code Online (Sandbox Code Playgroud)

正如你所看到的,它不需要盐,但在这个帖子中提到:" Asp.net身份密码哈希 ",它确实在幕后加盐.所以我想知道它是如何做到的？这盐来自何处？

我担心的是盐是静态的,使它非常不安全.

Answer 1

And*_*ykh 208

以下是默认实现的工作原理.它使用随机盐的密钥派生函数来生成哈希.盐被列为KDF产出的一部分.因此,每次"哈希"相同的密码时,您将获得不同的哈希值.为了验证散列,输出被拆分回salt和其余部分,并且KDF再次运行在具有指定salt的密码上.如果结果与初始输出的其余部分匹配,则验证散列.

哈希:

public static string HashPassword(string password)
{
    byte[] salt;
    byte[] buffer2;
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }
    using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, 0x10, 0x3e8))
    {
        salt = bytes.Salt;
        buffer2 = bytes.GetBytes(0x20);
    }
    byte[] dst = new byte[0x31];
    Buffer.BlockCopy(salt, 0, dst, 1, 0x10);
    Buffer.BlockCopy(buffer2, 0, dst, 0x11, 0x20);
    return Convert.ToBase64String(dst);
}

Run Code Online (Sandbox Code Playgroud)

验证:

public static bool VerifyHashedPassword(string hashedPassword, string password)
{
    byte[] buffer4;
    if (hashedPassword == null)
    {
        return false;
    }
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }
    byte[] src = Convert.FromBase64String(hashedPassword);
    if ((src.Length != 0x31) || (src[0] != 0))
    {
        return false;
    }
    byte[] dst = new byte[0x10];
    Buffer.BlockCopy(src, 1, dst, 0, 0x10);
    byte[] buffer3 = new byte[0x20];
    Buffer.BlockCopy(src, 0x11, buffer3, 0, 0x20);
    using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, dst, 0x3e8))
    {
        buffer4 = bytes.GetBytes(0x20);
    }
    return ByteArraysEqual(buffer3, buffer4);
}

Run Code Online (Sandbox Code Playgroud)

@AndréSnedeHansen,确切地说.而且我也建议您在安全性或加密SE上询问.在这些相应的环境中,可以更好地解决"它是安全的"部分. (8认同)
所以,如果我理解正确,那么`HashPassword`函数会在同一个字符串中返回？当你验证它时,它会再次将它再次拆分,并使用分割中的盐来哈希传入的明文密码,并将其与原始哈希值进行比较？ (5认同)
感谢您的解释,现在我可以安静地睡觉:)! (3认同)
@AndrewSavinykh我知道,这就是我问的原因 - 重点是什么？为了使代码看起来更聪明？;)我使用十进制数计数东西的原因是更直观的(毕竟我们有10个手指 - 至少我们大多数人),所以使用十六进制来声明一些东西似乎是一个不必要的代码混淆. (3认同)
@MihaiAlexandru-Ionut `var hashedPassword = HashPassword(password); var result = verifyHashedPassword(hashedPassword, password);` - 是您需要做的。之后 `result` 包含 true。 (2认同)

Answer 2

Kne*_*lis 39

因为ASP.NET是开源的,你可以在GitHub上找到它: AspNet.Identity 3.0和AspNet.Identity 2.0.

来自评论:

/* =======================
 * HASHED PASSWORD FORMATS
 * =======================
 * 
 * Version 2:
 * PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
 * (See also: SDL crypto guidelines v5.1, Part III)
 * Format: { 0x00, salt, subkey }
 *
 * Version 3:
 * PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations.
 * Format: { 0x01, prf (UInt32), iter count (UInt32), salt length (UInt32), salt, subkey }
 * (All UInt32s are stored big-endian.)
 */

Run Code Online (Sandbox Code Playgroud)

现在可以在 https://github.com/dotnet/aspnetcore/blob/master/src/Identity/Extensions.Core/src/PasswordHasher.cs 下找到最新的实现。他们存档了另一个存储库；） (2认同)

Answer 3

Nat*_*ass 30

我理解接受的答案,并且已经投了票,但我认为我会在这里抛弃我的外行答案......

创建哈希

使用函数Rfc2898DeriveBytes随机生成盐 ,生成散列和盐.Rfc2898DeriveBytes的输入是密码,要生成的salt的大小以及要执行的散列迭代次数. https://msdn.microsoft.com/en-us/library/h83s4e12(v=vs.110).aspx
然后将盐和散列混合在一起(盐首先跟随散列)并编码为字符串(因此salt在散列中编码).然后将该编码的散列(其包含盐和散列)存储(通常)在用户的数据库中.

根据哈希检查密码

检查用户输入的密码.

从存储的哈希密码中提取盐.
salt用于使用Rfc2898DeriveBytes的重载来散列用户输入密码,该过载使用salt而不是生成一个.https://msdn.microsoft.com/en-us/library/yx129kfs(v=vs.110).aspx
然后比较存储的散列和测试散列.

哈希

在封面下,使用SHA1哈希函数(https://en.wikipedia.org/wiki/SHA-1)生成哈希.该函数迭代调用1000次(在默认的Identity实现中)

为什么这是安全的

随机盐意味着攻击者无法使用预先生成的哈希表来尝试破解密码.他们需要为每个盐生成一个哈希表.(这里假设黑客也泄露了你的盐)
如果2个密码相同,则它们将具有不同的哈希值.(意思是攻击者无法推断'常见'密码)
迭代地调用SHA1 1000次意味着攻击者也需要这样做.这个想法是,除非他们在超级计算机上有时间,否则他们将没有足够的资源来强制从哈希中强制输入密码.它会大大减慢为给定盐生成哈希表的时间.

@NSouth 唯一的盐使给定密码的哈希值是唯一的。所以两个相同的密码会有不同的哈希值。访问你的哈希和盐仍然不会让攻击者记住你的密码。散列是不可逆的。他们仍然需要通过每个可能的密码进行暴力破解。唯一的salt 只是意味着黑客无法通过对特定散列进行频率分析来推断出通用密码，如果他们已经设法掌握了您的整个用户表。 (2认同)

Answer 4

kfr*_*sty 8

对于像我这样全新的人来说,这里是带有const的代码和比较byte []的实际方法.我从stackoverflow获得了所有这些代码,但定义了consts,因此可以更改值

// 24 = 192 bits
    private const int SaltByteSize = 24;
    private const int HashByteSize = 24;
    private const int HasingIterationsCount = 10101;


    public static string HashPassword(string password)
    {
        // http://stackoverflow.com/questions/19957176/asp-net-identity-password-hashing

        byte[] salt;
        byte[] buffer2;
        if (password == null)
        {
            throw new ArgumentNullException("password");
        }
        using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, SaltByteSize, HasingIterationsCount))
        {
            salt = bytes.Salt;
            buffer2 = bytes.GetBytes(HashByteSize);
        }
        byte[] dst = new byte[(SaltByteSize + HashByteSize) + 1];
        Buffer.BlockCopy(salt, 0, dst, 1, SaltByteSize);
        Buffer.BlockCopy(buffer2, 0, dst, SaltByteSize + 1, HashByteSize);
        return Convert.ToBase64String(dst);
    }

    public static bool VerifyHashedPassword(string hashedPassword, string password)
    {
        byte[] _passwordHashBytes;

        int _arrayLen = (SaltByteSize + HashByteSize) + 1;

        if (hashedPassword == null)
        {
            return false;
        }

        if (password == null)
        {
            throw new ArgumentNullException("password");
        }

        byte[] src = Convert.FromBase64String(hashedPassword);

        if ((src.Length != _arrayLen) || (src[0] != 0))
        {
            return false;
        }

        byte[] _currentSaltBytes = new byte[SaltByteSize];
        Buffer.BlockCopy(src, 1, _currentSaltBytes, 0, SaltByteSize);

        byte[] _currentHashBytes = new byte[HashByteSize];
        Buffer.BlockCopy(src, SaltByteSize + 1, _currentHashBytes, 0, HashByteSize);

        using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, _currentSaltBytes, HasingIterationsCount))
        {
            _passwordHashBytes = bytes.GetBytes(SaltByteSize);
        }

        return AreHashesEqual(_currentHashBytes, _passwordHashBytes);

    }

    private static bool AreHashesEqual(byte[] firstHash, byte[] secondHash)
    {
        int _minHashLength = firstHash.Length <= secondHash.Length ? firstHash.Length : secondHash.Length;
        var xor = firstHash.Length ^ secondHash.Length;
        for (int i = 0; i < _minHashLength; i++)
            xor |= firstHash[i] ^ secondHash[i];
        return 0 == xor;
    }

Run Code Online (Sandbox Code Playgroud)

在自定义ApplicationUserManager中,将PasswordHasher属性设置为包含上述代码的类的名称.

Answer 5

M K*_*aei 5

我基于.net6 PasswordHasher文档最新版本（V3）编写我的类PasswordHasher https://github.com/dotnet/aspnetcore/blob/b56bb17db3ae73ce5a8664a2023a9b9af89499dd/src/Identity/Extensions.Core/src/PasswordHasher.cs

namespace Utilities;

public class PasswordHasher
{
    public const int Pbkdf2Iterations = 1000;


    public static string HashPasswordV3(string password)
    {
        return Convert.ToBase64String(HashPasswordV3(password, RandomNumberGenerator.Create()
            , prf: KeyDerivationPrf.HMACSHA512, iterCount: Pbkdf2Iterations, saltSize: 128 / 8
            , numBytesRequested: 256 / 8));
    }


    public static bool VerifyHashedPasswordV3(string hashedPasswordStr, string password)
    {
        byte[] hashedPassword = Convert.FromBase64String(hashedPasswordStr);
        var iterCount = default(int);
        var prf = default(KeyDerivationPrf);

        try
        {
            // Read header information
            prf = (KeyDerivationPrf)ReadNetworkByteOrder(hashedPassword, 1);
            iterCount = (int)ReadNetworkByteOrder(hashedPassword, 5);
            int saltLength = (int)ReadNetworkByteOrder(hashedPassword, 9);

            // Read the salt: must be >= 128 bits
            if (saltLength < 128 / 8)
            {
                return false;
            }
            byte[] salt = new byte[saltLength];
            Buffer.BlockCopy(hashedPassword, 13, salt, 0, salt.Length);

            // Read the subkey (the rest of the payload): must be >= 128 bits
            int subkeyLength = hashedPassword.Length - 13 - salt.Length;
            if (subkeyLength < 128 / 8)
            {
                return false;
            }
            byte[] expectedSubkey = new byte[subkeyLength];
            Buffer.BlockCopy(hashedPassword, 13 + salt.Length, expectedSubkey, 0, expectedSubkey.Length);

            // Hash the incoming password and verify it
            byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, prf, iterCount, subkeyLength);
#if NETSTANDARD2_0 || NETFRAMEWORK
            return ByteArraysEqual(actualSubkey, expectedSubkey);
#elif NETCOREAPP
            return CryptographicOperations.FixedTimeEquals(actualSubkey, expectedSubkey);
#else
#error Update target frameworks
#endif
        }
        catch
        {
            // This should never occur except in the case of a malformed payload, where
            // we might go off the end of the array. Regardless, a malformed payload
            // implies verification failed.
            return false;
        }
    }


    // privates
    private static byte[] HashPasswordV3(string password, RandomNumberGenerator rng, KeyDerivationPrf prf, int iterCount, int saltSize, int numBytesRequested)
    {
        byte[] salt = new byte[saltSize];
        rng.GetBytes(salt);
        byte[] subkey = KeyDerivation.Pbkdf2(password, salt, prf, iterCount, numBytesRequested);
        var outputBytes = new byte[13 + salt.Length + subkey.Length];
        outputBytes[0] = 0x01; // format marker
        WriteNetworkByteOrder(outputBytes, 1, (uint)prf);
        WriteNetworkByteOrder(outputBytes, 5, (uint)iterCount);
        WriteNetworkByteOrder(outputBytes, 9, (uint)saltSize);
        Buffer.BlockCopy(salt, 0, outputBytes, 13, salt.Length);
        Buffer.BlockCopy(subkey, 0, outputBytes, 13 + saltSize, subkey.Length);
        return outputBytes;
    }

    private static void WriteNetworkByteOrder(byte[] buffer, int offset, uint value)
    {
        buffer[offset + 0] = (byte)(value >> 24);
        buffer[offset + 1] = (byte)(value >> 16);
        buffer[offset + 2] = (byte)(value >> 8);
        buffer[offset + 3] = (byte)(value >> 0);
    }

    private static uint ReadNetworkByteOrder(byte[] buffer, int offset)
    {
        return ((uint)(buffer[offset + 0]) << 24)
            | ((uint)(buffer[offset + 1]) << 16)
            | ((uint)(buffer[offset + 2]) << 8)
            | ((uint)(buffer[offset + 3]));
    }

}

Run Code Online (Sandbox Code Playgroud)

在 UserController 中使用：

namespace WebApi.Controllers.UserController;

[Route("api/[controller]/[action]")]
[ApiController]
public class UserController : ControllerBase
{
    private readonly IUserService _userService;
    public UserController(IUserService userService)
    {
        _userService = userService;
    }


[HttpPost]
public async Task<IActionResult> Register(VmRegister model)
{
    var user = new User
    {
        UserName = model.UserName,
        PasswordHash = PasswordHasher.HashPasswordV3(model.Password),
        FirstName = model.FirstName,
        LastName = model.LastName,
        Mobile = model.Mobile,
        Email = model.Email,
    };
    await _userService.Add(user);
    return StatusCode(201, user.Id);
}


[HttpPost]
public async Task<IActionResult> Login(VmLogin model)
{
    var user = await _userService.GetByUserName(model.UserName);

    if (user is null || !PasswordHasher.VerifyHashedPasswordV3(user.PasswordHash, model.Password))
        throw new Exception("The UserName or Password is wrong.");
    // generate token
    return Ok();
}

Run Code Online (Sandbox Code Playgroud)

}

https://github.com/mammadkoma/WebApi/tree/master/WebApi

归档时间：	11 年，8 月前
查看次数：	108506 次
最近记录：	5 年，11 月前