I'm currently developing an Orchard CMS platform for one of our customers, a small club of about 400 members. After another customer recently had their website hacked and user data leaked (for the record: we didn't develop their website), we want to provide optimal security to our current and new clients. This does not mean the best security, we just want to make the site secure enough that whatever data can be found in the website isn't worth the effort the attacker has to do to get it. Since we only have a small member pool for this website, I doubt it's attractive to begin with, but considering the recent events, we can't be too sure.
我目前正在为我们的一个客户开发一个Orchard CMS平台,这是一个拥有约400名成员的小型俱乐部。在另一位客户最近他们的网站被黑了并且用户数据泄露后(记录:我们没有开发他们的网站),我们希望为我们当前和新客户提供最佳安全性。这并不意味着最好的安全性,我们只是想让网站足够安全,无论网站上找到什么数据都不值得攻击者为获得它而付出的努力。由于我们这个网站只有一个小会员池,我怀疑它的开头是否有吸引力,但考虑到最近的事件,我们不能太确定。
One of the subjects we're studying is password storage. We don't want to skimp on this because this is a vital part of security. I've read up on SHA512, BCrypt and other hashing algorithms, but it's hard to form a clear overview of all the different algorithms and methods found online. The information is spread out across different sources, some of which can be found on MSDN, but some of which can only be found hidden in blog posts and comments.
我们正在研究的主题之一是密码存储。我们不想吝啬这一点,因为这是安全的重要组成部分。我已经阅读了SHA512,BCrypt和其他哈希算法,但很难对在线发现的所有不同算法和方法形成清晰的概述。这些信息分布在不同的来源,其中一些可以在MSDN上找到,但其中一些只能在博客文章和评论中找到。
What algorithms for hashing and salthashing passwords and other sensitive data are currently viewed as the best? And which ones are to be avoided like the plague?
什么算法的哈希和salthashing密码和其他敏感数据目前被认为是最好的?哪些是像瘟疫一样要避免的?
1 个解决方案
#1
1
PBKDF2/RFC2898/PKCS#5v2, BCrypt, and SCrypt are the current "good" ways to store passwords. All other ways are bad as of early 2014.
PBKDF2 / RFC2898 / PKCS#5v2,BCrypt和SCrypt是当前存储密码的“好方法”。截至2014年初,所有其他方式都很糟糕。
Looking at Orchard SetPassword, it appears to be a single round of salted SHA-1. This is pitiful! See How to securely hash passwords? for the general treatise.
看看Orchard SetPassword,它似乎是一轮盐渍SHA-1。这太可怜了!请参阅如何安全地散列密码?一般论文。
In your case, if you want to stick with pure .NET, I would say use the Rfc2898DeriveBytes Class, which is a PBKDF2-HMAC-SHA-1 implementation, feed it a random per-user 16 byte salt generated by the RNGCryptoServiceProvider Class (the same class Orchard uses to generate its salt), and as many iterations as you can use expect to be just below a CPU bound server at maximum expected load - that number should be in the tens of thousands.
在你的情况下,如果你想坚持使用纯.NET,我会说使用Rfc2898DeriveBytes类,这是一个PBKDF2-HMAC-SHA-1实现,为RNGCryptoServiceProvider类生成一个随机的每用户16字节盐( Orchard使用相同的类生成它的盐,并且尽可能多的迭代期望在最大预期负载下低于CPU绑定服务器 - 该数量应该是数万。
Store the password hash, the plaintext (binary or hex string or Base64 string) salt, and the number of iterations in the database. The number of itersations should be stored so you can easily increase security later. If possible, also store a "Version" so that you can easily upgrade to a new algorithm later.
存储密码哈希,明文(二进制或十六进制字符串或Base64字符串)salt以及数据库中的迭代次数。应存储itersations的数量,以便您以后轻松提高安全性。如果可能,还要存储“版本”,以便以后可以轻松升级到新算法。
#1
1
PBKDF2/RFC2898/PKCS#5v2, BCrypt, and SCrypt are the current "good" ways to store passwords. All other ways are bad as of early 2014.
PBKDF2 / RFC2898 / PKCS#5v2,BCrypt和SCrypt是当前存储密码的“好方法”。截至2014年初,所有其他方式都很糟糕。
Looking at Orchard SetPassword, it appears to be a single round of salted SHA-1. This is pitiful! See How to securely hash passwords? for the general treatise.
看看Orchard SetPassword,它似乎是一轮盐渍SHA-1。这太可怜了!请参阅如何安全地散列密码?一般论文。
In your case, if you want to stick with pure .NET, I would say use the Rfc2898DeriveBytes Class, which is a PBKDF2-HMAC-SHA-1 implementation, feed it a random per-user 16 byte salt generated by the RNGCryptoServiceProvider Class (the same class Orchard uses to generate its salt), and as many iterations as you can use expect to be just below a CPU bound server at maximum expected load - that number should be in the tens of thousands.
在你的情况下,如果你想坚持使用纯.NET,我会说使用Rfc2898DeriveBytes类,这是一个PBKDF2-HMAC-SHA-1实现,为RNGCryptoServiceProvider类生成一个随机的每用户16字节盐( Orchard使用相同的类生成它的盐,并且尽可能多的迭代期望在最大预期负载下低于CPU绑定服务器 - 该数量应该是数万。
Store the password hash, the plaintext (binary or hex string or Base64 string) salt, and the number of iterations in the database. The number of itersations should be stored so you can easily increase security later. If possible, also store a "Version" so that you can easily upgrade to a new algorithm later.
存储密码哈希,明文(二进制或十六进制字符串或Base64字符串)salt以及数据库中的迭代次数。应存储itersations的数量,以便您以后轻松提高安全性。如果可能,还要存储“版本”,以便以后可以轻松升级到新算法。