This is the encryption I have when people register on my site:
$salt = generateSalt();
$hashedPassword = crypt($userPass, $salt);
and here is my generateSalt function:
function generateSalt() {
    $salt = uniqid(mt_rand(), true);
    $salt = '$1$' . $salt;
    return $salt;
}
When I encrypt a password with this I get for example:
$1$92999442$AK4yZPjnj6BKc9yj4CXKu1
But when I crypt the same password on C# with this function:
hashedPassword = GenerateMD5(uName, salt);
GenerateMD5 function:
public String GenerateMD5(String input, String salt)
{
    Byte[] bytes = System.Text.Encoding.UTF8.GetBytes(input + salt);
    System.Security.Cryptography.MD5Cng md5hashstring = new System.Security.Cryptography.MD5Cng();
    byte[] hash = md5hashstring.ComputeHash(bytes);
    string hex = BitConverter.ToString(hash).Replace("-", string.Empty);
    return hex;
}
I get a completely different output. With the same password and the same salt I get this output:
9DE11D48C3F7DF1BF89FC76D755A2596
What function should I use in PHP and C# to get the same output?
4 solutions
#1
Because you're using two completely different algorithms. In PHP you're using crypt() which uses DES, and in C# you're using MD5. They're never going to produce the same output. If you want the same output, you should use md5() in PHP instead of crypt()
Also, don't use MD5, it's deprecated. You should be using at least SHA-2 now
#2
And adding a random salt to your input is part of the problem. You'll end up with a different input every time, hence a different hash output.
#3
If I were you I'd consider using password_hash instead. Does all that crypt work for you in a nice, neat package, complete with random salt.
As to why your function doesn't match, you're using MD5 in your C# code. I'm no expert in C# but you should use some sort of bcrypt hashing system. There is an open source bcrypt for C# that might do the trick for you. In theory, since they use the same system, one should be able to validate the other since they all store the salt in the string. Just pluck the salt from the string and plug the password and salt into the other one and they should match.
#4
This is the so-called md5crypt by Poul-Henning Kamp, not to be confused with MD5. Md5crypt was first used to protect FreeBSD passwords from brute force, but then became more widespread. It was incorporated into GNU libc crypt() and many programs had interfaces to this system call, including PHP, and some PHP developers made use of it. Md5crypt invokes MD5 no less than 1000 times to make brute force harder (but nowadays md5crypt is considered outdated by its author!). I have seen implementations of md5crypt for many programming languages; this one is for C#.
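The md5crypt scheme named in answer #4, written out so the C# side can check a `$1$` string produced by PHP crypt() by reusing the salt stored in it, as answer #3 describes. This is an added example, not code from the thread or from the implementation answer #4 refers to; the class and method names are hypothetical, and it assumes .NET 5 or later and that PHP hashed the UTF-8 bytes of the password.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread): md5crypt, the "$1$" scheme of PHP crypt().
static class Md5Crypt
{
    const string Itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    static byte[] Md5(params byte[][] parts) =>
        MD5.HashData(parts.SelectMany(p => p).ToArray());

    // n characters of crypt's own base-64 alphabet, lowest 6 bits of v first.
    static string To64(int v, int n) =>
        string.Concat(Enumerable.Range(0, n).Select(k => Itoa64[(v >> (6 * k)) & 0x3f]));

    public static string Hash(string password, string salt)
    {
        if (salt.Length > 8) salt = salt.Substring(0, 8);   // at most 8 salt characters are used
        byte[] pw = Encoding.UTF8.GetBytes(password), s = Encoding.ASCII.GetBytes(salt);
        byte[] alt = Md5(pw, s, pw), none = new byte[0];
        var buf = new List<byte>(pw.Concat(Encoding.ASCII.GetBytes("$1$")).Concat(s));
        for (int n = pw.Length; n > 0; n -= 16) buf.AddRange(alt.Take(Math.Min(16, n)));
        for (int i = pw.Length; i != 0; i >>= 1) buf.Add((i & 1) != 0 ? (byte)0 : pw[0]);
        byte[] final = Md5(buf.ToArray());
        for (int r = 0; r < 1000; r++)                       // the 1000 MD5 rounds
            final = Md5((r & 1) != 0 ? pw : final, r % 3 != 0 ? s : none,
                        r % 7 != 0 ? pw : none, (r & 1) != 0 ? final : pw);
        int[] order = { 0, 6, 12, 1, 7, 13, 2, 8, 14, 3, 9, 15, 4, 10, 5 };
        var sb = new StringBuilder("$1$" + salt + "$");
        for (int i = 0; i < 15; i += 3)
            sb.Append(To64(final[order[i]] << 16 | final[order[i + 1]] << 8 | final[order[i + 2]], 4));
        return sb.Append(To64(final[11], 2)).ToString();
    }

    // stored is the whole "$1$salt$digest" string PHP wrote; compared in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] f = stored.Split('$');                      // "", "1", salt, digest
        return f.Length == 4 && f[1] == "1" && CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(Hash(password, f[2])), Encoding.ASCII.GetBytes(stored));
    }

    // Constructed password; the salt is the one visible in the question's hash.
    static void Main() =>
        Console.WriteLine(Verify("constructed-password", Hash("constructed-password", "92999442")));
}
```

Since md5crypt is considered outdated, a successful check at login is the point at which to re-hash the password with password_hash or a bcrypt library and replace the stored value.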