Why not use AES for password encryption in PHP?

Time: 2021-10-21 18:24:30

Everywhere I have seen people talking about storing passwords in a database, they have almost always used MD5.

What is wrong with AES, or SHA1?

6 Solutions

#1


36  

If you store a password encrypted, it can be decrypted. Since many people reuse passwords across many different systems, this is a bad thing. So you use a one-way function, a cryptographic hash function - this way a password can be verified without actually being revealed.

As Greg commented, AES is an encryption/decryption algorithm. MD5 and the SHA family are hash functions, which are the more appropriate ones to use. But steer clear of MD5 nowadays - it's not really seen as secure enough any more. Xiaoyun Wang published an effective collision attack against it in 2005, and its strength is now seen as considerably below its design strength - thus in cryptographic terms it is "broken".

For best results, the standard is to salt and hash a password to store it - google these terms in tandem and you'll find numerous references.

#2


6  

MD5 (Message-Digest algorithm 5) is a cryptographic hash function, while Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm, so they are used for different purposes. A hash, like MD5 or SHA, is used to verify passwords because it's hard to invert, that is, to obtain the password from the hash-string. An AES encryption, on the other hand, is invertible: the original message can be obtained if you know the key. So, if multiple messages are encrypted with the same key, knowing it exposes all of them, whereas if you manage to find a hash's original string (rainbow tables, etc.), you've only discovered the plain text for that particular instance, and you'll have to redo the work to find a solution for another hash-string.

#3


4  

In short: AES is reversible. A hash function is not.

In response to the accepted answer... (sorry, I'm a new user, can't post comments yet...) Salting only prevents Rainbow Table based attacks. It does not protect "weak passwords". To protect the weaker passwords, you will need to use a hash function that has been proven to be slow. A properly configured bcrypt is the easiest way to do this. MD5 and SHA1 are too fast to be secure. (The collisions found with MD5 are unrelated to this problem I'm describing)

All 8-character passwords encrypted with MD5 or SHA1 (even when properly salted) can be cracked by this dude in a single day. Salting does NOT prevent this kind of attack. "Optimizing" the attack to consist of only the ~500k words in the English language... and the 10,000 most common variations of them will crack a huge number of passwords.

BCrypt is stronger against this kind of attack because it (can be configured to be) millions of times slower than MD5. Iteratively using MD5 a million times will theoretically achieve the same thing, but I suggest you stick with well tested libraries instead of rolling your own implementation. BCrypt uses Salting as well of course, and is available in most programming languages. So no reason to NOT use it.

In theory, SCrypt is better, but it's too new (and therefore, implementations are probably still a little buggy).

Long story short: SHA512 vs. Blowfish and Bcrypt
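
The cost gap this answer describes, as an added PHP example that is not part of the original answer: it times a salted SHA-256 against bcrypt through PHP's built-in `password_hash()` API, then stores, verifies and re-hashes at a higher cost. The sample password, the helper name `secondsPerHash` and the cost values 12 and 13 are assumptions chosen for illustration.

```php
<?php
// Constructed sample input for illustration only.
$password = 'correct horse battery staple';

// Hypothetical helper: time $n calls of $fn and return seconds per call.
function secondsPerHash(callable $fn, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn();
    }
    return (microtime(true) - $start) / $n;
}

// Fast general-purpose hash with a random salt: cheap for the server,
// and equally cheap for anyone guessing against a stolen table.
$salt = random_bytes(16);
$fast = secondsPerHash(fn() => hash('sha256', $salt . $password), 100000);

// bcrypt via the password API: the salt is generated and embedded in the
// output automatically; 'cost' is the log2 of the iteration count.
$options = ['cost' => 12]; // assumed value; tune to your own hardware
$slow = secondsPerHash(
    fn() => password_hash($password, PASSWORD_BCRYPT, $options),
    3
);

printf("sha256 + salt: %.2f microseconds per guess\n", $fast * 1e6);
printf("bcrypt cost 12: %.2f milliseconds per guess\n", $slow * 1e3);
printf("slowdown factor: about %d\n", (int) round($slow / $fast));

// Store the hash string as-is; verify at login with password_verify().
$stored = password_hash($password, PASSWORD_BCRYPT, $options);
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong guess', $stored));

// Raising the cost later needs no password reset: rehash on the next
// successful login, while the plaintext is briefly available.
$newOptions = ['cost' => 13];
if (password_verify($password, $stored)
    && password_needs_rehash($stored, PASSWORD_BCRYPT, $newOptions)) {
    $stored = password_hash($password, PASSWORD_BCRYPT, $newOptions);
}
echo 'stored cost is now ', password_get_info($stored)['options']['cost'], "\n";
```

PHP's bcrypt only uses the first 72 bytes of the password, so very long passphrases are truncated before hashing.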

#4


1  

Because AES encryption is symmetric. Given a password encrypted with AES and the key, you can decrypt the password. This is undesirable, because you almost always want only the owner of the password to know it and don't want to have an easy way to derive the password. The SHA and MD5 algorithms, on the other hand, perform a (mostly) one-way transformation of the password. There is no piece of information (key) that allows you to return the transformed password back to its plaintext form.

#5


1  

The use of AES as a symmetric cipher for passwords would be a violation of CWE-257 and therefore a vulnerability. It is possible to use a symmetric cipher as a hash function. Old Unix passwords use DES as a hash function and newer Unix systems use Blowfish as a hash function. But even though it's a block cipher, it's being used as a one-way function, which is a requirement for any password storage system.

For PHP you should use sha256.

#6


1  

The main reason why using symmetric (or asymmetric) encryption is not advisable for protecting passwords is: key management. When using encryption, you must protect the encryption key (or the entropies from which the key is derived). And protecting the key is a very difficult task to solve. Hashing (with SHA, MD5, or any other algorithm) solves the problem of key protection, because you don't need to keep any secret value (other than salt, but salt is significantly less sensitive than an encryption key; you can store salt in plain text). So if you only keep passwords for authentication purposes (performed by your app), there is absolutely no reason to use encryption; hashing would do just fine. However, there may be cases when you need to be able to decrypt passwords (e.g. you may need to pass users' credentials to third party apps). This is the only case in which the use of encryption would be justified for password storage.
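
The key-management point above, as an added PHP example that is not part of the original answers: the same two constructed passwords are stored once with AES-256-GCM and once with `password_hash()`. The helper names `encryptForStorage` and `decryptFromStorage`, the user names and the passwords are hypothetical.

```php
<?php
// Constructed sample data: user names, passwords and key are illustrative.
$users = ['alice' => 'Tr0ub4dor&3', 'bob' => 'hunter2-hunter2'];
$key = random_bytes(32); // the application must be able to read this key

// Hypothetical helper: AES-256-GCM encryption, as the question proposes.
function encryptForStorage(string $plain, string $key): string
{
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // 12-byte IV, 16-byte tag, ciphertext
}

// Hypothetical helper: the inverse, available to anyone who has $key.
function decryptFromStorage(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

// Two versions of the same credentials column.
$aesColumn  = array_map(fn($p) => encryptForStorage($p, $key), $users);
$hashColumn = array_map(fn($p) => password_hash($p, PASSWORD_BCRYPT), $users);

// Encrypted column plus key: every password comes back in one pass.
foreach ($aesColumn as $user => $blob) {
    printf("%s decrypts to: %s\n", $user, decryptFromStorage($blob, $key));
}

// Hashed column: there is no key to protect or lose; the only operation
// the stored value supports is checking a candidate password.
foreach ($hashColumn as $user => $hash) {
    $ok = password_verify($users[$user], $hash);
    printf("%s verify(correct)=%s verify(wrong)=%s\n", $user,
        var_export($ok, true), var_export(password_verify('guess', $hash), true));
}
```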
