2017-10-14 79 views
3

我正在更新舊的經典ASP網站,我需要存儲密碼,所以很自然地,我正在對經典ASP的侷限性如何去解決這個問題稍微謹慎。散列前加密sal密碼。好主意?

我正在使用鹽和胡椒(胡椒是一個常數存儲在服務器上,而不是在數據庫中),我只是想知道,是否有任何洗牌/擾亂字符的任何好處哈希之前的「胡椒+密碼+鹽」字符串?

我寫了一個函數,可以基於預定義(祕密)數字序列(序列也存儲在服務器上,而不是數據庫中)來打亂任何長度的字符串。所以函數總是會返回相同的擾碼值,而不是隨機的擾碼值(這當然是沒有用的)。

我一直在閱讀很多關於密碼salting的內容,但是我從來沒有見過任何人提出過在哈希之前加密的密碼。但對我來說,這似乎是一個很大的額外安全級別。

想知道別人怎麼看?

這裏的加擾功能(它是用VBScript):

Function ScrambleSalt(the_str) 

    '// Once you've joined the pepper + password + salt, you pass it through the "ScrambleSalt" function before 
    '// hashing. The "ScrambleSalt" function will scramble any string based on a pre-set sequence of numbers. 
    '// The sequence is imported from a txt file (kept in an offline folder, just like the pepper). 

    '// The sequence needs to be an incremental collection of numbers (starting from 1) but in a random order 
    '// and comma delimited. Here's and example with 1 to 50, although the actual sequence uses 1 - 500: 

    '// 22,8,21,45,49,42,3,36,11,47,19,9,15,23,40,16,29,31,43,38,44,4,41,13,35,26,17,14,10,28,6,5,34,12,39,1, 
    '// 30,46,32,7,27,48,33,25,18,2,50,20,24,37 

    '// (^ the numbers 1 to 50 in a random order) 

    '// How the scrambling process works (using the above example sequence) is by rearranging the characters in 
    '// the string so that characters 22 appears first, followed by character 8, then character 21 etc, etc... 
    '// the function cycles through the sequence ignoring any numbers that are larger than the length of the 
    '// string until the characters in the string have all been rearranged (scrambled). 

    '// If a string is more than 50 characters long, it will be split into individual strings, each containing 
    '// 50 characters (or a remainder in the case of the last string). 

    '// So if the length of the string is 120 characters long, it will be split into 3 string: 

    '// String 1 = 50 chars (chars 1 - 50) 
    '// String 2 = 50 chars (chars 51 - 100) 
    '// String 3 = 20 chars (chars 101 - 120) 

    '// Each string will be scrambled, then joined back together before being returned by the function. 
    '// Using this method means the function can scramble strings of any length and without limit. 

    Dim scramble_sequence, sequence_array, scramble_loop, in_loop_str, scrambled_str 
    scramble_sequence = file_get_contents(request.ServerVariables("APPL_PHYSICAL_PATH") & "/../keys/scramble_sequence.txt") 
    sequence_array = split(scramble_sequence,",") 
    scramble_loop = Ceil(len(the_str),uBound(sequence_array)+1) '// round up 
    for fx = 0 to scramble_loop-1 
     in_loop_str = mid(the_str,fx*(uBound(sequence_array)+1)+1,uBound(sequence_array)+1) 
     for fy = 0 to uBound(sequence_array) 
      if int(sequence_array(fy)) =< len(in_loop_str) then 
       scrambled_str = scrambled_str & mid(in_loop_str,int(sequence_array(fy)),1) 
      end if 
     next 
    next 
    ScrambleSalt = scrambled_str 

End Function 

function Ceil(dividend, divider) ' for rounding up a number 
    if (dividend mod divider) = 0 Then 
     Ceil = dividend/divider 
    else 
     Ceil = Int(dividend/divider) + 1 
    end if 
End function 

function file_get_contents(file_path) 
    Set fs = Server.CreateObject("Scripting.FileSystemObject") 
    Set f = fs.OpenTextFile(file_path,1) 
     file_get_contents = f.ReadAll 
    f.Close : Set f = Nothing : Set fs = Nothing 
end function 

在動作上面的函數的一個例子

pepper value used for this example = "XC3Qpm7CNXauwAbX" 
scramble sequence used for this example = "9,39,50,43,18,11,36,7,29,41,27,34,12,45,1,14,42,13,6,4,25,19,24,33,30,20,23,10,46,16,49,38,15,5,17,8,47,28,26,3,2,40,37,44,35,32,48,22,31,21" 

password = "[email protected]" 
salt = "G1sWNd0andiIhOYA" 

concatenated pepper+password+salt: 
[email protected] 

scrambled using the example sequence: 
[email protected] 

SHA512 Hash: 
9d5a7781eeb815250c55c1a1f172c569b3b6167a48951c819e4982bea9b84bd8ecad6a417ff8f110541a1039ddf1fd8daa61a52a7c401fccae71dda77c607540 
+0

鹽的目的是渲染彩虹桌無用(因爲攻擊者必須重新計算每個散列他們想要破解的散列)。鹽是否爲攻擊者所知是無關緊要的。你的方法對你有什​​麼好處? –

+0

我瞭解鹽的用途(它將存儲在哈希密碼旁邊)。如果數據庫遭到破壞,黑客可能會針對一個帳戶並重建彩虹表來執行鹽分。我的想法是,加密密碼+鹽而不是僅僅連接兩者會使這幾乎不可能,除非他們能夠訪問網站源代碼以及數據庫......我也意識到這是過度的,但它似乎就像一個很好的附加安全級別。 – Adam

+0

重建彩虹表本質上與強制散列相同。無論如何,攻擊者可以做什麼。 –

回答

0

如果有人獲得了訪問數據庫,他們也可以得到如果它們位於同一臺服務器上,則可以訪問您的腳本。