最近在写用户管理相关的微服务,其中比较重要的问题是如何保存用户的密码,加盐哈希是一种常见的做法。知乎上有个问题大家可以先读一下: 加盐密码保存的最通用方法是?
对于每个用户的密码,都应该使用独一无二的盐值,每当新用户注册或者修改密码时,都应该使用新的盐值进行加密,并且这个盐值应该足够长,使得有足够的盐值以供加密。随着彩虹表的出现及不断增大,MD5算法不建议再使用了。
存储密码的步骤
- 使用基于加密的伪随机数生成器(Cryptographically Secure Pseudo-Random Number Generator – CSPRNG)生成一个足够长的盐值,如Java中的java.security.SecureRandom
- 将盐值混入密码(常用的做法是置于密码之前),并使用标准的加密哈希函数进行加密,如SHA256
- 把哈希值和盐值一起存入数据库中对应此用户的那条记录
校验密码的步骤
- 从数据库取出用户的密码哈希值和对应盐值
- 将盐值混入用户输入的密码,并使用相同的哈希函数进行加密
- 比较上一步结果和哈希值是否相同,如果相同那么密码正确,反之密码错误
加盐使攻击者无法采用特定的查询表或彩虹表快速破解大量哈希值,但不能阻止字典攻击或暴力攻击。这里假设攻击者已经获取到用户数据库,意味着攻击者知道每个用户的盐值,根据Kerckhoffs’s principle,应该假设攻击者知道用户系统使用密码加密算法,如果攻击者使用高端GPU或定制的ASIC,每秒可以进行数十亿次哈希计算,针对每个用户进行字典查询的效率依旧很高效。
为了降低这类攻击,可以用一种叫做密钥扩展的技术,让哈希函数变得很慢,即使GPU或ASIC字典攻击或暴力攻击也会慢得让攻击者无法接受。密钥扩展的实现依赖一种CPU密集型哈希函数,如PBKDF2和本文将要介绍的Bcrypt。这类函数使用一个安全因子或迭代次数作为参数,该值决定了哈希函数会有多慢。
Bcrypt
Bcrypt是由Niels Provos和DavidMazières基于Blowfish密码设计的一种密码散列函数,于1999年在USENIX上发布。
wikipedia上Bcrypt词条中有该算法的伪代码:
Function bcrypt
Input:
cost: Number (4..31) // 该值决定了密钥扩展的迭代次数 Iterations = 2^cost
salt: array of Bytes (16 bytes) // 随机数
password: array of Bytes (1..72 bytes) // 用户密码
Output:
hash: array of Bytes (24 bytes) // 返回的哈希值
// 使用Expensive key setup算法初始化Blowfish状态
state <- EksBlowfishSetup(cost, salt, password) // 这一步是整个算法中最耗时的步骤
ctext <- "OrpheanBeholderScryDoubt" // 24 bytes,初始向量
repeat (64)
ctext <- EncryptECB(state, ctext) // 使用 blowfish 算法的ECB模式进行加密
return Concatenate(cost, salt, ctext)
// Expensive key setup
Function EksBlowfishSetup
Input:
cost: Number (4..31)
salt: array of Bytes (16 bytes)
password: array of Bytes (1..72 bytes)
Output:
state: opaque BlowFish state structure
state <- InitialState()
state <- ExpandKey(state, salt, password)
repeat (2 ^ cost) // 计算密集型
state <- ExpandKey(state, 0, password)
state <- ExpandKey(state, 0, salt)
return state
Function ExpandKey(state, salt, password)
Input:
state: Opaque BlowFish state structure // 内部包含 P-array 和 S-box
salt: array of Bytes (16 bytes)
password: array of Bytes (1..72 bytes)
Output:
state: Opaque BlowFish state structure
// ExpandKey 是对输入参数进行固定的移位异或等运算,这里不列出
通过伪代码可以看出,通过制定不同的cost值,可以使得EksBlowfishSetup的运算次数大幅提升,从而达到慢哈希的目的。
Spring Security 中的 Bcrypt
理解了Bcrypt算法的原理,再来看Spring Security中的实现就很简单了。
package org.springframework.security.crypto.bcrypt;
...省略import...
public class BCryptPasswordEncoder implements PasswordEncoder {
...省略log...
<span class="kd">private</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">strength</span><span class="o">;</span> <span class="c1">// 相当于wiki伪代码中的cost,默认为10</span>
<span class="kd">private</span> <span class="kd">final</span> <span class="n">SecureRandom</span> <span class="n">random</span><span class="o">;</span> <span class="c1">// CSPRNG</span>
<span class="c1">// 构造函数</span>
<span class="kd">public</span> <span class="nf">BCryptPasswordEncoder</span><span class="o">()</span> <span class="o">{</span>
<span class="k">this</span><span class="o">(-</span><span class="mi">1</span><span class="o">);</span>
<span class="o">}</span>
<span class="c1">// 相当于伪代码中的cost, 长度 4 ~ 31</span>
<span class="kd">public</span> <span class="nf">BCryptPasswordEncoder</span><span class="o">(</span><span class="kt">int</span> <span class="n">strength</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">(</span><span class="n">strength</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span>
<span class="o">}</span>
<span class="c1">// 构造函数</span>
<span class="kd">public</span> <span class="nf">BCryptPasswordEncoder</span><span class="o">(</span><span class="kt">int</span> <span class="n">strength</span><span class="o">,</span> <span class="n">SecureRandom</span> <span class="n">random</span><span class="o">)</span> <span class="o">{</span>
<span class="k">if</span> <span class="o">(</span><span class="n">strength</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span> <span class="o">&&</span> <span class="o">(</span><span class="n">strength</span> <span class="o"><</span> <span class="n">BCrypt</span><span class="o">.</span><span class="na">MIN_LOG_ROUNDS</span> <span class="o">||</span> <span class="n">strength</span> <span class="o">></span> <span class="n">BCrypt</span><span class="o">.</span><span class="na">MAX_LOG_ROUNDS</span><span class="o">))</span> <span class="o">{</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalArgumentException</span><span class="o">(</span><span class="s">"Bad strength"</span><span class="o">);</span>
<span class="o">}</span>
<span class="k">this</span><span class="o">.</span><span class="na">strength</span> <span class="o">=</span> <span class="n">strength</span><span class="o">;</span>
<span class="k">this</span><span class="o">.</span><span class="na">random</span> <span class="o">=</span> <span class="n">random</span><span class="o">;</span>
<span class="o">}</span>
<span class="c1">// 加密函数</span>
<span class="kd">public</span> <span class="n">String</span> <span class="nf">encode</span><span class="o">(</span><span class="n">CharSequence</span> <span class="n">rawPassword</span><span class="o">)</span> <span class="o">{</span>
<span class="n">String</span> <span class="n">salt</span><span class="o">;</span>
<span class="k">if</span> <span class="o">(</span><span class="n">strength</span> <span class="o">></span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span>
<span class="k">if</span> <span class="o">(</span><span class="n">random</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span>
<span class="n">salt</span> <span class="o">=</span> <span class="n">BCrypt</span><span class="o">.</span><span class="na">gensalt</span><span class="o">(</span><span class="n">strength</span><span class="o">,</span> <span class="n">random</span><span class="o">);</span>
<span class="o">}</span>
<span class="k">else</span> <span class="o">{</span>
<span class="n">salt</span> <span class="o">=</span> <span class="n">BCrypt</span><span class="o">.</span><span class="na">gensalt</span><span class="o">(</span><span class="n">strength</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
<span class="k">else</span> <span class="o">{</span>
<span class="n">salt</span> <span class="o">=</span> <span class="n">BCrypt</span><span class="o">.</span><span class="na">gensalt</span><span class="o">();</span>
<span class="o">}</span>
<span class="k">return</span> <span class="n">BCrypt</span><span class="o">.</span><span class="na">hashpw</span><span class="o">(</span><span class="n">rawPassword</span><span class="o">.</span><span class="na">toString</span><span class="o">(),</span> <span class="n">salt</span><span class="o">);</span>
<span class="o">}</span>
<span class="c1">// 密码匹配函数</span>
<span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">matches</span><span class="o">(</span><span class="n">CharSequence</span> <span class="n">rawPassword</span><span class="o">,</span> <span class="n">String</span> <span class="n">encodedPassword</span><span class="o">)</span> <span class="o">{</span>
<span class="k">if</span> <span class="o">(</span><span class="n">encodedPassword</span> <span class="o">==</span> <span class="kc">null</span> <span class="o">||</span> <span class="n">encodedPassword</span><span class="o">.</span><span class="na">length</span><span class="o">()</span> <span class="o">==</span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span>
<span class="n">logger</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Empty encoded password"</span><span class="o">);</span>
<span class="k">return</span> <span class="kc">false</span><span class="o">;</span>
<span class="o">}</span>
<span class="k">if</span> <span class="o">(!</span><span class="n">BCRYPT_PATTERN</span><span class="o">.</span><span class="na">matcher</span><span class="o">(</span><span class="n">encodedPassword</span><span class="o">).</span><span class="na">matches</span><span class="o">())</span> <span class="o">{</span>
<span class="n">logger</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Encoded password does not look like BCrypt"</span><span class="o">);</span>
<span class="k">return</span> <span class="kc">false</span><span class="o">;</span>
<span class="o">}</span>
<span class="k">return</span> <span class="n">BCrypt</span><span class="o">.</span><span class="na">checkpw</span><span class="o">(</span><span class="n">rawPassword</span><span class="o">.</span><span class="na">toString</span><span class="o">(),</span> <span class="n">encodedPassword</span><span class="o">);</span>
<span class="o">}</span>
}
package org.springframework.security.crypto.bcrypt;
public class BCrypt {
<span class="c1">// 生成盐值的函数 "$2a$" + 2字节log_round + "$" + 22字节随机数Base64编码</span>
<span class="kd">public</span> <span class="kd">static</span> <span class="n">String</span> <span class="nf">gensalt</span><span class="o">(</span><span class="kt">int</span> <span class="n">log_rounds</span><span class="o">,</span> <span class="n">SecureRandom</span> <span class="n">random</span><span class="o">)</span> <span class="o">{</span>
<span class="k">if</span> <span class="o">(</span><span class="n">log_rounds</span> <span class="o"><</span> <span class="n">MIN_LOG_ROUNDS</span> <span class="o">||</span> <span class="n">log_rounds</span> <span class="o">></span> <span class="n">MAX_LOG_ROUNDS</span><span class="o">)</span> <span class="o">{</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalArgumentException</span><span class="o">(</span><span class="s">"Bad number of rounds"</span><span class="o">);</span>
<span class="o">}</span>
<span class="n">StringBuilder</span> <span class="n">rs</span> <span class="o">=</span> <span class="k">new</span> <span class="n">StringBuilder</span><span class="o">();</span>
<span class="kt">byte</span> <span class="n">rnd</span><span class="o">[]</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="n">BCRYPT_SALT_LEN</span><span class="o">];</span>
<span class="n">random</span><span class="o">.</span><span class="na">nextBytes</span><span class="o">(</span><span class="n">rnd</span><span class="o">);</span>
<span class="n">rs</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"$2a$"</span><span class="o">);</span>
<span class="k">if</span> <span class="o">(</span><span class="n">log_rounds</span> <span class="o"><</span> <span class="mi">10</span><span class="o">)</span> <span class="o">{</span>
<span class="n">rs</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"0"</span><span class="o">);</span>
<span class="o">}</span>
<span class="n">rs</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">log_rounds</span><span class="o">);</span>
<span class="n">rs</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"$"</span><span class="o">);</span>
<span class="n">encode_base64</span><span class="o">(</span><span class="n">rnd</span><span class="o">,</span> <span class="n">rnd</span><span class="o">.</span><span class="na">length</span><span class="o">,</span> <span class="n">rs</span><span class="o">);</span>
<span class="k">return</span> <span class="n">rs</span><span class="o">.</span><span class="na">toString</span><span class="o">();</span> <span class="c1">// 总长度29字节</span>
<span class="o">}</span>
<span class="cm">/**
* Hash a password using the OpenBSD bcrypt scheme
* @param password the password to hash
* @param salt the salt to hash with (perhaps generated using BCrypt.gensalt)
* @return the hashed password
* @throws IllegalArgumentException if invalid salt is passed
*/</span>
<span class="kd">public</span> <span class="kd">static</span> <span class="n">String</span> <span class="nf">hashpw</span><span class="o">(</span><span class="n">String</span> <span class="n">password</span><span class="o">,</span> <span class="n">String</span> <span class="n">salt</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">IllegalArgumentException</span> <span class="o">{</span>
<span class="c1">// 该函数在验证阶段也会用到,因为前29字节为盐值,所以可以将之前计算过的密码哈希值做为盐值</span>
<span class="n">BCrypt</span> <span class="n">B</span><span class="o">;</span>
<span class="n">String</span> <span class="n">real_salt</span><span class="o">;</span>
<span class="kt">byte</span> <span class="n">passwordb</span><span class="o">[],</span> <span class="n">saltb</span><span class="o">[],</span> <span class="n">hashed</span><span class="o">[];</span>
<span class="kt">char</span> <span class="n">minor</span> <span class="o">=</span> <span class="o">(</span><span class="kt">char</span><span class="o">)</span> <span class="mi">0</span><span class="o">;</span>
<span class="kt">int</span> <span class="n">rounds</span><span class="o">,</span> <span class="n">off</span> <span class="o">=</span> <span class="mi">0</span><span class="o">;</span>
<span class="n">StringBuilder</span> <span class="n">rs</span> <span class="o">=</span> <span class="k">new</span> <span class="n">StringBuilder</span><span class="o">();</span>
<span class="k">if</span> <span class="o">(</span><span class="n">salt</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalArgumentException</span><span class="o">(</span><span class="s">"salt cannot be null"</span><span class="o">);</span>
<span class="o">}</span>
<span class="kt">int</span> <span class="n">saltLength</span> <span class="o">=</span> <span class="n">salt</span><span class="o">.</span><span class="na">length</span><span class="o">();</span>
<span class="k">if</span> <span class="o">(</span><span class="n">saltLength</span> <span class="o"><</span> <span class="mi">28</span><span class="o">)</span> <span class="o">{</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalArgumentException</span><span class="o">(</span><span class="s">"Invalid salt"</span><span class="o">);</span>
<span class="o">}</span>
<span class="k">if</span> <span class="o">(</span><span class="n">salt</span><span class="o">.</span><span class="na">charAt</span><span class="o">(</span><span class="mi">0</span><span class="o">)</span> <span class="o">!=</span> <span class="sc">'$'</span> <span class="o">||</span> <span class="n">salt</span><span class="o">.</span><span class="na">charAt</span><span class="o">(</span><span class="mi">1</span><span class="o">)</span> <span class="o">!=</span> <span class="sc">'2'</span><span class="o">)</span> <span class="o">{</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalArgumentException</span><span class="o">(</span><span class="s">"Invalid salt version"</span><span class="o">);</span>
<span class="o">}</span>
<span class="k">if</span> <span class="o">(</span><span class="n">salt</span><span class="o">.</span><span class="na">charAt</span><span class="o">(</span><span class="mi">2</span><span class="o">)</span> <span class="o">==</span> <span class="sc">'$'</span><span class="o">)</span> <span class="o">{</span>
<span class="n">off</span> <span class="o">=</span> <span class="mi">3</span><span class="o">;</span>
<span class="o">}</span>
<span class="k">else</span> <span class="o">{</span>
<span class="n">minor</span> <span class="o">=</span> <span class="n">salt</span><span class="o">.</span><span class="na">charAt</span><span class="o">(</span><span class="mi">2</span><span class="o">);</span>
<span class="k">if</span> <span class="o">(</span><span class="n">minor</span> <span class="o">!=</span> <span class="sc">'a'</span> <span class="o">||</span> <span class="n">salt</span><span class="o">.</span><span class="na">charAt</span><span class="o">(</span><span class="mi">3</span><span class="o">)</span> <span class="o">!=</span> <span class="sc">'$'</span><span class="o">)</span> <span class="o">{</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalArgumentException</span><span class="o">(</span><span class="s">"Invalid salt revision"</span><span class="o">);</span>
<span class="o">}</span>
<span class="n">off</span> <span class="o">=</span> <span class="mi">4</span><span class="o">;</span>
<span class="o">}</span>
<span class="k">if</span> <span class="o">(</span><span class="n">saltLength</span> <span class="o">-</span> <span class="n">off</span> <span class="o"><</span> <span class="mi">25</span><span class="o">)</span> <span class="o">{</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalArgumentException</span><span class="o">(</span><span class="s">"Invalid salt"</span><span class="o">);</span>
<span class="o">}</span>
<span class="c1">// Extract number of rounds</span>
<span class="k">if</span> <span class="o">(</span><span class="n">salt</span><span class="o">.</span><span class="na">charAt</span><span class="o">(</span><span class="n">off</span> <span class="o">+</span> <span class="mi">2</span><span class="o">)</span> <span class="o">></span> <span class="sc">'$'</span><span class="o">)</span> <span class="o">{</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalArgumentException</span><span class="o">(</span><span class="s">"Missing salt rounds"</span><span class="o">);</span>
<span class="o">}</span>
<span class="n">rounds</span> <span class="o">=</span> <span class="n">Integer</span><span class="o">.</span><span class="na">parseInt</span><span class="o">(</span><span class="n">salt</span><span class="o">.</span><span class="na">substring</span><span class="o">(</span><span class="n">off</span><span class="o">,</span> <span class="n">off</span> <span class="o">+</span> <span class="mi">2</span><span class="o">));</span>
<span class="n">real_salt</span> <span class="o">=</span> <span class="n">salt</span><span class="o">.</span><span class="na">substring</span><span class="o">(</span><span class="n">off</span> <span class="o">+</span> <span class="mi">3</span><span class="o">,</span> <span class="n">off</span> <span class="o">+</span> <span class="mi">25</span><span class="o">);</span>
<span class="k">try</span> <span class="o">{</span>
<span class="n">passwordb</span> <span class="o">=</span> <span class="o">(</span><span class="n">password</span> <span class="o">+</span> <span class="o">(</span><span class="n">minor</span> <span class="o">>=</span> <span class="sc">'a'</span> <span class="o">?</span> <span class="s">"