如何在Java中散列密码?

我需要对密码进行哈希处理以存储在数据库中。如何用Java做到这一点?

我希望使用纯文本密码,添加随机盐,然后将盐和哈希密码存储在数据库中。

然后,当用户想要登录时,我可以使用其提交的密码,从其帐户信息中添加随机盐,对其进行哈希处理,然后查看其是否等同于其帐户信息所存储的哈希密码。

回答:

实际上,你可以使用Java运行时内置的工具来执行此操作。Java 6中的SunJCE支持PBKDF2,这是用于密码哈希的一种很好的算法。

byte[] salt = new byte[16];

random.nextBytes(salt);

KeySpec spec = new PBEKeySpec("password".toCharArray(), salt, 65536, 128);

SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");

byte[] hash = f.generateSecret(spec).getEncoded();

Base64.Encoder enc = Base64.getEncoder();

System.out.printf("salt: %s%n", enc.encodeToString(salt));

System.out.printf("hash: %s%n", enc.encodeToString(hash));

这是可用于PBKDF2密码身份验证的实用程序类:

import java.security.NoSuchAlgorithmException;

import java.security.SecureRandom;

import java.security.spec.InvalidKeySpecException;

import java.security.spec.KeySpec;

import java.util.Arrays;

import java.util.Base64;

import java.util.regex.Matcher;

import java.util.regex.Pattern;

import javax.crypto.SecretKeyFactory;

import javax.crypto.spec.PBEKeySpec;

/**

* Hash passwords for storage, and test passwords against password tokens.

*

* Instances of this class can be used concurrently by multiple threads.

*

* @author erickson

* @see <a href="http://stackoverflow.com/a/2861125/3474">StackOverflow</a>

*/

public final class PasswordAuthentication

{

/**

* Each token produced by this class uses this identifier as a prefix.

*/

public static final String ID = "$31$";

/**

* The minimum recommended cost, used by default

*/

public static final int DEFAULT_COST = 16;

private static final String ALGORITHM = "PBKDF2WithHmacSHA1";

private static final int SIZE = 128;

private static final Pattern layout = Pattern.compile("\\$31\\$(\\d\\d?)\\$(.{43})");

private final SecureRandom random;

private final int cost;

public PasswordAuthentication()

{

this(DEFAULT_COST);

}

/**

* Create a password manager with a specified cost

*

* @param cost the exponential computational cost of hashing a password, 0 to 30

*/

public PasswordAuthentication(int cost)

{

iterations(cost); /* Validate cost */

this.cost = cost;

this.random = new SecureRandom();

}

private static int iterations(int cost)

{

if ((cost < 0) || (cost > 30))

throw new IllegalArgumentException("cost: " + cost);

return 1 << cost;

}

/**

* Hash a password for storage.

*

* @return a secure authentication token to be stored for later authentication

*/

public String hash(char[] password)

{

byte[] salt = new byte[SIZE / 8];

random.nextBytes(salt);

byte[] dk = pbkdf2(password, salt, 1 << cost);

byte[] hash = new byte[salt.length + dk.length];

System.arraycopy(salt, 0, hash, 0, salt.length);

System.arraycopy(dk, 0, hash, salt.length, dk.length);

Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();

return ID + cost + '$' + enc.encodeToString(hash);

}

/**

* Authenticate with a password and a stored password token.

*

* @return true if the password and token match

*/

public boolean authenticate(char[] password, String token)

{

Matcher m = layout.matcher(token);

if (!m.matches())

throw new IllegalArgumentException("Invalid token format");

int iterations = iterations(Integer.parseInt(m.group(1)));

byte[] hash = Base64.getUrlDecoder().decode(m.group(2));

byte[] salt = Arrays.copyOfRange(hash, 0, SIZE / 8);

byte[] check = pbkdf2(password, salt, iterations);

int zero = 0;

for (int idx = 0; idx < check.length; ++idx)

zero |= hash[salt.length + idx] ^ check[idx];

return zero == 0;

}

private static byte[] pbkdf2(char[] password, byte[] salt, int iterations)

{

KeySpec spec = new PBEKeySpec(password, salt, iterations, SIZE);

try {

SecretKeyFactory f = SecretKeyFactory.getInstance(ALGORITHM);

return f.generateSecret(spec).getEncoded();

}

catch (NoSuchAlgorithmException ex) {

throw new IllegalStateException("Missing algorithm: " + ALGORITHM, ex);

}

catch (InvalidKeySpecException ex) {

throw new IllegalStateException("Invalid SecretKeyFactory", ex);

}

}

/**

* Hash a password in an immutable {@code String}.

*

* <p>Passwords should be stored in a {@code char[]} so that it can be filled

* with zeros after use instead of lingering on the heap and elsewhere.

*

* @deprecated Use {@link #hash(char[])} instead

*/

@Deprecated

public String hash(String password)

{

return hash(password.toCharArray());

}

/**

* Authenticate with a password in an immutable {@code String} and a stored

* password token.

*

* @deprecated Use {@link #authenticate(char[],String)} instead.

* @see #hash(String)

*/

@Deprecated

public boolean authenticate(String password, String token)

{

return authenticate(password.toCharArray(), token);

}

}

以上是 如何在Java中散列密码? 的全部内容, 来源链接: utcz.com/qa/404776.html

回到顶部