我需要散列密码以存储在数据库中。我怎样才能在 Java 中做到这一点?
我希望获取纯文本密码,添加随机盐,然后将盐和散列密码存储在数据库中。
然后当用户想要登录时,我可以获取他们提交的密码,从他们的帐户信息中添加随机盐,对其进行哈希处理,看看它是否等同于存储的哈希密码和他们的帐户信息。
您实际上可以使用 Java 运行时内置的工具来执行此操作。Java 6 中的 SunJCE 支持 PBKDF2,这是一个很好的密码散列算法。
byte[] salt = new byte[16]; random.nextBytes(salt); KeySpec spec = new PBEKeySpec("password".toCharArray(), salt, 65536, 128); SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); byte[] hash = f.generateSecret(spec).getEncoded(); Base64.Encoder enc = Base64.getEncoder(); System.out.printf("salt: %s%n", enc.encodeToString(salt)); System.out.printf("hash: %s%n", enc.encodeToString(hash));
这是一个可用于 PBKDF2 密码身份验证的实用程序类:
import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.security.spec.InvalidKeySpecException; import java.security.spec.KeySpec; import java.util.Arrays; import java.util.Base64; import java.util.regex.Matcher; import java.util.regex.Pattern; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.PBEKeySpec; /** * Hash passwords for storage, and test passwords against password tokens. * * Instances of this class can be used concurrently by multiple threads. * * @author erickson * @see <a href="http://stackoverflow.com/a/2861125/3474">StackOverflow</a> */ public final class PasswordAuthentication { /** * Each token produced by this class uses this identifier as a prefix. */ public static final String ID = "$31$"; /** * The minimum recommended cost, used by default */ public static final int DEFAULT_COST = 16; private static final String ALGORITHM = "PBKDF2WithHmacSHA1"; private static final int SIZE = 128; private static final Pattern layout = Pattern.compile("\\$31\\$(\\d\\d?)\\$(.{43})"); private final SecureRandom random; private final int cost; public PasswordAuthentication() { this(DEFAULT_COST); } /** * Create a password manager with a specified cost * * @param cost the exponential computational cost of hashing a password, 0 to 30 */ public PasswordAuthentication(int cost) { iterations(cost); /* Validate cost */ this.cost = cost; this.random = new SecureRandom(); } private static int iterations(int cost) { if ((cost < 0) || (cost > 30)) throw new IllegalArgumentException("cost: " + cost); return 1 << cost; } /** * Hash a password for storage. * * @return a secure authentication token to be stored for later authentication */ public String hash(char[] password) { byte[] salt = new byte[SIZE / 8]; random.nextBytes(salt); byte[] dk = pbkdf2(password, salt, 1 << cost); byte[] hash = new byte[salt.length + dk.length]; System.arraycopy(salt, 0, hash, 0, salt.length); System.arraycopy(dk, 0, hash, salt.length, dk.length); Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding(); return ID + cost + '$' + enc.encodeToString(hash); } /** * Authenticate with a password and a stored password token. * * @return true if the password and token match */ public boolean authenticate(char[] password, String token) { Matcher m = layout.matcher(token); if (!m.matches()) throw new IllegalArgumentException("Invalid token format"); int iterations = iterations(Integer.parseInt(m.group(1))); byte[] hash = Base64.getUrlDecoder().decode(m.group(2)); byte[] salt = Arrays.copyOfRange(hash, 0, SIZE / 8); byte[] check = pbkdf2(password, salt, iterations); int zero = 0; for (int idx = 0; idx < check.length; ++idx) zero |= hash[salt.length + idx] ^ check[idx]; return zero == 0; } private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) { KeySpec spec = new PBEKeySpec(password, salt, iterations, SIZE); try { SecretKeyFactory f = SecretKeyFactory.getInstance(ALGORITHM); return f.generateSecret(spec).getEncoded(); } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException("Missing algorithm: " + ALGORITHM, ex); } catch (InvalidKeySpecException ex) { throw new IllegalStateException("Invalid SecretKeyFactory", ex); } } /** * Hash a password in an immutable {@code String}. * * <p>Passwords should be stored in a {@code char[]} so that it can be filled * with zeros after use instead of lingering on the heap and elsewhere. * * @deprecated Use {@link #hash(char[])} instead */ @Deprecated public String hash(String password) { return hash(password.toCharArray()); } /** * Authenticate with a password in an immutable {@code String} and a stored * password token. * * @deprecated Use {@link #authenticate(char[],String)} instead. * @see #hash(String) */ @Deprecated public boolean authenticate(String password, String token) { return authenticate(password.toCharArray(), token); } }