Create a secure password hash in PHP, but check it in Access VBA

Question  Votes: 0  Answers: 1

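I have now read a lot of pages and am starting to think about hashing passwords.

I created an MS Access application that connects to a MySQL backend on a VPS. I use strong passwords for the users, only allow remote MySQL connections from permitted static IPs, and I am using an SSL connection with a certificate and server key.

My next step is to make sure passwords are hashed and stored correctly, but here is my dilemma:

  • User accounts are created on my website (PHP) before the application is downloaded and logged into with the username and password that were created.

I need to find a way to store these passwords that is "reasonably strong, but not so silly that I can't use it right now".

I am handling usernames and addresses, and possibly some confidential information.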

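Now, my understanding (and I am new to this hashing business) is that I should:

  • Create a random SALT for each new password
  • Store the salt in the table for the user
  • Hash using bCrypt or sCrypt (SALT + PASS)
  • For extra security, I could use HMAC with a key (stored on a different server)

First: am I understanding this correctly?

Second:

  • bCrypt or sCrypt is available in VBA on MS Access, and since I have users logging in via this method, I am at a loss.
  • I did find some packages to buy (cryptoApi etc.) which can apparently be accessed from both VBA and PHP...

Any ideas or suggestions here? PHP and VBA obviously both need to use the same system. My current SHA1 is not good enough by any standard!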

php vba ms-access hash
1 Answer
0
votes

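Some notes:

  1. HMAC is for message authentication, not for hashing passwords.
  2. BCrypt or SCrypt is not implemented in the Windows API, while SHA256/384/512 is not implemented in the Windows API. SHA512 is very secure for hashing passwords.

If we go with SHA512, you can use the hashing approach I shared earlier here. That code uses the Windows CNG API, and the allowed hash algorithms, with the corresponding OS support, are listed here. Calling it is as simple as HashString("SomePassword" & "SomeSalt"). It returns a byte array, which you can convert to Base64 for convenience, but storing it as binary is more efficient.

You can use the same API to generate random numbers (the salt). I have outlined an approach for integers here, but you will probably want to generate random bytes and then put the string in front of those bytes.

Another challenge is character encoding. PHP is UTF-8, Access is UTF-16 and does not really do UTF-8. If you limit the possible characters to ASCII, you can use StrConv in VBA to cast the string to ANSI and verify that there are no non-ASCII characters in it. If you want to convert the string to UTF-8 in VBA, you need another API call (WideCharToMultiByte) before hashing. Note that Unicode in passwords carries a UX hazard, because some operating systems represent special characters as composite characters and others do not, and that difference will cause password mismatches, so there is an argument for sticking to ASCII.

See the hashing code below: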

Public Declare PtrSafe Function BCryptOpenAlgorithmProvider Lib "BCrypt.dll" (ByRef phAlgorithm As LongPtr, ByVal pszAlgId As LongPtr, ByVal pszImplementation As LongPtr, ByVal dwFlags As Long) As Long
Public Declare PtrSafe Function BCryptCloseAlgorithmProvider Lib "BCrypt.dll" (ByVal hAlgorithm As LongPtr, ByVal dwFlags As Long) As Long
Public Declare PtrSafe Function BCryptCreateHash Lib "BCrypt.dll" (ByVal hAlgorithm As LongPtr, ByRef phHash As LongPtr, pbHashObject As Any, ByVal cbHashObject As Long, ByVal pbSecret As LongPtr, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Public Declare PtrSafe Function BCryptHashData Lib "BCrypt.dll" (ByVal hHash As LongPtr, pbInput As Any, ByVal cbInput As Long, Optional ByVal dwFlags As Long = 0) As Long
Public Declare PtrSafe Function BCryptFinishHash Lib "BCrypt.dll" (ByVal hHash As LongPtr, pbOutput As Any, ByVal cbOutput As Long, ByVal dwFlags As Long) As Long
Public Declare PtrSafe Function BCryptDestroyHash Lib "BCrypt.dll" (ByVal hHash As LongPtr) As Long
Public Declare PtrSafe Function BCryptGetProperty Lib "BCrypt.dll" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, ByRef pbOutput As Any, ByVal cbOutput As Long, ByRef pcbResult As Long, ByVal dfFlags As Long) As Long

Public Function NGHash(pData As LongPtr, lenData As Long, Optional HashingAlgorithm As String = "SHA1") As Byte()
    'Erik A, 2019
    'Hash data by using the Next Generation Cryptography API
    'Loosely based on https://docs.microsoft.com/en-us/windows/desktop/SecCNG/creating-a-hash-with-cng
    'Allowed algorithms:  https://docs.microsoft.com/en-us/windows/desktop/SecCNG/cng-algorithm-identifiers. Note: only hash algorithms, check OS support
    'Error messages not implemented
    On Error GoTo VBErrHandler
    Dim errorMessage As String

    Dim hAlg As LongPtr
    Dim algId As String

    'Open crypto provider
    algId = HashingAlgorithm & vbNullChar
    If BCryptOpenAlgorithmProvider(hAlg, StrPtr(algId), 0, 0) Then GoTo ErrHandler

    'Determine hash object size, allocate memory
    Dim bHashObject() As Byte
    Dim cmd As String
    cmd = "ObjectLength" & vbNullChar
    Dim Length As Long
    If BCryptGetProperty(hAlg, StrPtr(cmd), Length, LenB(Length), 0, 0) <> 0 Then GoTo ErrHandler
    ReDim bHashObject(0 To Length - 1)

    'Determine digest size, allocate memory
    Dim hashLength As Long
    cmd = "HashDigestLength" & vbNullChar
    If BCryptGetProperty(hAlg, StrPtr(cmd), hashLength, LenB(hashLength), 0, 0) <> 0 Then GoTo ErrHandler
    Dim bHash() As Byte
    ReDim bHash(0 To hashLength - 1)

    'Create hash object
    Dim hHash As LongPtr
    If BCryptCreateHash(hAlg, hHash, bHashObject(0), Length, 0, 0, 0) <> 0 Then GoTo ErrHandler

    'Hash data
    If BCryptHashData(hHash, ByVal pData, lenData) <> 0 Then GoTo ErrHandler
    If BCryptFinishHash(hHash, bHash(0), hashLength, 0) <> 0 Then GoTo ErrHandler

    'Return result
    NGHash = bHash
ExitHandler:
    'Cleanup
    If hAlg <> 0 Then BCryptCloseAlgorithmProvider hAlg, 0
    If hHash <> 0 Then BCryptDestroyHash hHash
    Exit Function
VBErrHandler:
    errorMessage = "VB Error " & Err.Number & ": " & Err.Description
ErrHandler:
    If errorMessage <> "" Then MsgBox errorMessage
    Resume ExitHandler
End Function


Public Function HashBytes(Data() As Byte, Optional HashingAlgorithm As String = "SHA512") As Byte()
    HashBytes = NGHash(VarPtr(Data(LBound(Data))), UBound(Data) - LBound(Data) + 1, HashingAlgorithm)
End Function

Public Function HashString(str As String, Optional HashingAlgorithm As String = "SHA512") As Byte()
    HashString = NGHash(StrPtr(str), Len(str) * 2, HashingAlgorithm)
End Function
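
The PHP side of the scheme described in this answer, as an added example that is not part of the original answer: it converts the UTF-8 input to UTF-16LE before SHA-512 so the digest equals what `HashString(password & salt)` returns in VBA, and it accepts only printable ASCII, as the answer suggests. The function names, the hex-string salt format and the sample password are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: PHP counterpart of the VBA HashString(password & salt) call.
// Function names and the hex-string salt format are assumptions for illustration.

const HASH_ALGO = 'sha512';

// Reject anything outside printable ASCII so both sides hash identical characters.
function assert_ascii(string $s): void
{
    if ($s === '' || preg_match('/[^\x20-\x7E]/', $s) === 1) {
        throw new InvalidArgumentException('Only printable ASCII is accepted');
    }
}

// VBA strings are UTF-16LE in memory and HashString hashes Len(str) * 2 raw bytes,
// so the UTF-8 PHP string is converted before hashing (requires ext-mbstring).
function access_compatible_hash(string $password, string $saltHex): string
{
    assert_ascii($password);
    $utf16 = mb_convert_encoding($password . $saltHex, 'UTF-16LE', 'UTF-8');
    return hash(HASH_ALGO, $utf16, true); // raw 64-byte digest, e.g. for a BINARY(64) column
}

// Called when the account is created on the website.
function create_credentials(string $password): array
{
    $saltHex = bin2hex(random_bytes(16)); // per-user random salt, stored next to the hash
    return ['salt' => $saltHex, 'hash' => access_compatible_hash($password, $saltHex)];
}

// Constant-time comparison, for a PHP-side login against the same stored row.
function verify_password(string $password, string $saltHex, string $storedHash): bool
{
    return hash_equals($storedHash, access_compatible_hash($password, $saltHex));
}

// Constructed sample run.
$row = create_credentials('Correct-Horse-42');
var_dump(verify_password('Correct-Horse-42', $row['salt'], $row['hash']));
var_dump(verify_password('correct-horse-42', $row['salt'], $row['hash']));
// Hashing the UTF-8 bytes directly produces a different digest than the VBA client computes.
var_dump(hash_equals($row['hash'], hash(HASH_ALGO, 'Correct-Horse-42' . $row['salt'], true)));
```

On the Access side, the stored salt string is read from the user's row and the byte array returned by `HashString(password & salt)` is compared with the stored hash.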