一:Hash +Salt 撒盐法
using System; using System.Text; using System.Security.Cryptography; namespace PasswordHash { /// <summary> /// 咸的密码散列pbkdf2-sha1。 /// Compatibility: .NET 3.0 and later. /// </summary> public class PasswordHash { // 下列常数可以在不破坏现有的哈希值的变化。 public const int SALT_BYTE_SIZE = 24; public const int HASH_BYTE_SIZE = 24; public const int PBKDF2_ITERATIONS = 1000; public const int ITERATION_INDEX = 0; public const int SALT_INDEX = 1; public const int PBKDF2_INDEX = 2; /// <summary> /// 创建一个咸PBKDF2散列密码。 /// </summary> /// <param name="password">散列密码。</param> /// <returns>密码的散列。</returns> public static string CreateHash(string password) { // 产生一个随机的盐 RNGCryptoServiceProvider csprng = new RNGCryptoServiceProvider(); byte[] salt = new byte[SALT_BYTE_SIZE]; csprng.GetBytes(salt); // 散列密码,并对参数进行编码 byte[] hash = PBKDF2(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE); return PBKDF2_ITERATIONS + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash); } /// <summary> /// 验证给定一个正确的哈希的密码。 /// </summary> /// <param name="password">检查密码。</param> /// <param name="correctHash">正确密码的散列。</param> /// <returns>如果密码正确的话。否则为假。</returns> public static bool ValidatePassword(string password, string correctHash) { // 从散列中提取参数 char[] delimiter = { ':' }; string[] split = correctHash.Split(delimiter); int iterations = Int32.Parse(split[ITERATION_INDEX]); byte[] salt = Convert.FromBase64String(split[SALT_INDEX]); byte[] hash = Convert.FromBase64String(split[PBKDF2_INDEX]); byte[] testHash = PBKDF2(password, salt, iterations, hash.Length); return SlowEquals(hash, testHash); } /// <summary> /// 比较两个字节数组的长度常数时间。这种比较 /// 方法是用这样的密码哈希值不能提取 /// 上线系统使用定时攻击,然后攻击离线。 /// </summary> /// <param name="a">第一字节数组。</param> /// <param name="b">第二字节数组。</param> /// <returns>如果两个字节数组都相等,则为真。否则为假。</returns> private static bool SlowEquals(byte[] a, byte[] b) { uint diff = (uint)a.Length ^ (uint)b.Length; for (int i = 0; i < a.Length && i < b.Length; i++) diff |= (uint)(a[i] ^ b[i]); return diff == 0; } /// <summary> /// 计算密码的哈希pbkdf2-sha1。 /// </summary> /// <param name="password">散列密码。</param> /// <param name="salt">盐。</param> /// <param name="iterations">该PBKDF2迭代次数。</param> /// <param name="outputBytes">散列来生成的长度,以字节为单位的。</param> /// <returns>密码的散列。</returns> private static byte[] PBKDF2(string password, byte[] salt, int iterations, int outputBytes) { Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(password, salt); pbkdf2.IterationCount = iterations; return pbkdf2.GetBytes(outputBytes); } } }
二:对PassWord进行MD5单向加密
1):
System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(msg, "MD5")
2):
/// <summary> /// MD5散列 /// </summary> public static string MD5(string inputStr) { MD5 md5 = new MD5CryptoServiceProvider(); byte[] hashByte = md5.ComputeHash(Encoding.UTF8.GetBytes(inputStr)); StringBuilder sb = new StringBuilder(); foreach (byte item in hashByte) sb.Append(item.ToString("x").PadLeft(2, '0')); return sb.ToString(); }