这几天因为CSDN明文密码泄露的事情闹得沸沸扬扬.在年关将至的时候火了一把.让我想起我们项目中的会员密码是如何保存的?
这部分代码是之前曹哥或张博士所留,平常虽然有看过,但也没有仔细研究,只记得有HASH有Salt(盐?).但到底如何实现,今天就当作复习了一下.
思路以前有所了解,首先产生一个5位数的Salt,然后将password和salt进行Hash.但是具体代码的实现,确实没有了解.
产生Salt:
/// <summary>
/// 产生随机的混入字符串
/// </summary>
/// <param name="length">产生的字符串的长度</param>
/// <returns>随机字符串</returns>
public static string CreateSalt(int length)
{
Random r = new Random();
StringBuilder sb = new StringBuilder(length);
for (int i = 0; i < length; i++)
{
sb.Append(constant[r.Next(constant.Length)]);
}
return sb.ToString();
}
在salt产生中使用了一个constant的数组:
private static char[] constant ={'0','1','2','3','4','5','6','7','8','9',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r',
's','t','u','v','w','x','y','z',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R',
'S','T','U','V','W','X','Y','Z' };
将password和salt混入并Hash:
/// <summary>
/// 混入并计算Hash值
/// </summary>
/// <param name="rawString">原始字符串</param>
/// <param name="salt">混入字符串</param>
/// <returns>混入后字符串的Hash值</returns>
public static string SaltAndHash(string rawString, string salt)
{
string plan = string.Concat(rawString, salt);
return plan.Hash();
}
hash算法:
/// <summary>
/// 计算字符串的Hash值
/// </summary>
/// <param name="planText">明文</param>
/// <returns>Hash值</returns>
public static string Hash(this string planText)
{
byte[] plan = Encoding.UTF8.GetBytes(planText);
SHA256 hasher = new SHA256Managed();
byte[] hashed = hasher.ComputeHash(plan);
return Convert.ToBase64String(hashed);
}