鹽噪聲和胡椒噪聲的區別_為什么加一點鹽對您的密碼很有用（但不包括胡椒粉！）

鹽噪聲和胡椒噪聲的區別

A brief note - this article is about the theory of how to crack hashed passwords. Understanding how cybercriminals execute attacks is extremely important for understanding how to secure systems against those types of attacks.

簡要說明-本文是有關如何破解哈希密碼的理論。了解網絡罪犯如何執行攻擊對于了解如何保護系統免受這些類型的攻擊極為重要。

But attempting to hack a system you do not own is likely illegal in your jurisdiction (plus hacking your own systems may [and often does] violate any warranty for that product).

但是，嘗試對您不擁有的系統進行黑客入侵在您的管轄范圍內可能是非法的(加上對您自己的系統進行黑客攻擊可能[并且經常]違反該產品的任何保證)。

This article assumes some level of knowledge of hashing functions and basic password cracking techniques - if you don't understand those topics, check out these articles.

本文假設您對散列函數和基本的密碼破解技術有所了解-如果您不理解這些主題，請查閱這些文章。

So, you've obtained a set of hashed passwords. Brute forcing the hash will take a very long time. How can you speed up this process?

因此，您已經獲得了一組哈希密碼。暴力破解哈希將花費很長時間。您如何加快這一過程？

等等，我以為哈希函數是單向的！您如何破解哈希函數？ (Wait, I thought hash functions were one-way! How do you crack hash functions? )

Unfortunately, the hashing functions which are used for hashing passwords aren't always as secure as generally approved hash functions. For example, the hashing function used for old Windows devices is known as LM Hash, which is so weak that it can be cracked in a few seconds.

不幸的是，用于哈希密碼的哈希函數并不總是像一般認可的哈希函數那樣安全。例如，用于舊Windows設備的哈希函數稱為LM哈希，它非常弱，可以在幾秒鐘內被破解。

Also, you don't need to reverse engineer the hash. Instead, you can use a pre-computed set of plaintext passwords and the corresponding hash value (<password>, <hash>). This tells a hacker what plaintext value produces a specific hash.

另外，您不需要對哈希進行反向工程。而是可以使用一組預先計算的純文本密碼和相應的哈希值(<password>，<hash>)。這告訴黑客什么純文本值會產生特定的哈希。

With this you'll know what plaintext value produces the hash you're looking for. When you enter a password the computer will hash this value and compare it to the stored value (where it will match) and you'll be able to authenticate. Thus, you don't actually need to guess someone's password, just a value which will create the same hash.

有了它，您將知道什么純文本值會生成您要查找的哈希。輸入密碼后，計算機將對該值進行哈希處理并將其與存儲的值(匹配的值)進行比較，然后您便可以進行身份??驗證。因此，您實際上不需要猜測某個人的密碼，只需猜測一個將創建相同哈希值的值即可。

This is called a collision. Essentially, as a hash can take data of any length or content, there are unlimited possibilities for data which can be hashed.

這稱為碰撞。本質上，由于散列可以獲取任何長度或內容的數據，因此可以散列數據的可能性是無限的。

Since a hash converts this text into a fixed length content (for example, 32 characters), there are a finite number of combinations for a hash. It is a very very large number of possibilities, but not an infinite one.

由于哈希將文本轉換為固定長度的內容(例如32個字符)，因此哈希的組合數量有限。這是非常眾多的可能性，但不是無限的。

Eventually two different sets of data will yield the same hash value.

最終，兩組不同的數據將產生相同的哈希值。

Precomputed tables are very helpful in achieving this, as they save significant time and computing power. Using a pre-computed set of hashes to look up a password hash is called a 'lookup-table attack'. These tables are used by system administrators to test the strength of their users' passwords, and are often available online or for purchase. However, they can also be used by nefarious hackers.

預先計算的表對于實現此目標非常有幫助，因為它們可以節省大量時間和計算能力。使用一組預先計算的哈希表來查找密碼哈希稱為“查找表攻擊”。系統管理員使用這些表來測試其用戶密碼的強度，并且通常可以在線購買或購買。但是，邪惡的黑客也可以使用它們。

If a password is insecure (let's say someone uses a password 5 characters long), it can be relatively easily cracked. For example, a password of 5 lowercase characters can only be used to create 11,881,376 different passwords (26^5).

如果密碼不安全(例如，某人使用5個字符長的密碼)，則可以相對容易地破解它。例如，5個小寫字符的密碼只能用于創建11,881,376個不同的密碼(26 ^ 5)。

For a hash of this password, even if the hash is cryptographically secure (uses an appropriate algorithm), it would still be very easy to compute all possible passwords and their corresponding hashes. Lookup tables work very well for these types of password hashes.

對于此密碼的散列，即使該散列在密碼上是安全的(使用適當的算法)，也將非常容易計算所有可能的密碼及其對應的哈希。查找表對于這些類型的密碼哈希非常有效。

However, as passwords increase in length, the storage (and therefore storage cost) you need for every possible password and the corresponding hash grows exponentially.

但是，隨著密碼長度的增加，每個可能的密碼所需的存儲空間(以及因此的存儲成本)和相應的哈希值呈指數增長。

For example if the password you're trying to crack is 8 characters long but uses numbers (10 digits), lowercase letters (26), uppercase letters (26), and some special characters (10), the number of possible passwords jumps to 722,204,136,308,736 - which is A LOT of storage space, when you realize each is hashed with a hashing function like SHA-256.

例如，如果您嘗試破解的密碼長8個字符，但使用數字(10位數字)，小寫字母(26)，大寫字母(26)和某些特殊字符(10)，則可能的密碼數跳至722,204,136,308,736-這是很多存儲空間，當您意識到每個對象都使用SHA-256之類的哈希函數進行哈希處理時。

Rainbow tables address this issue by offering reduced storage needs, but they take more time to compute the potential passwords. At the most basic level, these are essentially pre-computed lookup tables which enable you to quickly find the plaintext which matches the hash you have. If the hash and plaintext are contained in the table you have - similar to dictionary attacks - you're only looking to see if the password is contained in the table you have. If it isn't, you won't be able to crack the password. You can find these online for free or for purchase.

Rainbow表通過減少存儲需求來解決此問題，但是它們花費更多的時間來計算潛在的密碼。在最基本的級別上，這些本質上是預先計算的查找表，使您可以快速查找與您的哈希匹配的純文本。如果哈希表和明文包含在您的表中-類似于字典攻擊-您只是在查看密碼是否包含在您的表中。如果不是，您將無法破解密碼。您可以免費在線購買或購買這些產品。

Check out this article for a tutorial on creating your own rainbow tables.

請查看本文，以獲取有關創建自己的彩虹表的教程。

我還是很感興趣彩虹桌如何運作？ (I'm still interested. How do rainbow tables work? )

If you want to skip the detailed explanation of how these work, feel free to scroll down to the 'How to protect against these attacks' section.

如果您想跳過有關它們如何工作的詳細說明，請隨時向下滾動至“如何防范這些攻擊”部分。

In order to save yourself from hashing and storing each possible plaintext until you find the hash you need (like a lookup table), you hash each plaintext and store the result in a table to look up later without having to regenerate them. This takes longer, but saves memory.

為了使自己免于散列和存儲每個可能的純文本，直到找到所需的哈希(如查找表)為止，您對每個純文本進行哈希處理并將結果存儲在表中，以便以后查找而不必重新生成它們。這需要更長的時間，但可以節省內存。

To generate the table, you create 'chains' of hashes and plaintext using a hashing function and a reduction function. A reduction function just creates plaintext from a hash (it doesn't reverse engineer the hash, but rather creates different plaintext from the hash). It is also a one-way function.

要生成表，您可以使用哈希函數和歸約函數創建哈希和明文的“鏈”。歸約函數僅從哈希創建純文本(它不會對哈希進行反向工程，而是從哈希創建不同的純文本)。它也是單向功能。

Thus in order to compute the table, you use one of your hashes, h1, in your reduction function, R(), in order to create the plaintext p1.

因此，為了計算表，您可以在歸約函數R()中使用哈希之一h1來創建純文本p1。

R(h1) = p1.

R(h1)= p1。

Then you use the hash function H() with p1 to create a new hash.

然后，將哈希函數H()與p1一起使用以創建新的哈希。

H(p1) = h2.

H(p1)= h2。

Using our example from before:

使用之前的示例：

If the set of plaintext is [abcdefghijklmnopqrstuvwxyz]{5} (we're looking for a rainbow table of all passwords composed of lowercase letters of length 5) and we're using MD5 (a hashing algorithm):

如果明文集為[abcdefghijklmnopqrstuvwxyz] {5}(我們正在尋找由長度為5的小寫字母組成的所有密碼的彩虹表)，則我們使用的是MD5(哈希算法)：

A hash might be ab56b4d92b40713acc5af89985d4b786 (h1). Now, we apply the reduction function, which could be as simple taking the last 5 letters in the hash.

哈希可能是ab56b4d92b40713acc5af89985d4b786(h1)。現在，我們應用歸約函數，該函數可以很簡單地獲取哈希中的最后5個字母。

R(ab56b4d92b40713acc5af89985d4b786) = cafdb

R(ab56b4d92b40713acc5af89985d4b786)= cafdb

H(cafdb) = 81a516edabf924cd0f727d329e855b1f

H(cafdb)= 81a516edabf924cd0f727d329e855b1f

他們為什么叫彩虹桌？ (Why are they called rainbow tables?)

Each column uses a different reduction function. So if each column were colored, it would be a very long, skinny rainbow. ?

每列使用不同的歸約函數。因此，如果每列都是彩色的，那將是一條很長的細彩虹。

Using different reduction functions reduces the number of chain merges (collisions) which happened frequently with hash-chains, the predecessor to rainbow tables. This essentially means that if you keep using the same reduction function, there's a chance you'll end up with two different chains which converge to the same plaintext. Using different reduction functions reduces the chance of this happening, though it isn't impossible.

使用不同的歸約函數可減少哈希表(彩虹表的前身)經常發生的鏈合并(沖突)的次數。從本質上講，這意味著如果您繼續使用相同的歸約函數，則有可能最終得到兩條不同的鏈，它們會收斂到相同的明文。盡管并非不可能，但使用不同的歸約函數可以減少這種情況的發生。

太好了，您如何創建一條鏈？ (Great, how do you create a chain?)

In order to create a chain, you're using your reduction function and hashing function (both one way) to create a 'chain' of hashes and plaintext. Each of these 'chains' would continue for k steps, and when the chain ends, will store only the first plaintext and the last hash in the chain.

為了創建鏈，您使用歸約函數和哈希函數(兩種方式)來創建散列和純文本的“鏈”。這些“鏈”中的每一個都將連續k個步驟，并且當鏈結束時，將僅存儲鏈中的第一個純文本和最后一個哈希。

So, a sample chain looks like this:

因此，示例鏈如下所示：

p1 -> h1 = H(p1) -> R1(h1) = p2 -> H(p2) = h2 -> R2(h2) = p3 -> H(p3) = h3

p1-> h1 = H(p1)-> R1(h1)= p2-> H(p2)= h2-> R2(h2)= p3-> H(p3)= h3

Each reduction function is different (represented by R1, R2, R3, etc.) A sample table of chains (each row is a chain of length 5) looks like the following. Note that this is populated with fake data just to give you an example - the hashing function isn't a hash function you would find used to hash passwords.

每個歸約函數都是不同的(用R1，R2，R3等表示)。鏈的樣本表(每行是長度為5的鏈)如下所示。請注意，這里填充了虛假數據，僅舉一個例子-哈希函數不是您會發現用來哈希密碼的哈希函數。

The reduction functions, R1 and R2 are defined as follows – R1 takes the first 3 digits of the hash, and R2 takes the last 2 letters of the hash:

約簡函數R1和R2的定義如下-R1接受哈希的前3位數字，R2接受哈希的后2個字母：

p1 -> h1 = H(p1) -> R1(h1) = p2 -> H(p2) = h2 -> R2(h2) = p3 -> H(p3) = h3

p1-> h1 = H(p1)-> R1(h1)= p2-> H(p2)= h2-> R2(h2)= p3-> H(p3)= h3

2 ?-—> ?abdu2934 ? -—> ?293 ?-—> ?83kdnif8 ?-—> ?if ?-—> ?ike83jd3

2--> abdu2934--> 293--> 83kdnif8-->如果--> ike83jd3

15 ?-—> ?dks2ne94 ?-—> ? 294 ?-—> ?ld932nd9 ?-—> ?ld ?-—> ?ldie938d

15-> dks2ne94-> 294-> ld932nd9-> ld-> ldie938d

20 ?-—> ?ld93md8d ?-—> ?938 ?-—> ?lxked93k ?-—> ?lx ?-—> ?93mdkg8d

20-> ld93md8d-> 938-> lxked93k-> lx-> 93mdkg8d

In a rainbow table, only the first starting point and the endpoint are saved to save on storage, like this:

在Rainbow表中，僅保存第一個起點和終點以保存在存儲器中，如下所示：

starting point (plaintext) endpoint, after k steps through the chain (hash)

在k遍歷鏈(哈希)之后的起點(純文本)端點

p1 ?-—> ? h1k

p1-> h1k

p2 ?-—> ? h2k

p2-> h2k

p3 ?-—> ? ? ? ? ?h3k

p3-> h3k

Then when you have a hash (h) where you don't know the plaintext (?), you'll compare it to the chains.

然后，當您有一個不知道明文(？)的哈希(h)時，會將其與鏈進行比較。

First, you'll check if the hash is in the list of final hashes (h1k, h2k, etc.). If so, you can move to step 3.
首先，您將檢查哈希是否在最終哈希(h1k，h2k等)列表中。如果是這樣，則可以轉到步驟3。
If not, you can reduce the hash to different plaintext (R1) and then hash that plaintext (using the hash function and next reduction function above) and compare it to the list of final hashes (h1k, h2k, h3k, etc.). When it matches one of the final hashes, that chain will likely contain the original hash.
如果不是，則可以將散列簡化為不同的明文(R1)，然后對該散文進行散列(使用上面的散列函數和下一個歸約函數)，并將其與最終散列表(h1k，h2k，h3k等)進行比較。當它與最終哈希之一匹配時，該鏈可能會包含原始哈希。
In order to find the original hash in the chain, take that chain's starting plaintext (so if it matches h1k, start with p1) and apply the hashing and reduction functions to move along the chain until you reach the known hash and its corresponding plaintext. This way you can move through the hashes in the chain without having them take up storage space on your machine.
為了找到鏈中的原始哈希，請采用該鏈的起始明文(因此，如果匹配h1k，則從p1開始)，并應用哈希和歸約函數沿鏈移動，直到到達已知的哈希及其對應的明文為止。這樣，您就可以遍歷鏈中的哈希，而不會占用機器上的存儲空間。

While you can't be sure that the chains will contain the hash you need, the more chains you've generated (or are referencing) the more certain you can be. Unfortunately, each chain is time-intensive to generate, and increasing the number of chains increases the time you need.

雖然不能確定鏈中是否包含所需的哈希，但是生成(或引用)的鏈越多，確定性就越高。不幸的是，每個鏈條的生成都非常耗時，并且增加鏈條數會增加您所需的時間。

您如何防御這些類型的攻擊？ (How do you defend against these types of attacks?)

First, a layered defense of all systems. If you can prevent compromise of your systems via other methods (so the attacker can't get a copy of your hashed passwords), the attacker won't be able to crack them.

首先，對所有系統進行分層防御。如果您可以通過其他方法防止系統受到損害(攻擊者無法獲得哈希密碼的副本)，則攻擊者將無法破解它們。

You can also use salting, which adds a random value to the password before encrypting it. That means that the precomputed value you've found (which matches the hash) won't work. The encrypted text is not based solely on the unencrypted text. Because the salt is different for each password, each needs to be cracked individually.

您也可以使用鹽析，在加密之前會在密碼中添加隨機值。這意味著您找到的預計算值(與哈希匹配)將不起作用。加密的文本不僅僅基于未加密的文本。由于每個密碼的符號不同，因此每個密碼都需要單獨破解。

Salting is now included in most major hash types as an option. While Windows doesn't currently use salting, they can encrypt stored hashes if you use the 'SYSKEY' tool.

現在，鹽分包含在大多數主要的哈希類型中，作為一種選擇。盡管Windows當前不使用鹽分，但如果您使用“ SYSKEY”工具，它們可以加密存儲的哈希。

You can also use 'rounds', or hashing a password multiple times. Using rounds (particularly if the number of rounds is randomly chosen for each user), makes the hacker's job harder. This is most effective when combined with salting.

您還可以使用“回合”，或多次對密碼進行哈希處理。使用回合(特別是如果為每個用戶隨機選擇回合數)，會使黑客的工作更加困難。與鹽腌結合使用時最有效。

Unfortunately, a hacker who has the hashed passwords will have also have access to the number of rounds used and the salt used (because in order to get that list they've probably compromised . The salt and number of rounds used is stored with the password hash, meaning that if the attacker has one, they also have the other. However, they won't be able to use precomputed rainbow tables available online, and will have to compute their own tables (which is extremely time consuming).

不幸的是，擁有哈希密碼的黑客也可以訪問已使用的輪數和使用的鹽(因為為了獲得他們可能已經入侵的列表。使用的鹽和輪數與密碼一起存儲哈希，這意味著如果攻擊者擁有一個，那么他們也將擁有另一個，但是，他們將無法使用在線提供的預先計算的彩虹表，而必須計算自己的表(這非常耗時)。

One other method designed to increase the difficulty of cracking the password is to use a pepper. Pepper is similar to salt, but while a salt is not secret (it's stored with the hashed password), pepper is stored separately (for example, in a configuration file) in order to prevent a hacker from accessing it. This means the pepper is secret, and its effectiveness depends on this.

旨在增加破解密碼難度的另一種方法是使用胡椒。 Pepper與鹽類似，但是鹽不是秘密的(使用哈希密碼存儲)，但是胡椒被單獨存儲(例如，在配置文件中)，以防止黑客訪問它。這意味著胡椒是秘密的，其有效性取決于此。

Pepper needs to be different for each application it is used for, and should be long enough to be secure. At least 112 bits is recommended by the National Institute of Standards and Technology.

Pepper需要針對每種應用程序而有所不同，并且應足夠長以確保安全。美國國家標準技術研究院建議至少使用112位。

While using a pepper can be effective in some cases, there are some downsides. First, no current algorithm supports peppers, which means practically, this is impossible to implement at scale. That is, unless you're creating your own algorithms. Listen to Bruce Schneier. Don't do that.

雖然在某些情況下使用胡椒粉可能有效，但也有一些缺點。首先，當前沒有算法支持Pepper，這實際上意味著不可能大規模實現。也就是說，除非您要創建自己的算法。聽Bruce Schneier的話。 不要那樣做

For a longer article on the problems with peppers, check out this thread.

有關胡椒問題的更長篇文章，請查看此主題。

Finally, use strong (at least 12 character), complex passwords, and implement strong password policies across all systems. This can include forcing users to create strong passwords, testing their strength regularly, using password managers on an enterprise level, enforcing use of 2FA, and so on.

最后，使用強密碼(至少12個字符)，復雜的密碼，并在所有系統上實施強密碼策略。這可以包括強制用戶創建強密碼，定期測試其強度，在企業級別上使用密碼管理器，強制使用2FA等。

Confused about what makes a strong password?

對什么使強密碼感到困惑？

被黑客入侵似乎很容易。我應該擔心嗎？ (It seems really easy to get hacked. Should I be concerned? )

The most important thing to remember about hacking is that no one wants to do more work than they have to do. For example, calculating rainbow tables is a lot of work. If there's an easier way to get your password, that's probably what a nefarious actor will try first (like phishing!).

關于黑客，要記住的最重要的事情是，沒有人愿意做比他們需要做的更多的工作。例如，計算彩虹表是很多工作。如果有一種更簡單的方式來獲取密碼，那可能是一個邪惡的演員首先嘗試的方式(例如網絡釣魚！)。

That means that enabling basic cyber security best practices is probably the easiest way to prevent getting hacked. In fact, Microsoft recently reported that just enabling 2FA will end up blocking 99.9% of automated attacks.

這意味著啟用基本的網絡安全最佳實踐可能是防止被黑客入侵的最簡單方法。實際上，微軟最近報告說，僅啟用2FA最終將阻止99.9％的自動攻擊。