- Usawoti uwuchungechunge olungahleliwe olungezwa kuphasiwedi ngaphambi kwe-hashi ukuze kuzuzwe ama-hashes ahlukile ngomsebenzisi ngamunye.
- Linux Igcina i-hashi, usawoti kanye ne-algorithm ku-/etc/shadow, iqinisa ukuphepha ekuhlaselweni kwesichazamazwi namathebula othingo.
- Izenzo ezinhle zidinga usawoti omude, ongahleliwe, nohlukile, kanye nama-hash algorithms aqinile kanye yolwazi ivikelwe kahle.
- I-password salting kufanele ihlanganiswe nezinqubomgomo zokuphepha ezibanzi ezihlanganisa amagama ayimfihlo aqinile, i-MFA, nabaphathi bephasiwedi.
Uma usebenza nezinhlelo ze-GNU/Linux noma ukhathazekile ngokuvikeleka kwama-akhawunti akho, mhlawumbe uke wezwa ngakho. usawoti ku-hashi yephasiwediIngenye yaleyo miqondo eshiwo kakhulu, kodwa ngokuvamile iwuhhafu kuphela eqondwayo: izwakala njengobuchwepheshe, kodwa empeleni yenza umehluko phakathi kwesistimu okulula ukunqamuka naleyo ekwazi ukumelana nokuhlaselwa.
Ngamafuphi, usawoti u-a isici esibalulekile sokwenza ama-hashi ephasiwedi angalindelekiIsebenza ngokungeza idatha engahleliwe ngaphambi kokusebenzisa i-algorithm ye-hashi ukuze, noma ngabe abasebenzisi ababili banephasiwedi efanayo, umphumela ogcinwe kusizindalwazi uzohluka. Ukusuka lapho, ukuqaliswa okuqondile ku-Linux, ubudlelwano bayo ne/etc/shadow, amathuluzi afana ne-mkpasswd, kanye nemikhuba emihle yokuphepha yesimanje ingumhlaba wonke ngokwawo, esizowuhlola ngokuningiliziwe.
Uyini ngempela usawoti ku-hashi yephasiwedi?
Ku-cryptography, a usawoti (usawoti) a umucu wezinhlamvu okungahleliwe enamathiselwe kuphasiwedi yomsebenzisi ngaphambi kokufaka umsebenzi we-hash. Umgomo uwukuba i-hashi ewumphumela ihluke ngisho noma igama eliyimfihlo eliyimfihlo lifana kubasebenzisi abaningi.
Uma umsebenzisi edala noma eshintsha iphasiwedi yakhe, isistimu ikhiqiza a usawoti ongahleliweIhlanganisa nephasiwedi (ngaphambi, ngemva, noma ngefomethi ethile kuye ngohlelo) futhi isebenzisa i-algorithm ye-hashi kuleyo nhlanganisela, njengokuthi I-SHA-256 o I-SHA-512I-password ayigcinwa ku-database, kodwa kunalokho i-hash ye (iphasiwedi + usawoti), futhi ezinhlelweni eziningi usawoti ngokwawo nawo ugcinwa kanye ne-hashi.
Lolu hlelo lokusebenza lunikeza izinketho eziningi amasu okuhlasela asekelwe kuma-hashes acatshangelwe kusengaphambili, njengamathebula othingo, futhi kwenza kube nzima kakhulu ukuhlasela kwesichazamazwi nokuhlasela kwe-brute-force ngezinga elikhulu. Umhlaseli ngeke esakwazi ukuxhaphaza iqiniso lokuthi abasebenzisi abaningi babelana ngephasiwedi, ngoba ngamunye uzoba ne-hashi ehlukile.
Kubalulekile ukuqonda ukuthi usawoti awuyona imfihlo ngokwawo: Akuyona iphasiwedi noma ukhiye oyimfihloUmsebenzi wawo ukwethula ukungahleleki kanye nokuhluka kunqubo ye-hashing. Ukuvikeleka kusancike ekusebenziseni amaphasiwedi aqinile y ama-algorithms we-hash afanelekile, eklanyelwe ngokukhethekile amagama ayimfihlo (afana ne-bcrypt, scrypt, Argon2), nakuba izinhlelo eziningi ze-Linux zakudala zisebenzisa okuhlukile kwe-SHA-256 noma i-SHA-512.
Isebenza kanjani i-password salting step by step
Inqubo ye-salting ingafingqwa ochungechungeni lwezinyathelo ezilula, kodwa nge umthelela omkhulu kwezokuphepha:
Okokuqala, lapho umsebenzisi ebhalisa noma eshintsha iphasiwedi yakhe, isistimu ikhiqiza a usawoti oyingqayizivele futhi ongahleliwe kuleso siqinisekiso. Lowo sawoti uvame ukuba nobude obanele (isibonelo, amabhayithi angu-16 noma ngaphezulu) futhi utholakala kujeneretha yenombolo engahleliwe evikelekile ngokuyimfihlo.
Okulandelayo, igama-mfihlo elikhethwe umsebenzisi lihlanganiswa nalolo sawoti ukwenza a iketango eliphakathiLe nhlanganisela ingaba lula njengokuhlanganisa usawoti + iphasiwedi, noma ingaba nefomethi eyinkimbinkimbi echazwe ngohlelo lwe-hashi. Okubalulekile ukuthi umsebenzisi ngamunye ugcina enenhlanganisela ehlukile.
Khona-ke, a indlela eyodwa ye-hash algorithmUmphumela uba iyunithi yezinhlamvu ebonakala ingahleliwe, i-hashi, yobude obugxilile, ezogcinwa kusizindalwazi kanye nosawoti. Ezinhlelweni zanamuhla, kufunwa ama-algorithms akhiqizayo ukuphuma okude nokuyinkimbinkimbiLokhu kwandisa indawo yokusesha futhi kwenza ukuhlasela kwe-brute-force kubize kakhulu.
Ekugcineni, lapho umsebenzisi engena, isistimu iphinda ibuyise iphasiwedi efakiwe. usawoti ohlobene Kusukela ku-database, iphinda inqubo efanayo yokuhlanganisa kanye ne-hashing futhi iqhathanisa umphumela ne-hashi egciniwe. Uma zifana, iyazi ukuthi iphasiwedi ilungile ngaphandle kokudinga ukwazi umbhalo osobala.
Lo mshini uqinisekisa ukuthi noma ngabe isizindalwazi siputshuziwe, umhlaseli uzobona kuphela ama-hashes ngabanye ngosawoti waboEsikhundleni sesethi yama-hashi aqhathanisekayo, ukumisa ukuhlasela akuwona umlingo, kodwa kubiza kakhulu ngokwekhompiyutha.
Izinzuzo zokusebenzisa usawoti kuma-password hash
Isizathu esiyinhloko sokusebenzisa i-salting yilokho iqinisa ukuphepha kwamaphasiwedi agciniwe ngokumelene nezinhlobonhlobo zokuhlasela. Kodwa kufanelekile ukuchaza izinzuzo ezithile.
Okokuqala, i-salting ihlinzeka ukumelana nokuhlaselwa kwesichazamazwiNgaphandle kukasawoti, umhlaseli angalungisa uhlu olukhulu lwamagama ayimfihlo avamile kanye nama-hashi awo, futhi avele awaqhathanise nesizindalwazi esintshontshiwe. Ngosawoti oyingqayizivele ngomsebenzisi ngamunye, lawo ma-hashe obalwe ngaphambilini awasebenzi, ngoba inhlanganisela ngayinye yephasiwedi + kasawoti ikhiqiza inani elihlukile.
Okwesibili, ukusetshenziswa kukasawoti kuphula ukusebenza kwe- amatafula othingoLezi izizindalwazi ezibalwe ngaphambilini zama-hashes zamagama-mfihlo adumile ukusheshisa ukutakula. Futhi, njengoba umphumela uncike kusawoti othize, lawa mathebula aklanyelwe ama-hashes angenasawoti aba yize noma, okungenani, angasebenzi kahle kakhulu.
Enye inzuzo ecacile ukuthi ithuthukisa ubumfihlo uma kwenzeka kuvuzaNgisho noma isigebengu sizuza ukufinyelela kuthebula lomsebenzisi nge-hashi nosawoti walo, ngeke bakwazi ukuhlonza ngokushesha ukuthi ubani onegama eliyimfihlo njengelabanye noma baqalise kalula ukuhlasela kwabantu abaningi. I-akhawunti ngayinye idinga ukunakwa komuntu ngamunye, ngokuvamile okungenzeki ngezinga elikhulu.
Ngaphezu kwalokho, i-salting ingeza ubunkimbinkimbi brute force attackEsikhundleni sokukwazi ukuhlola iphasiwedi yekhandidethi kuwo wonke ama-hashes ngesikhathi esisodwa, umhlaseli uyaphoqeleka ukuthi acabangele usawoti womsebenzisi ngamunye, aphindaphinde isamba somsebenzi. Uma lokhu kuhlanganiswa ne-algorithm ye-hashing ehamba kancane futhi ehlukanisekayo (njenge-bcrypt noma i-Argon2), izindleko zokuhlasela zikhuphuka nakakhulu.
Okokugcina, ukwenza usawoti kuyindlela evumelana kahle nokuziphendukela kwemvelo kwezobuchwepheshe. Ngisho noma imishini yekhompyutha ithuthuka futhi kuvela ukuhlaselwa okusha, inhlanganisela yehashi eliqinile nosawoti oyingqayizivele Igcina izinga lobunzima obuphezulu futhi obuyingozi: ungakwazi ukwandisa ubude bukasawoti, uqinise i-algorithm, ukwandise izindleko zokubala, njll.
I-Linux isebenzisa kanjani i-password salting (/etc/shadow)
Ezinhlelweni ze-Linux nokunye okuhlukile kwe-*NIX, amagama ayimfihlo omsebenzisi awagcinwa ku-/etc/passwd, kodwa kufayela. / njll / isithunziLeli fayela, elifinyeleleka kuphela kumsebenzisi ophezulu, ligcina ama-hashi ephasiwedi kanye nolwazi olwengeziwe, futhi yilapho ukusetshenziswa kosawoti kanye ne-algorithm ye-hashi kubonakala ngokucacile.
Imigqa ku-/etc/shadow inesakhiwo esifana nalesi:
umsebenzisi:$id$sal$hash:additional_fields...
Uphawu $ Hlukanisa izingxenye ezahlukene. Ingxenye yokuqala emva kwegama lomsebenzisi ikhombisa uhlobo lwe-algorithm esetshenzisiwe. Ngokwesibonelo, $1 ngokuvamile imele i-MD5, $5 SHA-256 kanye $6 I-SHA-512, okuyi-algorithm evamile ekusatshalalisweni kwesimanje ngoba inikeza ukuvikeleka okukhulu kunezinhlelo ezindala ezisuselwe ku-DES noma i-MD5.
Ngemuva kokuthi isihlonzi se-algorithm sivele salbese kuthi umphumela we-hashKonke lokhu kungaphakathi kwenkundla efanayo. Uma iphasiwedi iqinisekisiwe, isistimu ifunda leso sihlonzi, usawoti, isebenzisa i-algorithm ehambisana nephasiwedi efakiwe, bese iqhathanisa i-hashi ebaliwe naleyo egciniwe.
Uma ufuna ukuhlola ngokushesha ukuthi yibaphi abasebenzisi ababhale amagama ayimfihlo nokuthi iyiphi i-algorithm esetshenziswayo, ungasebenzisa umyalo onjengokuthi grep '\$' /etc/shadowKulo mongo, uphawu lwedola ($) lusetshenziselwa ukuthola imigqa ene-hashe ngefomethi yesimanje. Uphawu kufanele lubalekelwe ngokuhlehla ngenxa yokuthi ezimisweni ezivamile lisho "ukuphela komugqa".
Ama-akhawunti angenayo iphasiwedi noma ama-akhawunti akhiyiwe ngokuvamile abonisa inani elifana naleli kuleyo nkambu. ! o * esikhundleni se-hashi enamadola, okubonisa ukuthi ayikwazi ukuqinisekiswa kusetshenziswa iphasiwedi ejwayelekile. Lesi sakhiwo senza into eyodwa icace: I-Linux ihlanganisa i-salting ibe yifomethi yayo ye isitoreji amaphasiwedi ngokwesintu.
Umehluko phakathi kwe-password hashing kanye ne-salting
Kubalulekile ukuhlukanisa ngokucacile phakathi kwemiqondo emibili ngezinye izikhathi exutshwa: hashing y usawotiI-password hashing inqubo lapho iphasiwedi iguqulwa ibe inani elingaziwa kusetshenziswa i-algorithm yendlela eyodwa. Iseva ayidingi ukwazi iphasiwedi yoqobo, kuphela ukuqinisekisa ukuthi umsebenzisi uyayazi iphasiwedi elungile ngoba ikhiqiza i-hashi efanayo.
Inkinga ukuthi uma amaphasiwedi amabili afana, i- Ihashi elingafakwanga usawoti nalo lizofanaLokhu kuvumela umhlaseli ukuthi aqhathanise futhi aqoqe abasebenzisi ngephasiwedi noma asebenzise amathebula abalwe ngaphambilini. Ngaphezu kwalokho, uma i-algorithm ye-hashi ishesha futhi yakhelwe ubuqotho bedatha (njenge-SHA-256 elula), iba sengozini enkulu yokuhlaselwa ngamandla anonya.
Ukufakwa kukasawoti emanzini kungena ngokunembile ukuxazulula lobo buthakathaka: kumayelana engeza idatha engahleliwe kuphasiwedi ngaphambi kokuyikhipha. Umphumela uba ukuthi ngisho noma abasebenzisi ababili bekhetha “i-casa” njenge-password yabo, ama-hashe ku-database azohluka ngokuphelele, ngoba omunye uzoba, ngokwesibonelo, “casa+7Ko#” kanye nomunye “casa8p?M” njengentambo yangaphambi kwe-hash.
Ngakho-ke, i-hashing ne-salting ayiqhudelani, kodwa kunalokho kuyaphelelisana. I-Hashing inikeza i impahla ye-unidirectionality kanye nokuqinisekisa kalula; usawoti uyahlinzeka okuyingqayizivele kanye nokuqina ngokumelene nokuhlaselwa okukhuluUkusetshenziswa okuvikelekile kwesitoreji sephasiwedi kuhlanganisa zombili izindlela, kusetshenziswa i-algorithm eklanyelwe le njongo, nezindleko ezilungisekayo.
Ukusebenzisa usawoti ku-Linux nge-mkpasswd
Ezindaweni ze-GNU/Linux nakwamanye amasistimu UnixIndlela ewusizo kakhulu yokuhlola i-salting iyithuluzi mkpasswdLo myalo usetshenziselwa ukukhiqiza amaphasiwedi abethelwe ngokuvikelekile, futhi ivamise ukuhlanganiswa ezinqubweni zokudala umsebenzisi, imibhalo yokuphatha, njll.
I-syntax eyisisekelo ye-mkpasswd ikuvumela ukuthi ucacise iphasiwedi ezobethelwa kanye nochungechunge lwezinketho ezifana nohlobo lwe-algorithm (isibonelo, des, md5, sha-256, sha-512) usebenzisa inketho. -mEzinhlelweni zesimanje, into ephusile ongayenza wukukhetha I-SHA-512 okungenani, noma ngezikimu eziqinile nakakhulu uma ukusabalalisa kuzisekela.
Inketho ethakazelisayo ikakhulukazi kumongo we-salting -S, evumela engeza usawoti kuphasiwedi ngaphambi kokuyibethela. Uma kungashiwongo ngesandla, i-mkpasswd ingase ikhiqize i usawoti ongahleliwe ekubulaweni ngakunyeukuze noma usebenzisa igama-mfihlo lokungena elifanayo, i-hashi ewumphumela yehlukile isikhathi ngasinye.
Lokhu kungaqinisekiswa kalula: uma ubhala ngemfihlo “password123” izikhathi ezimbalwa nge-mkpasswd, usebenzisa i-SHA-512 kanye nosawoti ongahleliwe, uzothola amahashi ahluke ngokuphelele. Kodwa-ke, uma udlula inani elifanayo likasawoti usebenzisa -S, i-hashi izohlale ifana, ngoba inhlanganisela yephasiwedi + kasawoti ayishintshi.
Ngenxa yaleli thuluzi kulula kakhulu Lungiselela amaphasiwedi abethelwe ngosawoti ukwengeza kumafayela okulungiselela, ukuphatha abasebenzisi mathupha, noma ukuhlola ukuziphatha kosawoti ngaphandle kokuhlela noma yini.
Umbhali oshisekayo ngomhlaba wamabhayithi nobuchwepheshe ngokujwayelekile. Ngiyathanda ukwabelana ngolwazi lwami ngokubhala, futhi yilokho engizokwenza kule bhulogi, ngikubonise zonke izinto ezithakazelisayo kakhulu ngamagajethi, isofthiwe, ihadiwe, izitayela zobuchwepheshe, nokuningi. Inhloso yami ukukusiza ukuthi uzulazule emhlabeni wedijithali ngendlela elula nejabulisayo.