📅  Last modified: 2023-12-03 15:29:46.241000             🧑  Author: Mango
SHA512 is a cryptographic hash function, and salted SHA512 digests are a common (if dated) way of storing passwords. The salt is what matters: a random value mixed into each password before hashing means an attacker cannot use precomputed hash tables (rainbow tables) to recover passwords from a leaked database, and two users who choose the same password end up with different hashes. Be aware that a single SHA512 call is fast, so a salted digest still lets an attacker test billions of guesses per second on commodity GPUs; production systems should use a deliberately slow, salted password hash such as PBKDF2-HMAC-SHA512, bcrypt, scrypt or Argon2. This article walks through the salting mechanics with plain SHA512 in C#, which is the building block those functions iterate.
Before we start: generate a unique salt per user. The salt does not need to be secret, but it must be unpredictable, so draw it from the operating system's cryptographically secure random number generator (never System.Random) and make it at least 16 bytes (128 bits) long. Here is how to generate a random salt in C#; RandomNumberGenerator replaces the older RNGCryptoServiceProvider class, which is now marked obsolete but works the same way on .NET Framework:
using System.Security.Cryptography;

byte[] salt = new byte[16];          // 128-bit salt, a fresh one for every user
RandomNumberGenerator.Fill(salt);    // CSPRNG-backed; do not use System.Random here
Once we have the salt value, we can hash the password using the SHA512 hashing function. Here is an example of how to generate a SHA512 hash with salt in C#:
using System;
using System.Text;
using System.Security.Cryptography;

string password = "MyPassword";

byte[] salt = new byte[16];
RandomNumberGenerator.Fill(salt);

// Build password || salt as one byte array, then hash the whole thing.
byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
byte[] saltedPasswordBytes = new byte[passwordBytes.Length + salt.Length];
Array.Copy(passwordBytes, saltedPasswordBytes, passwordBytes.Length);
Array.Copy(salt, 0, saltedPasswordBytes, passwordBytes.Length, salt.Length);

// .NET 5 or later; on older targets use SHA512.Create().ComputeHash(saltedPasswordBytes).
byte[] hashedBytes = SHA512.HashData(saltedPasswordBytes);

// Store BOTH values in the user's record: the salt is needed again at login.
string hashedPassword = Convert.ToBase64String(hashedBytes);
string saltBase64 = Convert.ToBase64String(salt);
In the code above, we first generate a 16-byte salt with RandomNumberGenerator (the obsolete RNGCryptoServiceProvider class does the same job). Then we convert the password string to UTF-8 bytes and concatenate password and salt into one array, with the salt after the password. Finally, we compute the SHA512 digest of the concatenated array (SHA512.HashData replaces the obsolete SHA512Managed class) and Base64-encode it for storage. Note that the 64-byte digest contains no copy of the salt, so the salt must be saved as its own value (or prepended to the digest before encoding); it cannot be recovered from the hash at login.
When a user logs in, we need to check whether the password they entered matches the hashed password in the database. Here is an example of how to check a password using the SHA512 hash with salt in C#:
using System;
using System.Text;
using System.Security.Cryptography;

// hashedPasswordFromDatabase and saltFromDatabase are the two Base64 strings saved at registration.
static bool VerifyPassword(string password, string hashedPasswordFromDatabase, string saltFromDatabase)
{
    byte[] hashedBytesFromDatabase = Convert.FromBase64String(hashedPasswordFromDatabase);
    byte[] salt = Convert.FromBase64String(saltFromDatabase);

    // Rebuild password || salt exactly as at registration and hash it again.
    byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
    byte[] saltedPasswordBytes = new byte[passwordBytes.Length + salt.Length];
    Array.Copy(passwordBytes, saltedPasswordBytes, passwordBytes.Length);
    Array.Copy(salt, 0, saltedPasswordBytes, passwordBytes.Length, salt.Length);
    byte[] hashedBytes = SHA512.HashData(saltedPasswordBytes);

    // Compare the raw digests in constant time. A string '==' returns as soon as one
    // character differs, which leaks how much of the hash matched.
    return CryptographicOperations.FixedTimeEquals(hashedBytes, hashedBytesFromDatabase);
}

string password = "MyPassword";
if (VerifyPassword(password, hashedPasswordFromDatabase, saltFromDatabase))
{
    Console.WriteLine("Password is correct.");
}
else
{
    Console.WriteLine("Password is incorrect.");
}
In the code above, we first decode the stored hash and the stored salt from the database. We then rebuild the password-plus-salt byte array exactly as we did at registration, using the salt that was saved with the hash, compute its SHA512 digest and compare the result with the stored digest. The comparison is done on the raw bytes with CryptographicOperations.FixedTimeEquals rather than a string ==, so that the time taken does not depend on how many leading bytes happen to match.
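The two snippets above show the registration and login halves separately with a single SHA512 call. The following is an added example, not code from the original article: it puts both halves into one class, swaps the single SHA512 call for PBKDF2-HMAC-SHA512 (Rfc2898DeriveBytes.Pbkdf2, .NET 6 or later), stores salt, iteration count and hash together in one self-describing string so they cannot drift apart, and flags stored hashes whose iteration count has fallen behind so they can be upgraded on the next successful login. The class name, the `pbkdf2-sha512$...` storage format and the iteration count are assumptions made for this example; the count follows current OWASP guidance for PBKDF2-HMAC-SHA512 and should be tuned to your own hardware budget.

```csharp
// Added example (not from the original article): salted, iterated password hashing
// with PBKDF2-HMAC-SHA512, a self-describing stored string and constant-time verification.
using System;
using System.Security.Cryptography;

public static class PasswordHasher
{
    // Assumed parameters for this example.
    private const string Scheme = "pbkdf2-sha512";
    private const int SaltSize = 16;          // 128-bit salt, unique per user
    private const int HashSize = 64;          // full SHA512 output length
    private const int Iterations = 210_000;   // OWASP's current figure for PBKDF2-HMAC-SHA512

    // Produces "pbkdf2-sha512$<iterations>$<salt base64>$<hash base64>" for storage in one column.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA512, HashSize);
        return string.Join("$", Scheme, Iterations, Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Recomputes the hash with the parameters embedded in the stored string and compares in
    // constant time. needsRehash is set when the stored iteration count is below the current
    // one, so the caller can re-store HashPassword(password) after a successful login.
    public static bool VerifyPassword(string password, string stored, out bool needsRehash)
    {
        needsRehash = false;
        if (string.IsNullOrEmpty(stored)) return false;

        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != Scheme) return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations < 1) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException)
        {
            return false;   // corrupted record: treat as a failed login, never as a crash
        }
        if (salt.Length == 0 || expected.Length == 0) return false;

        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA512, expected.Length);
        bool ok = CryptographicOperations.FixedTimeEquals(actual, expected);
        needsRehash = ok && iterations < Iterations;
        return ok;
    }

    public static void Main()
    {
        string stored = HashPassword("MyPassword");
        Console.WriteLine(stored);

        Console.WriteLine(VerifyPassword("MyPassword", stored, out bool rehash) + " (needsRehash=" + rehash + ")");
        Console.WriteLine(VerifyPassword("mypassword", stored, out _));
        Console.WriteLine(VerifyPassword("MyPassword", "not-a-valid-record", out _));
    }
}
```

Running Main prints the stored record, then a correct login with needsRehash false, then two failures (wrong case in the password, and a malformed record). Because the iteration count travels with each record, raising the Iterations constant later does not break existing users: their old hash still verifies, needsRehash comes back true, and the application can replace the record with a fresh HashPassword result while it still holds the plaintext.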
In this article, we have shown how to implement salted SHA512 hashing in C#. Generate a unique random salt per user, store it alongside the hash, and compare digests in constant time at login. The salt defeats precomputed hash tables, but it does nothing to slow down brute-force guessing, so in production replace the single SHA512 call with an iterated password hash such as PBKDF2-HMAC-SHA512 (Rfc2898DeriveBytes.Pbkdf2 in .NET), bcrypt, scrypt or Argon2.