NodeJS: bcrypt vs native crypto
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/6951867/
Asked by fancy
Can someone point out the differences between the two and example situations where to use each?
bcrypt looks great.
Answered by Mike Scott
Use bcrypt where you want to do slow and computationally expensive hashing -- this will generally be for hashes where you really don't want an attacker to be able to reverse the hash, e.g. user passwords. Use native crypto for everything else.
Answered by Igor Parra
In companion with @mike-scott's answer, you should prefer bcrypt for password-related stuff, but you can still use crypto for a wide range of tasks like creating random tokens, an HMAC checksum or SHA1/MD5 hashes:
var crypto = require('crypto');
// random tokens (log the number of random bytes, not the length of the encoded string)
var bytes = crypto.randomBytes(16);
var buf = bytes.toString('hex');
console.log('Random token of %d bytes in hexadecimal: %s', bytes.length, buf);
bytes = crypto.randomBytes(16);
buf = bytes.toString('base64');
console.log('Random token of %d bytes in base 64: %s', bytes.length, buf);
// a hashed message authentication checksum (HMAC) using a shared secret key
// (an HMAC authenticates the message; it does not encrypt it)
var string = 'My coffee please';
var key = 'Right away sir';
var hmac = crypto.createHmac('sha1', key).update(string).digest('hex');
console.log('HMAC-SHA1 of "%s" using key "%s": %s', string, key, hmac);
// an MD5 hash
var hashmd5 = crypto.createHash('md5').update(string).digest('hex');
console.log('The MD5 hash of "%s" is %s', string, hashmd5);
// a SHA1 hash
var hashsha1 = crypto.createHash('sha1').update(string).digest('hex');
console.log('The SHA1 hash of "%s" is %s', string, hashsha1);
Answered by Basav
I would use nodejs's native crypto library.
I think the decision should not be just based on who does what better; it is much more than that.
You should know why node.js included an inbuilt module for crypto, while it was not originally part of node.js and many libraries were popular in the npm repository, including bcrypt.
The reason was that cryptography is an important security aspect; using an external module from npm has the possibility of malicious code being injected, which defeats the original security objective.
Hence the need for a trusted library for such cryptographic functions, which was the motivation for nodejs to provide such a library.
If you think the cryptographic method is not strong, better raise an issue on nodejs about the same instead of blindly trusting an external library.
Still don't believe me? Read this article: https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

