An introduction to bcrypt
Bcrypt stores the algorithm version, the iteration count (cost) and the salt inside the hash value itself.
Stored in the database, a bcrypt "hash" might look something like this:
$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa
This is actually three fields, delimited by "$":
- 2a identifies the bcrypt algorithm version that was used.
- 10 is the cost factor; 2^10 (1,024) iterations of the key derivation function are used (which is not enough, by the way. I'd recommend a cost of 12 or more.)
- vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa is the salt and the cipher text, concatenated and encoded in a modified Base-64. The first 22 characters decode to a 16-byte value for the salt. The remaining characters are the cipher text to be compared for authentication.
bcrypt's verification works differently from other schemes: it does not decrypt the stored value to recover the plaintext, nor does it encrypt the input a second time and compare the two ciphertexts directly. Instead it runs the plaintext together with the stored ciphertext (which carries the version, cost and salt) through the same computation to produce another ciphertext, and if the two ciphertexts are identical the verification succeeds.
>>> import bcrypt
>>> s = 'hello'
>>> hash = bcrypt.hashpw(s, bcrypt.gensalt())
>>> print hash
$2a$12$1VwtpKmC77PkaoTol0HIS.Wqp24FUNHcB2OyPLPQBwVO.P3NVEwWq
>>> hash2 = bcrypt.hashpw(s, hash)
>>> hash == hash2
True
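As an added example (written for this page; it is not code from the original post or from any bcrypt library), the following Python parses a stored bcrypt string into the three "$"-delimited fields described above, decodes the 22-character salt with bcrypt's own base64 alphabet, turns the cost into the 2^cost round count, and implements the "rehash when the cost is below 12" policy the text recommends. The field layout and the two sample hashes come from the post; the class and function names (`BcryptFields`, `parse_bcrypt_hash`, `needs_rehash`, `hashes_equal`) are my own, and the bit-packing decoder only needs to agree with bcrypt on whole bytes, which is all the salt and digest lengths depend on.

```python
import hmac
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet (starting "./A..."), not the RFC 4648 one,
# and emits no padding characters.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22-char salt><31-char digest>; version is "2", "2a", "2b", "2x" or "2y".
_HASH_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptFields:
    """The three '$'-delimited fields of a stored bcrypt string (hypothetical helper type)."""
    version: str      # e.g. "2a"
    cost: int         # work factor; the KDF runs 2**cost rounds
    salt_b64: str     # 22 characters -> 16 raw bytes
    digest_b64: str   # 31 characters -> 23 raw bytes

    @property
    def iterations(self) -> int:
        return 1 << self.cost

    @property
    def salt(self) -> bytes:
        return bcrypt_b64decode(self.salt_b64)

    @property
    def digest(self) -> bytes:
        return bcrypt_b64decode(self.digest_b64)


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's modified base64; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    acc = 0
    nbits = 0
    for ch in text:
        idx = BCRYPT_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the bcrypt alphabet")
        acc = (acc << 6) | idx
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)


def is_bcrypt_hash(stored: str) -> bool:
    """Cheap structural check before touching the database value."""
    return _HASH_RE.match(stored) is not None


def parse_bcrypt_hash(stored: str) -> BcryptFields:
    """Split a stored bcrypt string into version, cost, salt and digest (ValueError if malformed)."""
    m = _HASH_RE.match(stored)
    if m is None:
        raise ValueError("not a well-formed bcrypt string")
    version, cost, salt_b64, digest_b64 = m.groups()
    return BcryptFields(version, int(cost), salt_b64, digest_b64)


def needs_rehash(stored: str, min_cost: int = 12) -> bool:
    """True if the stored hash was computed with a cost below the policy minimum.
    Check this right after a successful login, while the plaintext is available, and rehash."""
    return parse_bcrypt_hash(stored).cost < min_cost


def hashes_equal(computed: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed string against the stored one;
    a plain '==' can leak how many leading characters matched."""
    return hmac.compare_digest(computed.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    # Sample value taken from the post above.
    sample = "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
    f = parse_bcrypt_hash(sample)
    print("version:", f.version, "cost:", f.cost, "rounds:", f.iterations)
    print("salt bytes:", len(f.salt), "digest bytes:", len(f.digest))
    print("needs rehash at cost 12:", needs_rehash(sample))
```

`needs_rehash` is the practical consequence of the cost recommendation: because the cost is stored with the hash, an application can raise its policy and migrate users transparently at their next login instead of forcing a password reset. `hashes_equal` replaces the `hash == hash2` comparison in the session above with `hmac.compare_digest`, so the comparison time does not depend on where the two strings first differ.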
REF:
<http://www.jianshu.com/p/5ee9d089a0dd>
<http://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts>
--- --- --- --- From 小小leo's blog --- --- --- ---