Strona główna Odkrywaj Pomoc
Zarejestruj się Zaloguj się
trizen
/
perl-scripts
Obserwuj 1
Polub 0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Gałąź: master
Gałęzie Tagi
perl-scripts
/
Digest
/
brute-force_resistant_hashing.pl

brute-force_resistant_hashing.pl 3.8 KB
Bezpośredni odnośnik Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114 
  1. #!/usr/bin/perl
    2. 

  2. 

  3. # Author: Trizen
    4. 

  4. # Date: 21 December 2021
    5. 

  5. # https://github.com/trizen
    6. 

  6. 

  7. # A concept for a brute-force resistant hashing method.
    8. 

  8. 

  9. # It requires a deterministic hash function, which is used in computing a
    10. 

  10. # non-deterministic brute-force resistant hash, based on the processor speed
    11. 

  11. # of the computer, taking about 2 seconds to hash a password, and about 1.5 seconds
    12. 

  12. # to verify if the hash of a password is correct, given the password and the hash.
    13. 

  13. 

  14. # The method can be made deterministic, by providing a fixed number of iterations.
    15. 

  15. # Otherwise, the method automatically computes a safe number of iterations based on hardware speed.
    16. 

  16. 

  17. # See also:
    18. 

  18. #   https://en.wikipedia.org/wiki/Bcrypt
    19. 

  19. #   https://en.wikipedia.org/wiki/Argon2
    20. 

  20. 

  21. use 5.020;
    22. 

  22. use strict;
    23. 

  23. use warnings;
    24. 

  24. 

  25. use Digest::SHA qw(sha512_hex);
    26. 

  26. use experimental qw(signatures);
    27. 

  27. 

  28. sub bfr_hash ($password, $hash_function, $iterations = undef) {
    29. 

  29. 

  30.     my $strength = 1;    # delay time in seconds
    31. 

  31. 

  32.     my $salt_hash = $hash_function->('');
    33. 

  33.     my $pass_hash = $hash_function->($password);
    34. 

  34. 

  35.     my $hash_password = sub {
    36. 

  36.         $salt_hash = $hash_function->($salt_hash);
    37. 

  37.         $pass_hash = $hash_function->($salt_hash . $pass_hash);
    38. 

  38.         #$pass_hash = $hash_function->($pass_hash . $salt_hash);
    39. 

  39.     };
    40. 

  40. 

  41.     if (defined $iterations) {
    42. 

  42.         for (1 .. $iterations) {
    43. 

  43.             $hash_password->();
    44. 

  44.         }
    45. 

  45.     }
    46. 

  46.     else {
    47. 

  47. 

  48.         $iterations = 0;
    49. 

  49. 

  50.         eval {
    51. 

  51.             local $SIG{ALRM} = sub { die "alarm\n" };
    52. 

  52.             alarm $strength;
    53. 

  53. 

  54.             while (1) {
    55. 

  55.                 $hash_password->();
    56. 

  56.                 ++$iterations;
    57. 

  57.             }
    58. 

  58. 

  59.             alarm 0;
    60. 

  60.         };
    61. 

  61. 

  62.         say "[DEBUG] Iterations: $iterations";
    63. 

  63.         return __SUB__->($password, $hash_function, $iterations);
    64. 

  64.     }
    65. 

  65. 

  66.     my $check_hash = $hash_function->($pass_hash . $salt_hash);
    67. 

  67.     return join('$', $pass_hash, $salt_hash, $check_hash);
    68. 

  68. }
    69. 

  69. 

  70. sub check_bfr_hash ($password, $bfr_hash, $hash_function) {
    71. 

  71.     my ($pass_hash, $salt_hash, $check_hash) = split(/\$/, $bfr_hash);
    72. 

  72. 

  73.     $salt_hash  // return 0;
    74. 

  74.     $pass_hash  // return 0;
    75. 

  75.     $check_hash // return 0;
    76. 

  76. 

  77.     if ($hash_function->($pass_hash . $salt_hash) ne $check_hash) {
    78. 

  78.         return 0;
    79. 

  79.     }
    80. 

  80. 

  81.     my $iterations = 0;
    82. 

  82.     my $hash       = $hash_function->('');
    83. 

  83. 

  84.     while (1) {
    85. 

  85.         $hash = $hash_function->($hash);
    86. 

  86.         ++$iterations;
    87. 

  87.         last if ($hash eq $salt_hash);
    88. 

  88.     }
    89. 

  89. 

  90.     if (bfr_hash($password, $hash_function, $iterations) eq $bfr_hash) {
    91. 

  91.         return 1;
    92. 

  92.     }
    93. 

  93. 

  94.     return 0;
    95. 

  95. }
    96. 

  96. 

  97. my $password1 = 'foo';
    98. 

  98. my $password2 = 'bar';
    99. 

  99. 

  100. my $hash1 = bfr_hash($password1, \&sha512_hex);
    101. 

  101. my $hash2 = bfr_hash($password2, \&sha512_hex);
    102. 

  102. 

  103. say qq{bfr_hash("$password1", sha512) = $hash1};
    104. 

  104. say qq{bfr_hash("$password2", sha512) = $hash2};
    105. 

  105. 

  106. say check_bfr_hash($password1, $hash1, \&sha512_hex);    #=> 1
    107. 

  107. say check_bfr_hash($password2, $hash2, \&sha512_hex);    #=> 1
    108. 

  108. say check_bfr_hash($password1, $hash2, \&sha512_hex);    #=> 0
    109. 

  109. say check_bfr_hash($password2, $hash1, \&sha512_hex);    #=> 0
    110. 

  110. 

  111. __END__
    112. 

  112. bfr_hash("foo", sha512) = d0cd2ed4ef19e55ea8d69212417e21d5723e41a716f74fea2bbc7d8e114108d1a439c763b2673c2e79ccc684b7558d42956982d6396abd6bcd99aca30b516787$a65bff3e58823c51d7a4a44bcebc8f5c8ba148e3eea81fc017ecd20eb94b5892f2112e397a48e5185ab500051ec285a0a9d104a6eed4828d04cc0661c0ea1885$03061c61439174d1a4f8f3fa73e53ff9b9480f02afa270544aaeacfc6cc08db27742f2d3721edc13a4cefabb0accbf476ef6c9596932fc81816c018e8fd6ca6e
    113. 

  113. bfr_hash("bar", sha512) = 3eefe86bfbc36d7099625a3b3ab741c373435ab873d841eccbf9db465637b0c7a7e612cbc65fda0a9333c2065d10cbcb8120a8271b932234849753f899c4c396$906e9a62689d2bc012ff83f777432a2b1235faeff01a582d1fb3eb6b5201f1bca4174a4a983b6951fb211936d2040468c2a695f7b74ad45dcb76789ef267b9a9$e5bc95297be88c0b8003c731a052968ed6c2c75fceea2844e2584fdd05ae97ffa1795dc7f73e6b9c9c7c91d294dc7f435d687221fbf945d6d590fce7f54fcf7d
    114. 

  114.