-----------------
注:
这一章2节都比较简单,实际上Rust的加密库相当完备, 作为如今区块链生态里面最重量级的编程语言, rust有许多加密和解密库可用, 当然本章介绍的Ring 是其中比较知名的一个, 这里是http://crate.io 上密码学相关crate的分类目录:
Cryptographycrates.io有需要者可以自行取用。
--------------------
用PBKDF2 salt 并哈希加密密码
使用 ring::pbkdf2
的PBKDF2密钥派生函数 pbkdf2::derive
对加盐(salted )的密码进行哈希(hash )处理。用 pbkdf2::verify
验证哈希是否正确。 由 SecureRandom::fill
生成盐,该方式使用安全生成的随机数填充盐字节数组(salt byte array )。
extern crate ring;
extern crate data_encoding;
use data_encoding::HEXUPPER;
use ring::error::Unspecified;
use ring::rand::SecureRandom;
use ring::{digest, pbkdf2, rand};
use std::num::NonZeroU32;
fn main() -> Result<(), Unspecified> {
const CREDENTIAL_LEN: usize = digest::SHA512_OUTPUT_LEN;
let n_iter = NonZeroU32::new(100_000).unwrap();
let rng = rand::SystemRandom::new();
let mut salt = [0u8; CREDENTIAL_LEN];
rng.fill(&mut salt)?;
let password = "Guess Me If You Can!";
let mut pbkdf2_hash = [0u8; CREDENTIAL_LEN];
pbkdf2::derive(
pbkdf2::PBKDF2_HMAC_SHA512,
n_iter,
&salt,
password.as_bytes(),
&mut pbkdf2_hash,
);
println!("Salt: {}", HEXUPPER.encode(&salt));
println!("PBKDF2 hash: {}", HEXUPPER.encode(&pbkdf2_hash));
let should_succeed = pbkdf2::verify(
pbkdf2::PBKDF2_HMAC_SHA512,
n_iter,
&salt,
password.as_bytes(),
&pbkdf2_hash,
);
let wrong_password = "Definitely not the correct password";
let should_fail = pbkdf2::verify(
pbkdf2::PBKDF2_HMAC_SHA512,
n_iter,
&salt,
wrong_password.as_bytes(),
&pbkdf2_hash,
);
assert!(should_succeed.is_ok());
assert!(!should_fail.is_ok());
Ok(())
}