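// Section 1: parameters and storage format
/**
 * Stored representation of a password hash.
 *
 * The digest (sha256) and derived-key length (32 bytes) are fixed by
 * pbkdf2Hash and are NOT recorded here; changing either would make
 * existing records unverifiable.
 */
type HashMeta = {
  algo: 'pbkdf2'
  hash: string        // base64-encoded derived key
  salt: string        // base64-encoded random salt
  iterations: number  // PBKDF2 iteration count used to produce `hash`
  pepperId?: string   // identifies which pepper was mixed in, if any (the pepper value is never stored)
}

// Section 2: hash generation and verification
import crypto from 'crypto'

/** Length in bytes of the derived key; fixed, not recorded in HashMeta. */
const PBKDF2_KEY_LENGTH = 32
/** Digest used by PBKDF2; fixed, not recorded in HashMeta. */
const PBKDF2_DIGEST = 'sha256'

/**
 * Generates a random salt.
 *
 * @param len - salt length in bytes (default 16)
 * @returns `len` cryptographically random bytes
 */
function genSalt(len = 16): Buffer {
  return crypto.randomBytes(len)
}

/**
 * Derives a key from the password (plus optional pepper) with PBKDF2.
 *
 * @param password - plaintext password, encoded as UTF-8
 * @param salt - per-record random salt
 * @param iterations - PBKDF2 iteration count
 * @param pepper - secret kept outside the record; appended to the password bytes when present
 * @returns the 32-byte sha256-based derived key
 */
function pbkdf2Hash(password: string, salt: Buffer, iterations: number, pepper?: Buffer): Buffer {
  const passwordBytes = Buffer.from(password, 'utf8')
  // The pepper is appended to the password bytes; it is referenced by
  // HashMeta.pepperId but never stored alongside the hash.
  const input = pepper ? Buffer.concat([passwordBytes, pepper]) : passwordBytes
  return crypto.pbkdf2Sync(input, salt, iterations, PBKDF2_KEY_LENGTH, PBKDF2_DIGEST)
}

/**
 * Hashes a password with a fresh 16-byte salt and returns the storable record.
 *
 * @param password - plaintext password
 * @param iterations - PBKDF2 iteration count to use (and to record)
 * @param pepperId - identifier of `pepper`, recorded so verification can select the same pepper
 * @param pepper - secret mixed into the hash; must be supplied again at verification time
 * @returns a HashMeta record (base64 salt and hash)
 */
function createHash(password: string, iterations: number, pepperId?: string, pepper?: Buffer): HashMeta {
  const salt = genSalt()
  const derived = pbkdf2Hash(password, salt, iterations, pepper)
  return {
    algo: 'pbkdf2',
    hash: derived.toString('base64'),
    salt: salt.toString('base64'),
    iterations,
    pepperId,
  }
}

/**
 * Verifies a password against a stored record.
 *
 * @param password - plaintext password presented by the user
 * @param meta - stored record; its fields are treated as untrusted data
 * @param pepper - the pepper identified by `meta.pepperId`, if any
 * @returns true only when the re-derived key matches the stored hash
 */
function verifyHash(password: string, meta: HashMeta, pepper?: Buffer): boolean {
  if (meta.algo !== 'pbkdf2') return false
  const expected = Buffer.from(meta.hash, 'base64')
  // timingSafeEqual requires equal lengths; a stored hash of any other
  // length cannot have been produced by pbkdf2Hash.
  if (expected.length !== PBKDF2_KEY_LENGTH) return false
  const salt = Buffer.from(meta.salt, 'base64')
  const actual = pbkdf2Hash(password, salt, meta.iterations, pepper)
  // Constant-time comparison: a string `===` stops at the first differing
  // byte and so leaks timing information about the stored hash.
  return crypto.timingSafeEqual(actual, expected)
}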
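// Section 3: parameter validation and rotation
/**
 * Reports whether a stored hash record meets the current minimum policy.
 *
 * Besides the iteration count, this also checks the stored salt length and
 * that the stored hash is a full 32-byte (sha256) derived key, since both are
 * part of the record. Malformed base64 decodes to fewer bytes and so fails.
 *
 * @param meta - stored hash record
 * @param minIterations - minimum acceptable PBKDF2 iteration count (default 120000)
 * @param minSaltBytes - minimum acceptable salt length in bytes (default 16)
 * @returns true when every parameter meets the policy
 */
function paramsStrong(meta: HashMeta, minIterations = 120000, minSaltBytes = 16): boolean {
  if (meta.algo !== 'pbkdf2') return false
  if (!Number.isInteger(meta.iterations) || meta.iterations < minIterations) return false
  const saltBytes = Buffer.from(meta.salt, 'base64').length
  const hashBytes = Buffer.from(meta.hash, 'base64').length
  // 32 bytes is the derived-key length produced with sha256.
  return saltBytes >= minSaltBytes && hashBytes === 32
}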
/**
 * Returns a replacement hash record when the stored one is below policy,
 * otherwise returns `meta` unchanged.
 *
 * Re-hashing needs the plaintext, so this can only run while the password is
 * available (i.e. at login). It does not verify the password itself; call it
 * only after verifyHash has succeeded for `meta`.
 *
 * @param password - plaintext password just presented by the user
 * @param meta - stored hash record
 * @param preferredIterations - iteration count for the replacement record
 * @param pepperId - identifier recorded in the replacement record
 * @param pepper - secret mixed into the replacement hash
 * @returns `meta` when paramsStrong(meta) holds, else a freshly created HashMeta
 */
function rotateIfWeak(password: string, meta: HashMeta, preferredIterations: number, pepperId?: string, pepper?: Buffer): HashMeta {
  const needsRotation = !paramsStrong(meta)
  return needsRotation
    ? createHash(password, preferredIterations, pepperId, pepper)
    : meta
}
// Section 4: storage and acceptance
/**
 * A persisted user entry: the user id plus its password hash record.
 * Only the HashMeta fields (algo/salt/hash/iterations/pepperId) are kept;
 * the pepper value itself is not part of the record.
 */
type UserRecord = {
  id: string
  password: HashMeta
}
/**
 * Builds the record to persist for a user.
 *
 * @param id - user identifier
 * @param meta - hash record produced by createHash or rotateIfWeak
 * @returns a UserRecord holding `id` and `meta` (the same object, not a copy)
 */
function storeUser(id: string, meta: HashMeta): UserRecord {
  const record: UserRecord = { id, password: meta }
  return record
}
盐长度 ≥ 16 字节；迭代次数 ≥ 120000；哈希长度 32 字节（SHA-256）。支持 pepper 标识与验证；使用弱参数的哈希在用户登录后旋转到首选迭代次数。存储记录包含 `algo/salt/hash/iterations/pepperId`；验证保持一致并记录审计。
