Walking through several of the methods in the User model that Gii generates for the user table, and the yii\base\Security methods they call:
Random salt generation (generateSalt() in yii\base\Security, used by generatePasswordHash()):
```php
protected function generateSalt($cost = 13)
{
    $cost = (int) $cost;
    if ($cost < 4 || $cost > 31) {
        throw new InvalidParamException('Cost must be between 4 and 31.');
    }

    // (1) get 20 random bytes
    $rand = $this->generateRandomKey(20);
    // (2) prefix selecting the Blowfish (bcrypt) algorithm and the cost parameter
    $salt = sprintf("$2y$%02d$", $cost);
    // (3) append the salt in the base64 alphabet bcrypt expects
    $salt .= str_replace('+', '.', substr(base64_encode($rand), 0, 22));

    return $salt;
}
```
(1) Generate random bytes: $rand = $this->generateRandomKey(20); returns 20 random bytes.
(2) Add the prefix: $salt = sprintf("$2y$%02d$", $cost); with the default $cost = 13 this yields $2y$13$, which tells crypt() to run bcrypt with 2^13 rounds.
(3) Base64-encode $rand, keep the first 22 characters, replace every + with . (so that all 22 characters are in bcrypt's ./A-Za-z0-9 alphabet; / is already valid there), append them to the prefix and return the result.
How it works: crypt() with a $2y$ setting runs bcrypt (Blowfish-based) and returns a 60-character string made of the 7-character prefix, the 22-character salt (128 bits; the 22nd character contributes only 2 of its 6 bits) and 31 characters of digest. Because the salt is a prefix of the hash, hashing the plaintext again with the stored hash itself as the "salt" reproduces the same 60-character string, which is what verification relies on. Caveat: bcrypt uses only the first 72 bytes of the password, so two passwords that agree on their first 72 bytes produce the same hash.
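The three steps above, reproduced as a standalone script so the resulting crypt() output can be inspected. This is an added example, not Yii2's own code: the names makeBcryptSalt(), splitBcrypt() and check() are ours, random_bytes() stands in for generateRandomKey(), and a cost of 5 is used only to keep the demo fast.

```php
<?php
// Added example; not Yii2's own code. Reproduces the salt construction
// described above and checks the properties of the bcrypt string it yields.

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

function makeBcryptSalt(int $cost = 13): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('Cost must be between 4 and 31.');
    }
    $rand = random_bytes(20);                         // step (1): 20 random bytes
    $salt = sprintf('$2y$%02d$', $cost);              // step (2): e.g. "$2y$13$"
    // step (3): first 22 base64 characters, '+' mapped to '.', so every
    // character is in bcrypt's ./A-Za-z0-9 alphabet ('/' is already valid).
    $salt .= str_replace('+', '.', substr(base64_encode($rand), 0, 22));
    return $salt;                                     // 7 + 22 = 29 characters
}

// Split a 60-character bcrypt string into prefix, salt and digest.
function splitBcrypt(string $hash): array
{
    $re = '/^(\$2[axy]\$\d\d\$)([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['prefix' => $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

$salt = makeBcryptSalt(5);          // low cost so the demo is fast; Yii2 defaults to 13
check(strlen($salt) === 29, 'salt is prefix + 22 chars');

$hash = crypt('correct horse battery staple', $salt);
check(strlen($hash) === 60, 'bcrypt output is 60 chars');
check(substr($hash, 0, 29) === $salt, 'hash starts with the salt it was made from');
// Passing the full hash as the "salt" reproduces it: crypt() reads only the
// first 29 characters. This is exactly what validatePassword() relies on.
check(crypt('correct horse battery staple', $hash) === $hash, 'hash is self-describing');
print_r(splitBcrypt($hash));

// bcrypt caveat: only the first 72 bytes of the password take part.
$p72 = str_repeat('a', 72);
$h72 = crypt($p72, $salt);
check(crypt($p72 . 'ignored tail', $salt) === $h72, 'bytes after 72 do not change the hash');
check(crypt(substr($p72, 0, 71), $salt) !== $h72, 'byte 72 still counts');
echo "ok\n";
```

Run it with `php salt-demo.php`; the last two checks are the practical consequence of the 72-byte limit mentioned above, which is worth knowing if a product enforces a maximum password length larger than that.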
setPassword() method:
2, validatePassword($password) method
This method calls validatePassword() of yii\base\Security, which hashes the user's input again using the hash stored in the database as the salt (crypt() reads only the prefix and the 22-character salt from it):
```php
$test = crypt($password, $hash);
$n = strlen($test);
if ($n !== 60) {
    return false;
}

return $this->compareString($test, $hash);
```
The result of compareString($test, $hash) is then returned. The length check matters: on failure (for example a malformed setting string) crypt() returns a string shorter than 13 characters rather than a hash, so anything that is not exactly 60 characters is rejected before the comparison. Note that current versions of Security::validatePassword() first check that $hash matches the $2y$<cost>$<22-char salt> format and use password_verify() when it is available; the crypt() path above is the fallback.
compareString($expected, $actual) method:
```php
public function compareString($expected, $actual)
{
    // append a byte so that neither string is empty (otherwise $i % $expectedLength
    // below could divide by zero) and the loop always runs
    $expected .= "\0";
    $actual .= "\0";
    // byte lengths: StringHelper::byteLength() is mb_strlen($string, '8bit')
    $expectedLength = StringHelper::byteLength($expected);
    $actualLength = StringHelper::byteLength($actual);
    // a length difference already makes $diff non-zero
    $diff = $expectedLength - $actualLength;
    // XOR each byte of the re-hashed input with the corresponding byte of the
    // stored hash and OR the result into $diff; every byte of $actual is visited
    for ($i = 0; $i < $actualLength; $i++) {
        $diff |= (ord($actual[$i]) ^ ord($expected[$i % $expectedLength]));
    }

    return $diff === 0;
}
```
$diff stays 0 only if the lengths match and every byte pair XORs to 0, i.e. the two strings are identical. Unlike ===, which stops at the first differing byte, the loop always does the same amount of work, so the response time does not leak how many leading bytes of the attacker's guess matched the stored hash. Where PHP's hash_equals() is available, compareString() simply delegates to it.
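A standalone version of the verification path explained above, so the constant-time loop and the length check can be exercised against PHP's built-ins. This is an added example and not Yii2's own code: compareConstantTime(), verifyPassword() and check() are our names, strlen() stands in for StringHelper::byteLength(), and a cost of 5 is used only to keep the demo fast.

```php
<?php
// Added example; not Yii2's own code. compareConstantTime() is a standalone
// copy of the compareString() loop; verifyPassword() wires it up the way
// Security::validatePassword() does.

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

function compareConstantTime(string $expected, string $actual): bool
{
    // The extra byte guarantees $expectedLength >= 1, so "$i % $expectedLength"
    // can never be a division by zero, and the loop still runs for '' inputs.
    $expected .= "\0";
    $actual   .= "\0";
    $expectedLength = strlen($expected);   // byte length (mb_strlen($s, '8bit'))
    $actualLength   = strlen($actual);
    // A length mismatch already makes $diff non-zero; the loop still walks
    // every byte of $actual, so the run time does not depend on where the
    // first differing byte is (unlike ===, which stops early).
    $diff = $expectedLength - $actualLength;
    for ($i = 0; $i < $actualLength; $i++) {
        $diff |= ord($actual[$i]) ^ ord($expected[$i % $expectedLength]);
    }
    return $diff === 0;
}

function verifyPassword(string $password, string $hash): bool
{
    if ($password === '') {
        throw new InvalidArgumentException('Password cannot be empty.');
    }
    // Reject anything that is not "$2a$/$2x$/$2y$ + cost + 22-char salt" first.
    if (!preg_match('/^\$2[axy]\$(\d\d)\$[.\/0-9A-Za-z]{22}/', $hash, $m)
        || (int) $m[1] < 4 || (int) $m[1] > 31) {
        throw new InvalidArgumentException('Hash is invalid.');
    }
    // On failure crypt() returns a short string (shorter than 13 chars), not a
    // hash, hence the length check before comparing.
    $test = crypt($password, $hash);
    if (strlen($test) !== 60) {
        return false;
    }
    return compareConstantTime($test, $hash);
}

// Cost 5 keeps the demo fast; Yii2 defaults to 13.
$hash = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 5]);
check(verifyPassword('hunter2', $hash) === true,  'correct password verifies');
check(verifyPassword('hunter3', $hash) === false, 'wrong password is rejected');
check(password_verify('hunter2', $hash) === verifyPassword('hunter2', $hash),
      'agrees with the built-in password_verify()');

// The loop agrees with hash_equals() on the edge cases, including empty input
// and strings of different length.
foreach ([['', ''], ['', 'a'], ['abc', 'abc'], ['abc', 'abd'], ['abc', 'abcd']] as [$e, $a]) {
    check(compareConstantTime($e, $a) === hash_equals($e, $a), "hash_equals('$e', '$a')");
}
echo "ok\n";
```

In new code prefer password_hash()/password_verify() (or Yii2's generatePasswordHash()/validatePassword(), which wrap them) over calling crypt() directly; the hand-written loop is shown here only to make the timing property explicit.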
Related functions used:
ord():
Returns the value (0-255) of the first byte of a string.
crypt($str, $salt):
$str: required. The string to hash.
$salt: selects the algorithm, cost and salt; for bcrypt it is a string starting with $2y$, as produced by generateSalt() above. Calling crypt() without a salt has been deprecated since PHP 5.6 and the parameter is mandatory as of PHP 8.0, so always pass one.
mb_strlen($str, $encoding):
Returns the length of the string under the given encoding; if omitted, the internal encoding is used. With '8bit' it counts bytes, which is what StringHelper::byteLength() relies on so that multibyte characters do not shift the byte-by-byte comparison.
PHP bitwise operators used:
$a & $b and (bitwise AND): bits that are set in both $a and $b are set.
$a | $b or (bitwise OR): bits that are set in either $a or $b are set.
$a ^ $b xor (bitwise XOR): bits that are set in exactly one of $a and $b are set.
~$a not (bitwise NOT): bits that are set in $a are cleared, and vice versa.
$a << $b shift left: shifts the bits of $a left by $b positions (each shift multiplies by 2).
$a >> $b shift right: shifts the bits of $a right by $b positions (each shift divides by 2).
User login hash of YII2 and its verification analysis