php Length sodium_crypto_pwhash_str()返回长度

Question

PHP中sodium_crypto_pwhash_str()返回的字符串有多长？它会随着明文的不同而变化吗？选项$opslimit和$memlimit？基本上，我想知道数据库字段的长度。

Answer 1

哈希密码的最大长度为crypto_pwhash_STRBYTES，长度为128个字节。

这个常量还没有在PHP绑定中公开，但我很快就会添加它。

更新:这已被添加到PECL扩展中。

Answer 2

我在sodium_crypto_pwhash_str()上运行了一些测试，但计时比较粗糙。在下面的代码中，测试1、2和3的密码分别为4、40和400个字符。这对计时或散列长度没有任何影响。测试i、m和s使用SODIUM_CRYPTO_PWHASH_*_INTERACTIVE、SODIUM_CRYPTO_PWHASH_*_MODERATE和SODIUM_CRYPTO_PWHASH_*_SENSITIVE。这分别产生了97、98和99个字符的散列。*_SENSITIVE测试花费的时间大约是*_MODERATE测试的6倍。后者花费的时间大约是*_INTERACTIVE测试的6倍。

这是我的测试代码。

$pass1 = bin2hex(openssl_random_pseudo_bytes(2));
$pass2 =  bin2hex(openssl_random_pseudo_bytes(20));
$pass3 =  bin2hex(openssl_random_pseudo_bytes(200));

$t = microtime(true);
$test1i = strlen(sodium_crypto_pwhash_str(
    $pass1,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE));
$time1i = microtime(true) - $t;

$t = microtime(true);
$test1m = strlen(sodium_crypto_pwhash_str(
    $pass1,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE));
$time1m = microtime(true) - $t;

$t = microtime(true);
$test1s = strlen(sodium_crypto_pwhash_str(
    $pass1,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE));
$time1s = microtime(true) - $t;

$t = microtime(true);
$test2i = strlen(sodium_crypto_pwhash_str(
    $pass2,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE));
$time2i = microtime(true) - $t;

$t = microtime(true);
$test2m = strlen(sodium_crypto_pwhash_str(
    $pass2,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE));
$time2m = microtime(true) - $t;

$t = microtime(true);
$test2s = strlen(sodium_crypto_pwhash_str(
    $pass2,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE));
$time2s = microtime(true) - $t;

$t = microtime(true);
$test3i = strlen(sodium_crypto_pwhash_str(
    $pass3,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE));
$time3i = microtime(true) - $t;

$t = microtime(true);
$test3m = strlen(sodium_crypto_pwhash_str(
    $pass3,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE));
$time3m = microtime(true) - $t;

$t = microtime(true);
$test3s = strlen(sodium_crypto_pwhash_str(
    $pass3,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE));
$time3s = microtime(true) - $t;

$len1 = strlen($pass1);
$len2 = strlen($pass2);
$len3 = strlen($pass3);
$pLen1 = str_repeat(' ', 3 - strlen($len1)) . $len1;
$pLen2 = str_repeat(' ', 3 - strlen($len2)) . $len2;
$pLen3 = str_repeat(' ', 3 - strlen($len3)) . $len3;

printf("Pass length: %3s" .
    '; I: %2d chars (%4.2f secs)' .
    '; M: %2d chars (%4.2f secs)' .
    '; S: %2d chars (%4.2f secs)' . PHP_EOL,
    $len1, $test1i, $time1i, $test1m, $time1m, $test1s, $time1s);

printf("Pass length: %3s" .
    '; I: %2d chars (%4.2f secs)' .
    '; M: %2d chars (%4.2f secs)' .
    '; S: %2d chars (%4.2f secs)' . PHP_EOL,
    $len2, $test2i, $time2i, $test2m, $time2m, $test2s, $time2s);

printf("Pass length: %3s" .
    '; I: %2d chars (%4.2f secs)' .
    '; M: %2d chars (%4.2f secs)' .
    '; S: %2d chars (%4.2f secs)' . PHP_EOL,
    $len3, $test3i, $time3i, $test3m, $time3m, $test3s, $time3s);

运行一次后，我得到了以下结果：

Pass length:   4; I: 97 chars (0.06 secs); M: 98 chars (0.37 secs); S: 99 chars (2.24 secs)
Pass length:  40; I: 97 chars (0.06 secs); M: 98 chars (0.36 secs); S: 99 chars (2.22 secs)
Pass length: 400; I: 97 chars (0.06 secs); M: 98 chars (0.36 secs); S: 99 chars (2.18 secs)

然而，我对经验式编码仍然不太满意。:-(