关于网易密码的疑问

f^n （密码加盐）， f^n （ x ）是 scrypt 等密钥生成函数多次（数千）迭代

@honeycomb 我的问题就是，这脱裤拿到数据是怎么拿到的？按理说加了密的密码是没法用来撞库的啊。

@shyrock 应该是很早就被脱下来的库，洗了 N 多轮才被放出来

@fengxing 问题是如果加密存储，就算拿到了库，密码是怎么被解出来的？

@shyrock 那些裤应该是没有按照标准要求加密密码

这里有一个 Android 全盘加密的标准：

https://source.android.com/security/encryption/

“ Generate random 16-byte disk encryption key (DEK) and 16-byte salt.
Apply scrypt to the user password and the salt to produce 32-byte intermediate key 1 (IK1).
Pad IK1 with zero bytes to the size of the hardware-bound private key (HBK). Specifically, we pad as: 00 || IK1 || 00..00; one zero byte, 32 IK1 bytes, 223 zero bytes.
Sign padded IK1 with HBK to produce 256-byte IK2.
Apply scrypt to IK2 and salt (same salt as step 2) to produce 32-byte IK3.
Use the first 16 bytes of IK3 as KEK and the last 16 bytes as IV.
Encrypt DEK with AES_CBC, with key KEK, and initialization vector IV.”