MD5 is the most commonly used password encryption algorithm in web applications. Since MD5 is irreversible, the ciphertext calculated by MD5 cannot be used to obtain the original text through the reverse algorithm.
Looking back at the original intention of using MD5 encrypted text passwords in web applications, it is to prevent passwords saved in the database from being obtained directly after being unfortunately leaked. However, attackers not only possess a huge password dictionary, but also have established many MD5 original text/ciphertext comparison databases. They can quickly find the MD5 ciphertext of commonly used passwords, which is an efficient way to decipher MD5 ciphertext. However, the MD5 ciphertext database uses the most conventional MD5 encryption algorithm: original text-->MD5-->ciphertext. Therefore, we can use the transformed MD5 algorithm and make the ready-made MD5 ciphertext database useless.
The following demonstrates some examples of transformation algorithms
Of course, in other web development languages, the same results can be obtained.
Transformation 1: Loop MD5
The easiest to understand transformation is to perform multiple MD5 operations on a password. Customize a function that accepts two formal parameters: $data and $times. The first is the password to be encrypted, and the second is the number of times to repeat encryption. There are two algorithms to achieve this transformation -
//Iterative algorithm
function md5_1_1($data, $times = 32)
{
// Loop through MD5
for ($i = 0; $i < $times; $i++) {
$data = md5($data);
}
return $data;
}
//Recursive algorithm
function md5_1_2($data, $times = 32)
{
if ($times > 0) {
$data = md5($ data);
$times--;
return md5_1_2($data, $times); //Implement recursion
} else {
return $data;
}
}
?>
Transformation 2: Ciphertext segmentation MD5
Although the user’s password is an uncertain string, after one MD5 operation, a 32-digit A string composed of characters, you can then transform this fixed-length string. A somewhat BT algorithm is to divide this ciphertext into several segments, perform an MD5 operation on each segment, and then concatenate the pile of ciphertext into a very long string, and finally perform another MD5 operation, and the result is still Ciphertext with a length of 32 bits.
//Split the cipher text into two sections, each section has 16 characters
function md5_2_1($data)
{
//Encrypt the password first Grow the ciphertext with a length of 32 characters
$data = md5($data);
//Split the password into two sections
$left = substr($data, 0, 16);
$right = substr($data, 16, 16);
//Encrypt separately and then merge
$data = md5($left).md5($right);
//Finally add long words The string is encrypted again and becomes a 32-character ciphertext
return md5($data);
}
//Split the ciphertext into 32 segments, each segment is 1 character
function md5_2_2 ($data)
{
$data = md5($data);
//Loop to intercept each character in the ciphertext and encrypt and connect
for ($i = 0; $ i < 32; $i++) {
$data .= md5($data{$i});
}
//At this time, the length of $data is 1024 characters, and another MD5 operation is performed
return md5($data);
}
?>
Of course, there are countless specific algorithms for this kind of ciphertext segmentation. For example, the original ciphertext can be segmented Into 16 segments with two characters each, 8 segments with 4 characters each, or the number of characters in each segment is unequal...
Transformation 3: Additional string interference
In one step of the encryption process, append A string with specific content (such as a username) that interferes with the encrypted data. Random strings cannot be used because this will make the original algorithm impossible to reproduce. This algorithm is very advantageous in some cases. For example, if it is used to encrypt a large number of user passwords, the user name can be used as an additional interference string. In this way, even if the attacker knows your algorithm, it will be difficult for them to obtain it. A large number of comparison tables are generated in the dictionary at once, and then a large number of user passwords are deciphered, and only a small number of users can be enumerated in a targeted manner.
//Append the string at the end of the original data
function md5_3_1($data, $append)
{
return md5($data.$append) ;
}
//Append the string to the head of the original data
function md5_3_2($data, $append)
{
return md5($append.$data);
}
//Append strings at the beginning and end of the original data
function md5_3_3($data, $append)
{
return md5($append.$data.$append ; So we can convert them all to uppercase and then perform an MD5 operation.
function md5_4($data)
{
//Get the ciphertext of the password first
$data = md5($data);
/ /Convert all English letters in the ciphertext to uppercase
$data = strtotime($data);
//Finally perform an MD5 operation and return
return md5($data);
}
?>
Transformation 5: String order interference
After reversing the order of the ciphertext string after MD5 operation, perform another MD5 operation.
function md5_5($data)
{
//Get the ciphertext of the data
$data = md5($data);
// Then reverse the character order of the ciphertext string
$data = strrev($data);
//Finally perform an MD5 operation and return
return md5($data);
}
?>
Transform six, transform seven, transform eight...
There are countless MD5 transformation algorithms, you don’t even need to create them yourself, just use the five above Combining them with each other can create a very BT algorithm. For example, first encrypt in a loop and then split it, append a string to each segment and encrypt it separately, then change the case and reverse the order of the strings, then concatenate into a long string and then perform MD5 operation...
If it is really unfortunate that the user password data is exposed due to some vulnerabilities, such as SQL Injection or the database in the file system is downloaded, then the MD5 transformation algorithm can greatly increase the difficulty of deciphering the original password. The first is to use Many MD5 original text/ciphertext comparison databases on the Internet (you know, this is the most efficient way to decipher MD5) are useless, and then the attacker uses conventional algorithms to exhaustively enumerate a series of ciphertexts obtained by the transformation algorithm. Worried. Of course, the MD5 transformation algorithm is particularly suitable for use in non-open source Web programs. Although the advantages of using it in open source programs will be weakened (everyone knows the algorithm), it can also suppress the role of the MD5 original text/cipher text comparison database. To perform these complex transformation operations, of course, more system overhead will be spent. However, for systems with strict security requirements, it is completely worth paying more in exchange for higher security.
http://www.bkjia.com/PHPjc/532414.html
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
