UCenter password hashing algorithm: how it works and how to generate compatible hashes

Source: Internet
Author: User
KANG Sheng (Comsenz) products, including Discuz!, UCHome and SupeSite, all integrate a unified user system, UCenter. User login passwords are stored by UCenter as well, so whenever another system has to integrate with UCenter or export its users into it, the question of how UCenter generates its password hashes comes up. This article describes the UCenter password algorithm and how to generate values that match it.

Passwords are normally not stored in plain text: the user's password is run through MD5 and only the hash is kept in the database. If an attacker obtains that hash, they can attack it with a dictionary. Given a word list that is large enough and that matches how people actually choose passwords, common passwords fall quickly, and a precomputed table of md5(word) values makes the lookup almost free. UCenter therefore salts the password. The salt is a random string that is concatenated with the password before the one-way function is applied, and the salt is stored in the database next to the result. With a large enough salt space, precomputed tables become useless even for common passwords, because an attacker cannot store the hash of every candidate password combined with every possible salt. Note what a salt does not do: it does not slow down an attack on one particular user's hash, and MD5 itself is fast, so a weak password is still guessable per user. The salt only stops one precomputed table from being reused against every user.

The UCenter founder password is not kept in the database but in a file: data/config.inc.php under the UCenter directory. In that file, UC_FOUNDERPW holds the password hash and UC_FOUNDERSALT holds the salt. The founder hash is built as UC_FOUNDERPW = md5(md5(PASSWORD) . UC_FOUNDERSALT): the plain password is hashed with MD5 first, the salt is appended to the resulting hex digest, and the result is hashed with MD5 again. Because the value lives in config.inc.php, replacing UC_FOUNDERPW there with a value computed the same way (against the existing UC_FOUNDERSALT, or a new salt written alongside it) resets the UCenter founder password.

UCenter member information lives in the uc_members table. Each row carries its own random salt column, and the password column holds the computed hash, built with the same rule: $password = md5(md5($password) . $salt). That is, the user's password is hashed with MD5, the per-user salt is appended to the hex digest, the result is hashed with MD5 again, and that value is stored in the password field.

When converting data from another system, usernames and password hashes can therefore be recomputed by this rule and inserted into uc_members to migrate the users. For example, if the source system stores md5(password), the migration program generates a random salt for each user, appends it to the existing md5(password) value and takes MD5 of the result. The inner MD5 is already available, so the UCenter hash can be computed without ever knowing the plaintext, which gives a seamless migration.

If the source system instead stores md5(password + salt), its hashes cannot be converted to UCenter's form: the inner md5(password) value is never available without the plaintext, so the password cannot be migrated smoothly and those users have to be handled manually. When designing the password store of a system of your own, therefore, prefer md5(md5(password) + salt); it interoperates with UCenter easily while still using a salt. For an ASCII username, self-built systems commonly use the username itself as the salt. Note, though, that a username is predictable and is the same across systems, so a random per-user salt, as UCenter itself uses, is the better choice.
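As an added example (not code from this article or from UCenter itself), the following Python script implements the rule described above end to end: the founder hash for config.inc.php, the uc_members hash and login check, migration from a system that stores plain md5(password), and a demonstration of why a store using md5(password + salt) cannot be imported the same way. The salt alphabet and length, the define() layout of config.inc.php, the sample passwords and the helper names are assumptions of the example.

```python
import hashlib
import secrets
import string

# Alphabet and length of the per-user salt. uc_members.salt is a short random
# string; the exact alphabet and length used here are assumptions for the example.
SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LENGTH = 6


def md5_hex(data: str) -> str:
    """Lower-case hex MD5 of a string, matching PHP's md5()."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def random_salt(length: int = SALT_LENGTH) -> str:
    """Draw a fresh salt from the CSPRNG (secrets), never from random."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def ucenter_hash_from_md5(password_md5: str, salt: str) -> str:
    """Outer step of the UCenter rule: md5(md5(password) . salt).

    Takes an already computed md5(password) hex digest, which is exactly why a
    system storing plain md5(password) can be migrated without the plaintext.
    """
    return md5_hex(password_md5 + salt)


def ucenter_hash(password: str, salt: str) -> str:
    """Full UCenter rule, used for uc_members.password and for UC_FOUNDERPW."""
    return ucenter_hash_from_md5(md5_hex(password), salt)


def verify(password: str, stored_hash: str, salt: str) -> bool:
    """Check a login attempt the way UCenter would, with a constant-time compare."""
    return secrets.compare_digest(ucenter_hash(password, salt), stored_hash)


def founder_config_lines(password: str, salt: str) -> list:
    """Render the two define() lines for data/config.inc.php (layout assumed)."""
    return [
        f"define('UC_FOUNDERPW', '{ucenter_hash(password, salt)}');",
        f"define('UC_FOUNDERSALT', '{salt}');",
    ]


def migrate_md5_user(username: str, legacy_md5: str) -> dict:
    """Turn a row from a system that stores md5(password) into a uc_members row.

    A new random salt is drawn per user and applied on top of the legacy digest.
    """
    salt = random_salt()
    return {
        "username": username,
        "password": ucenter_hash_from_md5(legacy_md5, salt),
        "salt": salt,
    }


def migration_preserves_login(password: str) -> bool:
    """Migrating md5(password) and then logging in with the plaintext must work."""
    row = migrate_md5_user("alice", md5_hex(password))  # constructed sample user
    return len(row["salt"]) == SALT_LENGTH and verify(password, row["password"], row["salt"])


def naive_import_breaks_login(password: str, legacy_salt: str) -> bool:
    """Why an md5(password + salt) store cannot be migrated like md5(password).

    Feeding the salted legacy digest into the same migration treats it as the
    inner md5(password); the resulting row no longer verifies the real password.
    Returns True when login is broken, which is always the case.
    """
    legacy_hash = md5_hex(password + legacy_salt)
    row = migrate_md5_user("bob", legacy_hash)
    return not verify(password, row["password"], row["salt"])


if __name__ == "__main__":
    salt = random_salt()
    print("\n".join(founder_config_lines("123456", salt)))  # sample founder password
    print("member login ok:", migration_preserves_login("123456"))
    print("salted legacy import broken:", naive_import_breaks_login("123456", "s4lt"))
```

Both migration helpers draw a fresh salt per user; reusing one salt for every imported row would bring back exactly the shared-table attack the salt is meant to prevent.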
