A simple method of MD5 and salt encryption (to prevent rainbow table collision)

Source: Internet
Author: User
Tags md5 encryption md5 hash

MD5 encryption (or digest algorithm) Everyone is familiar with it, and it doesn't explain.

Now a lot of database design like to use one-way encryption to save the password, verify that the password is encrypted once again to do a ciphertext comparison

        <summary> using MD5 to encrypt///        </summary>/        <param name= "Input" > Encrypted string </param>//        <remarks>2015.08.26</remarks> public        static Guid ToMD5 (string input)        {            using (var Md5provider = new MD5CryptoServiceProvider ())            {                var bytes = Encoding.UTF8.GetBytes (input);                var hash = md5provider.computehash (bytes);                var count = hash. Length;                Hash[0] = (byte) (Hash[3] + (hash[3] = hash[0]) * 0); Exchange 0,3 value                hash[1] = (byte) (hash[2] + (hash[2] = hash[1]) * 0);//Interchange value                hash[5] = (byte) (Hash[4] + (hash[4] = h ASH[5]) * 0); Exchange 4,5 value                hash[7] = (byte) (Hash[6] + (hash[6] = hash[7]) * 0);//Exchange 6,7 value                return new Guid (hash);}        }

  

This design was originally designed to prevent hackers from being Bauku directly to the user's password, since it is one-way encryption, so even if you know the encryption algorithm does not get the user's actual password

But the so-called however persuasive outsmart, after the appearance of the Rainbow table, simple MD5 is not safe

The following excerpt from Baidu Encyclopedia:

A rainbow table is a pre-computed table used to encrypt the inverse of a hash function, often used to crack encrypted cryptographic hashes. The general mainstream of the rainbow table is above 100G. A lookup table is often used for encryption that contains a fixed-length, plain-text password with limited characters. This is a typical practice of space-for-time, with less computing power and more storage space for every brute-force hack attempted, but less storage space and more computational performance than a single hash table for each input. Using the salt-added KDF function makes this attack difficult to implement.

In a nutshell, an attacker would encrypt a simple password (123456,111111,888888, etc.) in advance MD5 encryption to obtain ciphertext (such as 123456->e10adc3949ba59abbe56e057f20f883e), And then use the data from this table to compare the ciphertext of the database that was being violently

This simple MD5 is easy to get.

So then there were 2 times md5 ... N times MD5, of course this is also the egg ...

So later there was added salt encryption,

Simply put: For example, the login name is BLQW, password 123456, then the database ciphertext is MD5 (123456+BLQW), this can ensure that even if the user's password is the same, but the cipher is different, so the rainbow table on the rest of the dish

There are many ways to add salt, one is MD5 (password + login name), this way is possible in most cases

But when the login name is modified, the ciphertext will also be modified, but this time you do not know what the original password is .... (Although the general login name can not be modified, but the product Wang's idea who knows it ...)

Or someone chooses to build a field to store the obfuscation code, but it's still a hassle.

All right, so much for the following talk about today's theme, a relatively simple way to add salt

        public static Guid ToRandomMD5 (string input) {using (var Md5provider = new Md5cryptoserviceprov Ider ()) {//Gets a random number within 256 to serve as a "salt" var salt = (byte) math.abs (new object).                GetHashCode ()% 256);                Input + = salt;                var bytes = Encoding.UTF8.GetBytes (input);                var hash = md5provider.computehash (bytes);                Hash[0] = salt;            return new Guid (hash); }} public static bool EqualsRandomMD5 (string input, Guid rmd5) {var arr = rmd5.            Tobytearray ();            Take the salt out of var salt = arr[0];                using (var md5provider = new MD5CryptoServiceProvider ()) {input + = salt;                var bytes = Encoding.UTF8.GetBytes (input);                var hash = md5provider.computehash (bytes);      for (int i = 1; i < i++) {if (Hash[i]! = Arr[i])              {return false;            }} return true; }        }

  

The simple thing is to put the salt in the cipher. MD5 hash is completed after a 16-length byte and byte can save 0~255 integer, so in the example, the random salt is 0~255 number

Then MD5 (clear text + salt) and then save the salt to the byte[0] position

So each hash after the ciphertext are different but still can be directly ciphertext comparison, here is a point, think 255 not enough can add a

Of course, it can be placed directly on the 1~15 index.

Of course, you can take the index 15 byte to 15 and then get 0~14 and then put it in ....

A simple method of MD5 and salt encryption (to prevent rainbow table collision)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.