Introduction to MD5

Source: Internet
Author: User
Tags md5 encryption

Most full-featured websites on the Internet require users to register first and to provide information such as an email address, an account name, and a password. Once registered, a user can enjoy special information or services that the site provides, such as free e-mail, forums, and chat, all of which require registration. E-commerce websites, such as igo5 and other large e-commerce sites, require detailed and accurate registration when users purchase products, and this information (phone, email, address, and so on) is often highly confidential. It is an important resource for both users and websites. It must not be disclosed at will, and it must not be exposed to any security risk.

If we design a website that requires user registration, we can create a table in the database for storing user information. This table includes at least a user account field, useraccount, and a user password field, password. Of course, a real application will not have only one user information table; depending on the services the website offers, other information is added as appropriate so that the site can provide more comprehensive services. In general, one user's information occupies one row of the user information table, that is, one data record. When a user logs on or submits information, the program compares the information entered by the user with the information in the table. If the user account and password are correct, the user is a legitimate user and is allowed through; otherwise, the user is an illegitimate user.

However, is this safe? Does it meet the website's registration requirements? Consider that we usually store user data directly in the database without any confidentiality measures. If someone obtains this file, all of the data is leaked. More importantly, an irresponsible network administrator needs no technical means at all to view any user information on the website: because user information is not encrypted in the database, viewing it is far too easy for an administrator. Therefore, to increase security, we need to encrypt the data in the database. Then, even if someone obtains the entire database, they cannot view the user information in it without the decryption algorithm. Before considering database security, however, we should first consider whether our data is really that important. If the data is just simple file data that does not need to be kept confidential, there is obviously no need to encrypt it; doing so wastes system resources and increases the program's load. If the data is private, encrypting it is necessary. So before applying encryption, select which data needs to be encrypted, to avoid wasting system resources.

MD5 Encryption Algorithm

At this stage, we generally think of two kinds of encryption: one-way encryption and two-way encryption. Two-way encryption is an encryption algorithm that turns plaintext data we can understand directly into ciphertext data we cannot understand directly. When necessary, a corresponding algorithm can decrypt the ciphertext back into the original, understandable plaintext. Two-way encryption is suitable for private communication. For example, when we shop online we need to submit a credit card password to the website. Of course, we do not want our data to be transmitted in plain text over the Internet, because it may be "eavesdropped" by other users. We want the credit card password to be encrypted before it is transmitted over the network. After the website receives our data, it can use the decryption algorithm to obtain the accurate credit card account.

One-way encryption can only encrypt data; that is, there is no way to decrypt the encrypted data. We may immediately ask what use such encryption is. What is the role of an encryption algorithm that cannot be decrypted? In practice, one application is encrypting user information in the database. When a user creates a new account and password, the information is not stored in the database directly but is stored after being encrypted. In this way, even if the information is leaked, its true meaning cannot be understood immediately.

MD5 is a one-way encryption algorithm. Two features of MD5 are very important. First, the encrypted ciphertext of any two pieces of plaintext data cannot be the same. Second, for any piece of plaintext data, the result of encryption must remain unchanged. The former means that it is impossible to encrypt any two pieces of plaintext and obtain the same ciphertext. The latter means that if we encrypt specific data, the ciphertext obtained must always be the same.

The MD5CryptoServiceProvider class belongs to the System.Security.Cryptography namespace in .NET. It provides a solution specifically for MD5 one-way data encryption, and it is the class used in this article to encrypt passwords in the database. Before encrypting data, let's first look at the main method of the MD5CryptoServiceProvider class: ComputeHash, which applies MD5 encryption and outputs the encrypted ciphertext as a data array. Now let's look at a specific example:

' Requires: Imports System.Security.Cryptography and Imports System.Text

' Plaintext string to be encrypted
Dim strPlainText As String = "encrypt me!"

' Byte array that receives the MD5 output (16 bytes)
Dim hashedDataBytes As Byte()

' Converts the string to UTF-8 bytes before hashing
Dim encoder As New UTF8Encoding()

' Create an MD5CryptoServiceProvider instance
Dim md5Hasher As New MD5CryptoServiceProvider()

' Encryption operation
hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(strPlainText))

From the example above, we can see that the ComputeHash method accepts only an array as the object to encrypt, and the ciphertext it outputs is also an array. Therefore, before encrypting a string we must first convert it into an array, which is what the GetBytes method of the UTF8Encoding class does, and the encrypted result is likewise output as an array.

We now have a general understanding of how MD5 encryption is implemented. Next, let's look at how MD5 is actually used in combination with a database.

Use MD5 to store user passwords in the database

In the previous introduction, we mentioned that websites often store users' accounts and passwords in the database unencrypted. For example, the account uses a useraccount field of type varchar, and the password also uses a password field of type varchar. If we plan to store the password using MD5 encryption, however, we must change the type of the password field to binary with a length of 16. This is not hard to understand: as we saw earlier, the encrypted output is a binary array, so the change must be made here. When a user registers successfully and an account is formally created, a record for that user must be added to the database. The following program code implements the function of creating an account. On the page, the program asks the user to enter an account and a password, and then saves them as account information in the data table named useraccount. In this table, the user password is saved using MD5 encryption. The code for the page is as follows:

<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>

<script runat="server" language="VB">
  Sub CreateAccount(sender As Object, e As EventArgs)
    ' 1. Establish a database connection
    Const strConnString As String = "connection string"
    Dim objConn As New SqlConnection(strConnString)

    ' 2. Create a command object
    Dim strSQL As String = _
      "INSERT INTO useraccount (username, password) " & _
      "VALUES (@username, @password)"
    Dim objCmd As New SqlCommand(strSQL, objConn)

    ' 3. SQL parameters
    Dim paramUsername As SqlParameter
    paramUsername = New SqlParameter("@username", SqlDbType.VarChar, 25)
    paramUsername.Value = txtUsername.Text
    objCmd.Parameters.Add(paramUsername)

    ' Encrypt the user password
    Dim md5Hasher As New MD5CryptoServiceProvider()
    Dim hashedBytes As Byte()
    Dim encoder As New UTF8Encoding()
    hashedBytes = md5Hasher.ComputeHash(encoder.GetBytes(txtPwd.Text))

    ' Pass the 16-byte result as a binary parameter
    Dim paramPwd As SqlParameter
    paramPwd = New SqlParameter("@password", SqlDbType.Binary, 16)
    paramPwd.Value = hashedBytes
    objCmd.Parameters.Add(paramPwd)

    ' Insert the record into the database
    objConn.Open()
    objCmd.ExecuteNonQuery()
    objConn.Close()
  End Sub
</script>

<form runat="server">
  <h1>Create an account</h1>
  Username: <asp:TextBox runat="server" id="txtUsername" />
  <br />Password:
  <asp:TextBox runat="server" id="txtPwd" TextMode="Password" />
  <p><asp:Button runat="server" Text="Create user account"
      OnClick="CreateAccount" /></p>
</form>

On the page implemented by the program above, the "user name" and "password" input boxes ask users to enter their own account and password. After entering this information, the user clicks "create user account" to create the account and store it in the database. Note in particular that because the program uses MD5 encryption and database functions, several namespaces are imported at the beginning of the code, and these are indispensable. We can see that the password field is saved in binary form, so even someone who obtains the database cannot tell what the password is, and the password is not disclosed.

Use MD5 to identify legal users

The user password is stored in the database after MD5 encryption, and we know that MD5 is a one-way encryption algorithm, so it is impossible to convert the encrypted information back into plain text; there is no way to know the original. This raises a question: when a user logs on with an account and password, how can we know whether the password provided is correct? Here we return to the MD5 feature mentioned earlier: for any piece of plaintext data, the result of encryption must remain unchanged. That is to say, to verify that the user password is correct, we only need to encrypt the currently provided password with MD5 and compare it with the password field saved in the database. The following code implements this function:

<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>

<script runat="server" language="VB">
  Sub Login(sender As Object, e As EventArgs)
    ' 1. Establish a database connection
    Const strConnString As String = "connection string"
    Dim objConn As New SqlConnection(strConnString)

    ' 2. Create a command object
    Dim strSQL As String = "SELECT COUNT(*) FROM useraccount " & _
      "WHERE username = @username AND password = @password"
    Dim objCmd As New SqlCommand(strSQL, objConn)

    ' 3. SQL parameters
    Dim paramUsername As SqlParameter
    paramUsername = New SqlParameter("@username", SqlDbType.VarChar, 25)
    paramUsername.Value = txtUsername.Text
    objCmd.Parameters.Add(paramUsername)

    ' Encrypt the password information
    Dim md5Hasher As New MD5CryptoServiceProvider()
    Dim hashedDataBytes As Byte()
    Dim encoder As New UTF8Encoding()
    hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(txtPwd.Text))

    Dim paramPwd As SqlParameter
    paramPwd = New SqlParameter("@password", SqlDbType.Binary, 16)
    paramPwd.Value = hashedDataBytes
    objCmd.Parameters.Add(paramPwd)

    ' Count the rows that match both the user name and the hashed password
    objConn.Open()
    Dim iResults As Integer = CInt(objCmd.ExecuteScalar())
    objConn.Close()

    If iResults = 1 Then
      ' Account and password matched: legal user
    Else
      ' Error
    End If
  End Sub
</script>

<form runat="server">
  <h1>Login</h1>
  User Account: <asp:TextBox runat="server" id="txtUsername" />
  <br />Password:
  <asp:TextBox runat="server" id="txtPwd" TextMode="Password" />
  <p><asp:Button runat="server" Text="Login" OnClick="Login" /></p>
</form>
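
The account-creation and login flow from the two sections above, as an added Python example (not code from the original article, which uses VB.NET): it stores the page's unsalted MD5 value beside a salted PBKDF2 record so the two stored forms can be compared. The in-memory SQLite table, the `salt` and `kdf` columns, the function names and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumption: PBKDF2 work factor chosen for this example

def md5_record(password):
    """The page's scheme: unsalted MD5 of the UTF-8 password (16 bytes)."""
    return hashlib.md5(password.encode("utf-8")).digest()

def kdf_record(password, salt=None):
    """Hardened form: per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key

def open_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical schema: the page's table plus salt/kdf columns for comparison.
    db.execute("CREATE TABLE useraccount (username TEXT PRIMARY KEY,"
               " password BLOB, salt BLOB, kdf BLOB)")
    return db

def create_account(db, username, password):
    salt, key = kdf_record(password)
    db.execute("INSERT INTO useraccount VALUES (?, ?, ?, ?)",
               (username, md5_record(password), salt, key))

def stored(db, username):
    """Return (password, salt, kdf) as stored for one user, or None."""
    return db.execute("SELECT password, salt, kdf FROM useraccount"
                      " WHERE username = ?", (username,)).fetchone()

def login_md5(db, username, password):
    # Same check as the page's Login routine: hash, then match in the query.
    count = db.execute("SELECT COUNT(*) FROM useraccount"
                       " WHERE username = ? AND password = ?",
                       (username, md5_record(password))).fetchone()[0]
    return count == 1

def login_kdf(db, username, password):
    row = stored(db, username)
    if row is None:
        return False
    _, candidate = kdf_record(password, row[1])
    return hmac.compare_digest(candidate, row[2])  # constant-time comparison
```

Two accounts created with the same password end up with identical `password` values under the MD5 scheme but different `kdf` values. That difference, together with the cost of each PBKDF2 evaluation, is why a per-user salt and a slow function are preferred for stored passwords.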

 

Restrictions on saving passwords to databases using encryption

Before deciding whether to use encryption to save passwords, we still need to consider some issues. Because MD5 is one-way encryption, the encrypted information cannot be decrypted. Therefore, if a user loses the password, it is difficult for anyone to recover the original password. The website then also loses a very important function, namely letting the user provide other information to retrieve the lost password. This is a major defect for the website. In addition, adopting this encryption method requires completely modifying the previously stored user information and asking users to register again, which is also difficult.

Summary

We have introduced in detail how to implement MD5 encryption for user passwords. We have also introduced how to implement user authentication with the encrypted passwords, and discussed the restrictions on applying this encryption method. In practice, we can adapt this approach to better suit our application's needs.
