Since my own (CSDN) account is among those in this leak, I would like to say: shit... At the same time, I think CSDN is really a disgrace...
I never imagined that CSDN would store passwords in plain text. The last time a website sent me my password directly after "forgot password" was probably on fewer than ten small sites where I registered as a user ten years ago.
Back to the key point. If the password is hashed directly, without salt, an attacker who obtains the stored hash value can compare it against a precomputed dictionary of hashes (a rainbow table, or one of the online MD5 lookup sites) and recover the user's password.
Adding salt solves this problem to a large extent. "Salting" means mixing in some "seasoning". The basic idea is as follows: when a user first provides a password (usually at registration), the system automatically appends a random value to the password and then hashes the result. When the user logs on, the password the user supplies is sprinkled with the same "seasoning", hashed, and the result is compared with the stored hash value; if they match, the password is correct.
The "seasoning" here is called the "salt value". It is generated randomly by the system for each user and stored next to the hash; it does not need to be secret, its job is to be unique. Because every user gets a different salt, two users with the same password end up with different hash values. An attacker can no longer reverse all the hashes with one precomputed table: the precomputation only hits a user whose password and salt both match what the attacker hashed, so every user's salt has to be attacked separately.
The following PHP example illustrates the md5($pass . $salt) construction (a hash, not encryption: it cannot be reversed to recover the password).
<?php
function hash_with_salt($password) { // named hash_with_salt because PHP already has a built-in hash()
    $salt = "random_kugbjvy"; // a salt value: here a fixed random string chosen by the programmer (a single site-wide salt, see the note on that shortcut below)
    $salted = $password . $salt; // concatenate the password and the salt
    $digest = md5($salted); // compute the MD5 hash
    return $digest; // return the hash
}
?>
Call method: $new_password = hash_with_salt($_POST['password']); // the value submitted by the form is accepted and hashed
The following describes the process of salted hashing. One point deserves emphasis before the description: as mentioned above, the "same" seasoning must be used when a password is verified as when the original hash was computed. Therefore the salt value is stored in the database alongside the hash.
When a user registers:
- The user enters the [account] and [password] (and other user information);
- The system generates a [salt value] for the user;
- The system concatenates the salt value and the user's password;
- The concatenated value is hashed to obtain [hash value 1];
- [hash value 1] and the [salt value] are both stored in the database.
When a user logs on:
- The user enters the [account] and [password];
- The system looks up the stored [hash value 1] and [salt value] by the account name;
- The system concatenates the salt value and the password just entered;
- The concatenated value is hashed to obtain [hash value 2] (note that this is computed in real time and never stored);
- [hash value 1] and [hash value 2] are compared. If they are equal the password is correct; otherwise the password is incorrect.
Sometimes, to save development effort, programmers use a single salt value (stored somewhere in the code or configuration) instead of generating a private salt value for each user. This gives up the main benefit: two users with the same password again get the same hash, and an attacker who learns the one salt can build a single lookup table that covers every account.
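The registration and login flow above, together with the single-salt shortcut, as an added Python example that is not part of the original article's PHP or Java. It goes beyond the article by also running the lookup-table attack from the opening paragraphs against the unsalted, single-salt and per-user-salt schemes. The in-memory user dictionary, the 12-byte salt, the constructed password list and the reuse of the PHP snippet's constant `random_kugbjvy` as the site-wide salt are assumptions for illustration.

```python
import binascii
import hashlib
import hmac
import os

# Added example, not code from the original article. A dict stands in for the
# users table: username -> (salt as hex, hash value 1 as hex).
USERS = {}

# Constructed "dictionary" of common passwords for the lookup-table attack.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "111111"]

# The single fixed salt from the article's PHP snippet, reused here for the
# single-salt comparison (an assumption, not a value the article stores anywhere).
FIXED_SALT = b"random_kugbjvy"


def salted_md5(salt: bytes, password: str) -> str:
    """MD5(salt || password), the construction the article describes.
    With salt=b"" this is plain unsalted MD5(password)."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def register(username: str, password: str, db=USERS) -> None:
    """Registration steps 2-5: per-user salt, concatenate, hash, store both."""
    salt = os.urandom(12)  # 12 random bytes from the OS CSPRNG, fresh for every user
    db[username] = (binascii.hexlify(salt).decode("ascii"), salted_md5(salt, password))


def login(username: str, password: str, db=USERS) -> bool:
    """Login steps 2-5: fetch salt and hash value 1, recompute hash value 2, compare."""
    record = db.get(username)
    if record is None:
        return False
    salt_hex, stored_hash = record
    candidate = salted_md5(binascii.unhexlify(salt_hex), password)
    # Constant-time comparison so a timing side channel does not leak matching prefixes.
    return hmac.compare_digest(candidate, stored_hash)


def build_lookup_table(wordlist, salt: bytes = b"") -> dict:
    """Attacker precomputation: MD5(salt || word) -> word, built once.
    With no salt this is what an online MD5 lookup site holds; with one leaked
    site-wide salt, a single table still covers every account."""
    return {salted_md5(salt, w): w for w in wordlist}


def lookup(table: dict, digest: str):
    """Reverse a digest with the precomputed table; None if it is not in the table."""
    return table.get(digest)


def single_salt_hash(password: str) -> str:
    """The shortcut the article mentions: one fixed salt shared by every account."""
    return salted_md5(FIXED_SALT, password)


def demo() -> dict:
    """Register two users with the same password and compare the three schemes."""
    db = {}
    register("alice", "123456", db)
    register("bob", "123456", db)
    plain_table = build_lookup_table(COMMON_PASSWORDS)
    fixed_table = build_lookup_table(COMMON_PASSWORDS, FIXED_SALT)
    return {
        # Per-user salts: the same password yields two different stored hashes ...
        "per_user_hashes_differ": db["alice"][1] != db["bob"][1],
        # ... and the attacker's precomputed table cannot reverse either of them.
        "salted_cracked": lookup(plain_table, db["alice"][1]),
        # Unsalted MD5 falls to the same table immediately.
        "unsalted_cracked": lookup(plain_table, salted_md5(b"", "123456")),
        # One site-wide salt: alice and bob collide again, and one table cracks everyone.
        "single_salt_collides": single_salt_hash("123456") == single_salt_hash("123456"),
        "single_salt_cracked": lookup(fixed_table, single_salt_hash("123456")),
        # Verification against the stored per-user salt and hash value 1.
        "login_ok": login("alice", "123456", db),
        "login_wrong": login("alice", "654321", db),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practitioner caveats the article does not spell out: the salt is stored in the clear next to the hash, so its protection comes from uniqueness, not secrecy; and MD5 is fast, so even salted it only stops precomputation, not per-user brute force. A deployment today would keep the same flow but swap `salted_md5` for a deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2.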
The above content from: http://blog.csdn.net/blade2001/article/details/6341078
The above describes the basic implementation in PHP.
Let's look at Java in detail.
(1) Read the account and password
String name = args[0];
String passwd = args[1];
Analysis: the account and password are read from the command line for ease of use; a real program would take them from a user-facing form.
(2) Generate the random number (salt)
SecureRandom rand = new SecureRandom();
byte[] salt = new byte[12];
rand.nextBytes(salt);
Analysis: create a 12-byte array salt and fill it with random bytes by calling nextBytes() with salt as the argument. java.security.SecureRandom is used rather than java.util.Random, whose output is predictable from its seed and therefore unsuitable for salts.
(3) Create the MessageDigest object
MessageDigest m = MessageDigest.getInstance("MD5");
Analysis: the static getInstance() method of the MessageDigest class returns a MessageDigest object; the argument names the algorithm used to compute the message digest.
(4) Feed in the salt and the password bytes to be hashed
m.update(salt);
m.update(passwd.getBytes("UTF-8"));
Analysis: pass the salt from step 2 and the password from step 1 to the update() method of the MessageDigest object in turn; the digest is then computed over their concatenation, salt || password.
(5) Compute the message digest
byte[] s = m.digest();
Analysis: the digest() method of the MessageDigest object finishes the computation and returns the result as a byte array.
(6) Save the account, the salt and the message digest to a file or database
StringBuilder result = new StringBuilder();
for (byte b : s) {
    result.append(String.format("%02x", b)); // render the digest as lowercase hex
}
PrintWriter out = new PrintWriter(new FileOutputStream("passwdsalt.txt"));
out.println(name);
for (int i = 0; i < salt.length; i++) {
    out.print(salt[i] + ",");
}
out.println("");
out.println(result);
out.close();
Analysis: the account, the salt and the digest are written to the file passwdsalt.txt. Each byte of the salt is written as a decimal number, with the numbers separated by commas; this is easy to read. In actual use the byte array can be stored directly in binary form (or hex-encoded, like the digest).
Implementation
import java.io.FileOutputStream;
import java.io.PrintWriter;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class SetPassSalt {
    public static void main(String[] args) throws Exception {
        // read the account and password (hard-coded here for the demonstration)
        String name = "lbwleon.info";
        String passwd = "lbwleon.info";

        // generate the salt: 12 random bytes from a cryptographically secure generator
        SecureRandom rand = new SecureRandom();
        byte[] salt = new byte[12];
        rand.nextBytes(salt);

        // compute the message digest of salt || password
        MessageDigest m = MessageDigest.getInstance("MD5");
        m.update(salt);
        m.update(passwd.getBytes("UTF-8"));
        byte[] s = m.digest();

        // render the digest as lowercase hex
        StringBuilder result = new StringBuilder();
        for (byte b : s) {
            result.append(String.format("%02x", b));
        }

        // save the account, the salt and the message digest
        try (PrintWriter out = new PrintWriter(new FileOutputStream("D:/passwdsalt.txt"))) {
            out.println(name);
            for (int i = 0; i < salt.length; i++) {
                out.print(salt[i] + ",");
            }
            out.println("");
            out.println(result);
        }
    }
}