Modifying MD5 encryption improves Website Security

Note: This change can only be used at the beginning of website construction. If you change it halfway, it will cause problems.

You may be familiar with MD5, but are you sure you do? Do you know how the hash is implemented? Although we generally don't need to go to the root of the problem, we just need to download programs compiled by others directly.

Most people know the algorithm, so there are a lot of tools on the Internet to crack the MD5 hash value, but we can use our imagination to fully mobilize our enthusiasm for security, have you ever thought about rebuilding an MD5 algorithm? Let all the tools used to crack MD5 go to class now? Because MD5 is too widely used in our network, various websites need to save user information, but when saving the plaintext, they are afraid that the attacker may attack the website and download the database, therefore, MD5 is often used to hash all kinds of important data. However, there are many tools that can be used for simple cracking.

Let's first take a look at the MD5 hash algorithm, and then I will give another example to illustrate how to improve website security.

The following is a simple description. The space where X and Y are located is not described (X, A, Y, B ). Let's take a look at a hash algorithm that generally meets one of the following three conditions:

1. H is a unidirectional function. That is, for almost all h (x) = Y, if y is known to require X, it is not feasible in computing.

2. If X is known, finding x'' A makes it impossible to calculate h (x) = H (X '), which is weak and collision-free.

3. Find a pair of x and x', and X = x', so that h (x) = H (x'') is not feasible in computing, this is strongly non-collision.

This is called a secure and confidential hash function. The following is the message hashing process:

From the above table, we may see whether an initial vector IV is required on the left. This is the key point I have explained today, this initial vector is stored by four buffer registers A, B, C, and D in the MD5 algorithm, and each register is 32 bits. Their initial values are:

A = 0x67452301

B = 0x efcdab89

C = 0x 98 badcfe

D = 0x10325476

Here we can see the four hexadecimal values, which can also be seen as an initial seed. If you are clear about the MD5 algorithm process, we can see that this process involves some operations such as XOR and modulo operations to process 512-bit messages in each group, each group performs 4*16 operations, so I have a bold idea, but if we change the initial value slightly, isn't it another MD5 hash algorithm! We know that the values A, B, C, and C are 4*8 = 32 bits in hexadecimal notation, so we can calculate the probability space that may be cracked, if more actions are performed, the less likely the attack will be. As long as we change one character, we don't have to change the rest of the algorithm, so we won't make much changes to our program. Is it because we have found a new hash algorithm? In fact, we can see from the research on the hash algorithm, the US information compression standard Sha is also a bit similar to MD5 (mainly referring to the idea ).

Now, after introducing the MD5 knowledge, let's take a look at how to modify the source code of our website management program. Here I will describe it with the famous domestic online forum dvbbs7.0.

We all know that the user data in the Forum is like a password. The answer to the question is the MD5 hash. Generally, attackers download the database for cracking and get the Administrator's password, the default path is BBS \ data \ dvbbs7.mdb, which is used to modify the Database Name and change the conn accordingly. ASP settings.

Now we can find this file \ Inc \ md5.asp. This page is the Program for hash processing. If we modify this page, we will generate our new MD5 hash algorithm. Open it in notepad and find the place.

Now, let's see the values A, B, C, and D. Let's talk about them and see how you change them. Your convenience! But I suggest you just change one person, so try to change it as little as possible. For example, you can change a = 0x67452301 to a = 0x67452300 so that you can use a different MD5 algorithm. In this way, even if your database is downloaded, you can also use it with confidence. Let their MD5 cracking tools go to hell!

But I want to explain that people who know about the MD5 process may ask, will this change affect the operation? It may be difficult for experts to discuss this issue. At the same time, I want to tell you that MD5 applies to all the information, and our changes are only used by thousands or tens of thousands of users on a website, there should be no major problems, but it is indeed difficult to prove that this change can satisfy the three conditions mentioned at the beginning of the article, let the readers discuss it.