PHP Login Encryption Add salt

1 background

The system involved in authentication needs to store the user's authentication information, the commonly used user authentication method mainly is the user name and the password way, in order to be safe, the user input password needs to save as the ciphertext form, may use the open irreversible hash encryption algorithm, for example SHA256, SHA512, SHA3 and so on, For the same password, the same encryption algorithm will produce the same hash value, so that when the user authenticates, you can also apply the same hash encryption algorithm to the user input plaintext password, a hash value, and then use the hash value and the previously stored ciphertext value for comparison, if two values are the same, The password authentication succeeds, otherwise the password authentication fails.

Because the password is set by the user, in the actual application, the user set the password complexity may not be high, while different users are likely to use the same password, then these users corresponding ciphertext will be the same, so that when the database stored the user password is compromised, the attacker will be able to find the same password easily users, Thus also reduce the difficulty of password cracking, therefore, in the user password encryption, you need to consider to disguise the password, even the same password, should be saved as a different ciphertext, even if the user entered a weak password, but also need to consider the enhancement, thus increasing the difficulty of the password is compromised, The use of encrypted hash value with salt can satisfy this requirement.

2 Implementation method of the encryption salt 2.1 encrypted storage

Input: Password string password

Output: Salt, cipher cipher PasswordHash

Function: Cryptographic hash function

Where: "Salt" is a random string generated during the encryption process;

You can put the salt in front of the password as a prefix or put it behind password as a suffix to get the new string PS, that is, PS = password and salt combination string;

cipher cipher PasswordHash = hash encryption function (PS);

Save the username, ciphertext passwordhash, and salt value salt to the database.

2.2 Password Check

Input: Password string passwordcur

Output: Whether the password check was successful

Processing: 1), remove the salt value of the current user password encryption

2), the combination string PS of the password passwordcur and salt value of the input is obtained.

3), to obtain this input password ciphertext passwordhashcur= hash encryption function (PS);

4), compare the Passwordhashcur and the user initially set the cipher ciphertext PasswordHash is consistent, if consistent, the verification succeeds, otherwise the checksum fails.

3 Common password Attack methods

Common password attack methods include dictionary attack, brute force crack, check table method, reverse lookup table method, Rainbow table and so on.

In the case of dictionary attacks and brute force attacks, attackers use password-based attempts, and there is currently no good way to prevent dictionary attacks and brute force attacks, only to make the two attacks relatively inefficient. The same password produces a different hash value, allowing the attacker to try from scratch for each hash value, making the attack more inefficient.

For the lookup table method, the Reverse lookup table method and the Rainbow Table attack mode, the attacker needs to prepare the password table containing the password and password hash value in advance, then make batch match according to the table and the user password database, so as to achieve the purpose of breaking the password, and if we encrypt each password, we attach a different random value. So each password corresponding to the hash value will also be different, so that when the attacker prepares the password table, it must be the most basic password and the user password database of the salt value of the Cartesian product and then calculate the hash value, the more salt value, the user needs to prepare the larger the amount of the table, so for the attack, it becomes a bit more than the

4 Precautions for adding salt

The purpose of adding salt is to increase the difficulty of the attacker to crack, then add salt to pay attention to the following points, otherwise the meaning of salt will not be too big.

1), the salt value can not be too short, if the salt is only a few two or three or even one or two bits, the attacker can be completely poor to lift all possible salt values; an empirical value for the length of the salt is that the length of the value is at least consistent with the length of the return value of the hash cryptographic function.

2), salt value can not be fixed; if the system uses a fixed salt value, then with no salt equivalent is one thing, the attacker can fully use the fixed salt value to prepare the password table in advance, in addition, the same password corresponding hash value is still the same, still cannot hide the fact that the same password.

3), do not use the value can be predicted in advance as the salt value, if the salt value can be known in advance or inferred in advance, the attacker can also be fully based on the pre-predicted salt value to prepare the password list, so that the difficulty of cracking will not increase much.

4), each time the password re-calculated hash value, to regenerate the new salt value, do not use the last password corresponding to the salt value, because if the user password leaked, the corresponding salt value is disclosed, the user changes the password, if the original salt value, the attacker can still be in accordance with the previous salt value prepared in advance password table , which makes the likelihood of a breach higher.

PHP Login Encryption Add salt