Talking about hash algorithm and CSDN password leakage event

Http://www.cnbeta.com/articles/166531.htm

First, the hash algorithm is not a cryptographic algorithm
Hash algorithm is a kind of message digest algorithm, not a cryptographic algorithm, but because of its one-way operation, has certain irreversibility, becomes an integral part of the encryption algorithm, the complete encryption mechanism cannot rely only on the hash algorithm.

Two, the collision phenomenon of hash algorithm
The hash algorithm can be understood to be a fixed-length string after refining arbitrary information. The number of information in the world is infinite, so the fixed-length string cannot express all the summaries, so there is so-called "collisions", that is, 2 of the same information source digests are the same. 2004 Shandong University Wang Xiaoyun put forward a quick search for "collision pair" algorithm, causing the security community for the hash algorithm of great concern, NIST proposed to 2010 no longer use MD5 and SHA-1. Currently available hash algorithms include: sha-256,sha-512,sha-224,sha-384. The draft fips180-4 in February 2011 also added sha-512/224,sha-512/256. These algorithms are SHA-2 series algorithms, and the sha3-256 algorithm is coming soon. About collisions must also say that there is a chance to find a collision pair, but does not mean that the hash algorithm is negated overall, such as the whole hash of the contract text and digital signature, if the collision is found, it is difficult to revert to a normal text, if it is a bunch of garbled, no one will recognize this file, Without tampering with the hash of the premise can not have a meaningful modification of the contract.

Third, the crack of hash and social engineering
Hash algorithm itself is one-way, it is difficult to directly crack, the existing crack is to calculate the characters commonly used character hash value after the reverse comparison. For example, password 123456, assuming that the MD5 value is 1ab9744e58acee3ed8f03508cbf82bf5, then the database found the MD5 value to know the password. Through the application of social engineering, a large number of commonly used passwords can be directly cracked.

Four, the reasonable use hash algorithm
1. Abolition of the old algorithm, at least the use of sha-256,64-bit operating system SHA-512 operation speed is better, recommended selection
2. Add a reasonable "SALT", that is, the interference string. Example: Salt1=c ' 3/$xUM, 5ltl4pze;avf9#kgmet^ salt2=1qyis,vosfn%uhhm5+3tx: #iety0d calculate hash SHA-512 (salt1+ username +salt2+ password) Then the social engineering and the current violence cannot be solved.
3. Do not assume that using the hash algorithm together is safe. For example, MD5+SHA1, or SHA1 (MD5) nesting, has been documented to be invalid.

Finally, we hope that programmers can read more literature, keep up with international security standards, and avoid the impact of security incidents as much as possible.

Talking about hash algorithm and CSDN password leakage event