MD5 is the most common cryptographic algorithm in Web applications. Because MD5 is irreversible, the ciphertext obtained after MD5 calculation cannot be obtained through reverse algorithms.
Looking back at the original intention of using MD5 to encrypt text passwords in Web applications, it is to prevent the passwords stored in the database from being obtained after being leaked. However, the attacker not only has a huge amount of data in the password dictionary, but also has established a lot of MD5 original/ciphertext control databases to quickly find the MD5 ciphertext of common passwords, which is an efficient way to decrypt the MD5 ciphertext. However, the MD5 ciphertext database uses the most common MD5 encryption algorithm: original --> MD5 --> ciphertext. Therefore, we can use the transformed MD5 Algorithm to make the ready-made MD5 ciphertext database useless.
The following is an example of a transformation algorithm.
Of course, the same results can be obtained in other web development languages.
Transformation 1: cyclic MD5
The easiest to understand is to perform multiple MD5 operations on a password. A custom function that accepts two parameters: $ data and $ times. The first parameter is the password to be encrypted, and the second parameter is the number of times of repeated encryption. There are two algorithms to implement this transformation --
<? PHP
// Iterative Algorithm
Function md5_1_1 ($ data, $ times = 32)
{
// Use MD5 repeatedly
For ($ I = 0; $ I <$ times; $ I ++ ){
$ DATA = MD5 ($ data );
}
Return $ data;
}
// Recursive Algorithm
Function md5_1_2 ($ data, $ times = 32)
{
If ($ times> 0 ){
$ DATA = MD5 ($ data );
$ Times --;
Return md5_1_2 ($ data, $ times); // implement Recursion
} Else {
Return $ data;
}
}
?>
Conversion 2: MD5 separated by ciphertext
Although the user's password is an uncertain string, after an MD5 operation, a string consisting of 32 characters can be obtained. In this case, the fixed length string can be transformed. A bit of BT's algorithm is to divide the ciphertext into several segments, perform an MD5 operation on each segment, then connect the ciphertext into an ultra-long string, and finally perform an MD5 operation, the resulting ciphertext is still a 32-bit ciphertext.
<? PHP
// Divide the ciphertext into two segments, each of which contains 16 characters
Function md5_2_1 ($ data)
{
// Encrypt the password into a 32-character ciphertext
$ DATA = MD5 ($ data );
// Split the password into two segments
$ Left = substr ($ data, 0, 16 );
$ Right = substr ($ data, 16, 16 );
// Encrypt the data separately before merging.
$ DATA = MD5 ($ left). MD5 ($ right );
// Finally, the long string is re-encrypted to a 32-character ciphertext.
Return MD5 ($ data );
}
// Divide the ciphertext into 32 segments, each of which contains 1 Character
Function md5_2_2 ($ data)
{
$ DATA = MD5 ($ data );
// Cyclically intercept each character in the ciphertext and encrypt and connect it
For ($ I = 0; $ I <32; $ I ++ ){
$ Data. = MD5 ($ data {$ I });
}
// At this time, $ data is 1024 characters in length, and an MD5 operation is performed again.
Return MD5 ($ data );
}
?>
Of course, the specific ciphertext segmentation algorithm is infinite. For example, the original ciphertext can be divided into 16 segments, each segment contains two characters, and 8 segments contains four characters, or the number of characters in each segment is not equal ......
Transform 3: append string interference
In a step of the encryption process, append a string (such as the user name) identified by the content to interfere with the encrypted data. Random strings cannot be used, because this will make the original algorithm unable to reproduce. This algorithm is advantageous in some situations. For example, if it is used to encrypt a large number of user passwords, the user name can be used as an additional interference string. In this way, even if Attackers know your algorithm, it is also difficult to generate a large number of comparison tables from the dictionary in their hands, and then crack a large number of user passwords. Only a few users can be targeted.
<? PHP
// Append the string to the end of the original data
Function md5_3_1 ($ data, $ append)
{
Return MD5 ($ data. $ append );
}
// Append the string to the header of the original data
Function md5_3_2 ($ data, $ append)
{
Return MD5 ($ append. $ data );
}
// Append the string to the beginning and end of the original data
Function md5_3_3 ($ data, $ append)
{
Return MD5 ($ append. $ data. $ append );
}
?>
Case-insensitive interference
Since all English letters in the ciphertext returned by the MD5 () function provided by PHP are in lower case, we can convert all of them into upper case and then perform an MD5 operation.
<? PHP
Function md5_4 ($ data)
{
// Obtain the ciphertext of the password first
$ DATA = MD5 ($ data );
// Convert all the English letters in the ciphertext into uppercase letters.
$ DATA = strtotime ($ data );
// Perform the MD5 operation again and return the result
Return MD5 ($ data );
}
?>
Conversion 5: String order interference
After the sequence of the ciphertext string after the MD5 operation is adjusted, the MD5 operation is performed again.
<? PHP
Function md5_5 ($ data)
{
// Obtain the ciphertext of the data
$ DATA = MD5 ($ data );
// Re-convert the Character Sequence of the ciphertext string
$ DATA = strrev ($ data );
// Perform the MD5 operation again and return the result
Return MD5 ($ data );
}
?>
Change 6. Change 7. Change 8 ......
The MD5 conversion algorithm is infinite, and you don't even have to create it yourself. You can use the five combinations to create a very BT algorithm. For example, loop encryption is followed by segmentation, and a string is appended to each segment before encryption, then the case is changed and the string order is reversed, and then a long string is connected and then MD5 is performed ......
Unfortunately, due to some vulnerabilities, such as SQL injection or database downloading in the file system, the user password data may be exposed, then, the MD5 conversion algorithm will greatly increase the difficulty of deciphering the original password. First, it will make a lot of MD5 original text/ciphertext on the Internet compare to the database (you need to know, this is the most efficient method for deciphering MD5) it is useless, and then attackers can use conventional algorithms to enumerate a string of ciphertext obtained by the transformation algorithm. Of course, the MD5 conversion algorithm is especially suitable for non-open-source web programs. Although its advantages in open-source programs will be weakened (we all know the algorithm ), however, it can also suppress the effect of MD5 original/ciphertext against the database. To carry out these complex transformation operations, of course, more system overhead will be required. However, for systems with strict security requirements, pay more for higher security, it is completely worthwhile.
Trackback: http://tb.blog.csdn.net/TrackBack.aspx? Postid = 590728