Use the MD5 transform algorithm to prevent exhaustive decoding of passwords

Source: Internet
Author: User
Tags file system md5 md5 encryption sql injection
Conversion | algorithm

MD5 is the most commonly used cryptographic encryption algorithm in Web applications. Since the MD5 is irreversible, the ciphertext after MD5 calculation can not get the original text through the reverse algorithm.

The intention of using MD5 encrypted text passwords in Web applications is to prevent the passwords stored in the database from being compromised and then being directly acquired. However, the attackers not only have a large number of password dictionaries, but also set up a lot of MD5 original/ciphertext control database, can quickly find common password MD5 ciphertext, is the efficient way to decipher MD5 ciphertext. However, the MD5 ciphertext database uses the most conventional MD5 encryption algorithm: The original-->md5--> ciphertext. Therefore, we can use the transform MD5 algorithm to make the ready-made MD5 ciphertext database inactive.

Here are some examples of transformation algorithms, which, of course, are similar in other Web development languages and have the same results.

Transform one: circulation MD5

The easiest transformation to understand is to perform multiple MD5 operations on a single password. Customize a function that accepts $data and $times two parameters, the first is the password to be encrypted, and the second is the number of times the encryption is repeated. There are two kinds of algorithms for implementing this transformation:

        Iterative algorithm function md5_1_1 ($data, $times = 32) {//cyclic use md5for ($i = 0; $i < $times; $i + +) {$data = MD5 ($data);} return $data;} Recursive algorithm function md5_1_2 ($data, $times =) {if ($times > 0) {$data = MD5 ($data); $times--;return md5_1_2 ($data, $times); Implement recursive} else {return $data}}? >

Transform two: Ciphertext segmentation MD5

Although the user's password is an indeterminate string, a 32-character string can be used to transform the fixed-length string once the MD5 operation has been made. A bit of the BT algorithm is, this section of the cipher into a number of segments, for each section of a MD5 operation, and then the heap of ciphertext into a long string, and finally a MD5 operation, get still length of 32-bit ciphertext.

        The cipher is divided into two segments, each 16 characters function md5_2_1 ($data) {//Encrypt the password into 32 characters of ciphertext $data = MD5 ($DATA);//Divide the password into two paragraphs $left = substr ($data, 0, 16 $right = substr ($data, 16, 16);//encrypt and then merge $data = MD5 ($left). MD5 ($right);//Finally, the long string is again encrypted again, becoming 32 characters Fumi Wan return MD5 ($DATA);}  Divide the cipher into 32 segments, 1 characters function md5_2_2 ($data) {$data = MD5 ($DATA),//iterate over each character in the ciphertext and encrypt, connect for ($i = 0; $i <; $i + +) {$data . = MD5 ($data {$i});} At this time $data length is 1024 characters, again MD5 Operation return MD5 ($DATA); >

Of course, this ciphertext segmentation of the specific algorithm is countless, such as the original ciphertext can be divided into 16 paragraphs per paragraph two characters, 8 paragraphs per paragraph 4 characters, or the number of characters in each paragraph is not equal ...

Transform three: additional string interference

In one step of the encryption process, attach a content-determined string (such as user name), interfering with the encrypted data. You can not use random strings, because this will make the original algorithm can not reproduce. This algorithm in some cases is very advantageous, for example, for a large number of user password encryption, you can use the user name as an additional interference string, so that the attacker even know your algorithm, it is difficult from their hands in the dictionary to generate a large number of tables, and then a lot of deciphering user passwords, Only targeted to the poor to mention a small number of users.

        The attached string is at the tail function md5_3_1 ($data, $append) of the original data {return MD5 ($data. $append);} The additional string is in the header function Md5_3_2 ($data, $append) of the original data {return MD5 ($append. $data);} Additional strings are Md5_3_3 ($data, $append) {return MD5 ($append. $data. $append) at the ends and ends of the original data; >

Transform four: case change interference

Since the MD5 () function returned by PHP is all lowercase, we can turn all of them into uppercase and then perform a MD5 operation.

        function Md5_4 ($data) {//cipher First $data = MD5 ($DATA);//Then the English mother in the ciphertext is converted to uppercase $data = Strtotime ($data); Finally, a MD5 operation is performed and returned to return MD5 ($DATA); >

Transform Five: string order interference

After the sequence of the ciphertext string after the MD5 operation is reversed, another MD5 operation is performed.

        function Md5_5 ($data) {//the ciphertext $data = MD5 ($data) of the data, and/or the character order of the ciphertext string is reversed $data = Strrev ($data), and then the MD5 operation is performed again and returns return MD5 ( $DATA); >

Transform six, transform seven, transform eight ...

MD5 transform algorithm is countless, and even do not need to create their own, using the above five combinations can make a very BT algorithm. For example, after the first cycle of encryption and then split, and each paragraph appended with a string and then encrypted separately, and then transform the case and reverse the sequence of strings into a long string and then MD5 operation ...

If it is really unfortunate, because some vulnerabilities, such as SQL injection or file system in the database is downloaded and the user password data exposure, then MD5 transform algorithm can greatly increase the difficulty of deciphering the original password, the first is to make a lot of online MD5 original/ciphertext control database (to know , which is the most efficient way to decipher MD5, is not used, and then the attacker uses conventional algorithms to get a bunch of ciphertext from the transformation algorithm and get burned. Of course, the MD5 transform algorithm is particularly suitable for use in non-open-source Web applications, although the advantages of using in open source programs will be weakened (we all know the algorithm), but also can inhibit the MD5 text/ciphertext control database function. To carry out these complex transformation operations, of course, it will cost more system overhead, but for security requirements of the system is very strict, more to pay for a higher security, it is entirely worthwhile.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.