Using MD5 transform algorithm to prevent poor lifting (collision) decoding Password _php tutorial

Source: Internet
Author: User
Tags md5 encryption
MD5 is the most commonly used cryptographic encryption algorithm in Web applications. Since the MD5 is irreversible, the ciphertext can not be obtained by the inverse algorithm after the MD5 computation.

Recalling the intention of using MD5 to encrypt text passwords in Web applications is to prevent the passwords stored in the database from being directly obtained after they are unfortunately compromised. But attackers not only have a large number of data cipher dictionary, but also set up a lot of MD5 original/ciphertext control database, can quickly find common password MD5 ciphertext, is to decipher MD5 ciphertext efficient way. However, the MD5 ciphertext database uses the most common MD5 encryption algorithm: The original-->md5--> ciphertext. Therefore, we can use the transformed MD5 algorithm to make the ready-made MD5 ciphertext database inactive.


Examples of some transformation algorithms are shown below
Of course, in other web development languages, the same is true, and the same results can be obtained entirely.

Transformation One: Cyclic MD5

The easiest to understand transformation is the MD5 operation of a password multiple times. Customize a function that accepts $data and $times two parameters, the first is the password to encrypt, and the second is the number of times to repeat the encryption. There are two kinds of algorithms for implementing this transformation--

Iterative algorithm
function Md5_1_1 ($data, $times = 32)
{
Cyclic use of MD5
for ($i = 0; $i < $times; $i + +) {
$data = MD5 ($DATA);
}
return $data;
}

Recursive algorithm
function Md5_1_2 ($data, $times = 32)
{
if ($times > 0) {
$data = MD5 ($DATA);
$times--;
Return Md5_1_2 ($data, $times); Implementing recursion
} else {
return $data;
}
}
?>

Transformation Two: Ciphertext segmentation MD5

Although the user's password is an indeterminate string, once the MD5 operation is performed, a 32-character string is obtained, which can then be transformed against the fixed-length string. A bit of the BT algorithm is to divide the ciphertext into a number of paragraphs, to each section of the MD5 operation, and then the pile of ciphertext into an extra-long string, and then a MD5 operation, to get the length is still 32 bits of ciphertext.

Divide the ciphertext into two paragraphs, 16 characters per paragraph
function Md5_2_1 ($data)
{
First encrypt the password into 32-character ciphertext
$data = MD5 ($DATA);
Divide the password into two segments
$left = substr ($data, 0, 16);
$right = substr ($data, 16, 16);
Encrypt and merge separately
$data = MD5 ($left). MD5 ($right);
Finally, the long string encryption once again, become 32 characters redaction
return MD5 ($DATA);
}

Divide the ciphertext into 32 paragraphs, 1 characters per paragraph
function Md5_2_2 ($data)
{
$data = MD5 ($DATA);
Loops through each character in the ciphertext and encrypts, connects
for ($i = 0; $i < $i + +) {
$data. = MD5 ($data {$i});
}
At this point the $data length is 1024 characters, then one MD5 operation
return MD5 ($DATA);
}
?>

Of course, this ciphertext segmentation of the specific algorithm is countless, such as the original ciphertext can be divided into 16 paragraphs each paragraph two characters, 8 paragraphs each paragraph 4 characters, or the number of characters in each paragraph is not equal ...

Transform three: Additional string interference
In one step of the encryption process, attach a string of content determination (such as a user name) to interfere with the encrypted data. You cannot use random strings, because this will make the original algorithm impossible to reproduce. This algorithm in some cases is very advantageous, for example, for a large number of user password encryption, you can use the user name as an additional interference string, so that attackers know your algorithm, it is difficult to generate a huge number of tables in their dictionary, and then a lot of decipher user passwords, Only targeted, poor, few users.

Append string at the end of the original data
function Md5_3_1 ($data, $append)
{
return MD5 ($data. $append);
}

Append string to the head of the original data
function Md5_3_2 ($data, $append)
{
return MD5 ($append. $data);
}

Append string to the origin of the original data
function Md5_3_3 ($data, $append)
{
return MD5 ($append. $data. $append);
}
?>

Transform four: case-sensitive transformation interference
Since the MD5 () function returned by PHP has all lowercase letters in the ciphertext, we can capitalize all of them and then perform a MD5 operation.

function Md5_4 ($data)
{
Get the cipher ciphertext first.
$data = MD5 ($DATA);
To capitalize all the English mothers in the ciphertext.
$data = Strtotime ($data);
Finally, we perform a MD5 operation and return
return MD5 ($DATA);
}
?>

Transform five: string order interference
After the MD5 operation, the sequence of ciphertext string is reversed, then a MD5 operation is performed.

function Md5_5 ($data)
{
Get the data ciphertext
$data = MD5 ($DATA);
and reverse the character sequence of the ciphertext string.
$data = Strrev ($data);
Finally, we perform a MD5 operation and return
return MD5 ($DATA);
}
?>

Transform six, transform seven, transform eight ...

MD5 transform algorithm is a number of countless, and even without their own to create, using the above five to each other together can make a very BT algorithm. For example, first loop encryption and then split, and append a string to each paragraph and then encrypt separately, and then transform the case and reverse the string sequence after a long string of MD5 operation ...

If it is really unfortunate, due to some loopholes, such as SQL injection or the database in the file system is downloaded and different user password data exposure, then the MD5 transform algorithm can greatly increase the difficulty of deciphering the original password, the first is to make online a lot of MD5 original/ciphertext control database (to know , which is the most efficient way to decipher MD5, is no use, and then is to make the attacker use the conventional algorithm to the poor to lift a string by the transformation algorithm obtained by the ciphertext and got burned. Of course, the MD5 transform algorithm is particularly suitable for use in non-open source Web applications, although the advantages of using open source programs will be weakened (we all know the algorithm), but also can suppress MD5 original/ciphertext control of the role of the database. To do these complex transformations, of course, it will cost more overhead, but for the security requirements of the system, pay more for the higher security, it is completely worthwhile.

http://www.bkjia.com/PHPjc/532414.html www.bkjia.com true http://www.bkjia.com/PHPjc/532414.html techarticle MD5 is the most commonly used cryptographic encryption algorithm in Web applications. Since the MD5 is irreversible, the ciphertext can not be obtained by the inverse algorithm after the MD5 computation. Review the web should ...

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.