Multiple MD5 hash iterations in Shiro's SimpleHash

Apache Shiro is a powerful and easy-to-use Java security framework that implements authentication, authorization, password handling and session management, and it integrates easily with Spring Boot.
Most web applications persist user passwords as hash(password + salt) rather than in the clear. When Shiro performs authentication, you configure a credentials matcher that re-hashes the submitted password the same way so it can be compared with the value stored in the database. (MD5 with a handful of iterations is a weak choice for password storage in the first place; this post is only about how Shiro interprets the iteration count.) Here is an example configuration of a hashed credentials matcher in Shiro:

import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.springframework.context.annotation.Bean;

@Bean
public HashedCredentialsMatcher hashedCredentialsMatcher() {
  HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
  hashedCredentialsMatcher.setHashAlgorithmName("md5"); // use the MD5 hash algorithm
  hashedCredentialsMatcher.setHashIterations(2);        // number of hash iterations
  hashedCredentialsMatcher.setStoredCredentialsHexEncoded(true); // stored hash is a hex string
  return hashedCredentialsMatcher;
}

I started learning Shiro a couple of days ago and noticed that a large share of the Chinese tutorials claim that setting the iteration count to 2 is equivalent to md5(md5(password)), i.e. running MD5 twice on the hex string. A quick search turned up several articles repeating this view.

In fact these tutorials are mistaken: two hash iterations do not mean md5(md5(password)). This is easy to test.

Take the string "hello" as an example and compare the two ways of hashing it twice with MD5.

Under the md5(md5(password)) reading, hashing "hello" twice means feeding the 32-character hex result of the first round back in as a string. In Java, using Shiro's own Md5Hash for each round, that looks like this:

import org.apache.shiro.crypto.hash.Md5Hash;

String hash = "hello";
int iterations = 2;
for (int i = 0; i < iterations; i++) {
  hash = new Md5Hash(hash).toHex(); // each round hashes the hex string of the previous round
}
// first MD5 result:  5d41402abc4b2a76b9719d911017c592
// second MD5 result: 69a329523ce1ec88bf63061863d9cb14

Running two MD5 iterations through Shiro's built-in SimpleHash gives a different result:

import org.apache.shiro.crypto.hash.SimpleHash;

String hash = "hello";
String salt = null; // no salt in this test
int iterations = 2;
SimpleHash simpleHash = new SimpleHash("MD5", hash, salt, iterations);
String hex = simpleHash.toHex(); // hex encoding of the final 16-byte digest
// MD5 result after two iterations: 62109206880d38a4010a98e11243924a

So iterated MD5 in Shiro's SimpleHash is clearly not the same as nesting md5() calls on the hex string.
To see why, it helps to recall briefly how the MD5 hashing process works.

MD5 hashing algorithm principle

The MD5 algorithm can be thought of as a "function": any binary string can be given to it as input, and after hashing it always produces a fixed 128-bit binary string (a large integer). Converting that integer to hexadecimal yields the familiar 32-character MD5 value.

The hashing process is roughly as follows:

  1. Bit padding: append a 1 bit followed by zeros until the length is 448 mod 512, then append the original message length as a 64-bit value
  2. Split the padded message into 512-bit blocks, and each block into 16 32-bit words; initialise four 32-bit state registers with the standard "magic number" constants, process every block in four rounds of operations, and add each block's result back into the four registers
  3. After all blocks are processed, concatenate the four registers from low address to high (little-endian), giving 128 bits, i.e. 16 bytes
  4. Hex-encode those bytes to obtain the final 32-character MD5 value
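The four steps above carried out in code, as an added example (not code from the original post or from Shiro): a from-scratch MD5 in Python that exposes the padding, the 16-byte raw digest and the hex encoding as separate functions, and cross-checks itself against the standard library. The constants, rotation amounts and round functions are those of RFC 1321; nothing else is assumed.

```python
import hashlib
import math
import struct

# Per-step left-rotation amounts (RFC 1321): four rounds of 16 steps.
_S = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
      + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
# Additive constants: K[i] = floor(|sin(i + 1)| * 2^32).
_K = [int(abs(math.sin(i + 1)) * (1 << 32)) & 0xFFFFFFFF for i in range(64)]
# The four initial 32-bit state words (the "magic numbers").
_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md5_pad(message: bytes) -> bytes:
    """Step 1 (bit padding): append 0x80, zero-fill to 56 bytes mod 64, then
    the original length in bits as a 64-bit little-endian integer."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_digest(message: bytes) -> bytes:
    """Steps 2 and 3: compress each 512-bit block into the four state words and
    return them as 16 raw bytes (little-endian, low word first)."""
    a0, b0, c0, d0 = _INIT
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):
        m = struct.unpack("<16I", padded[off:off + 64])  # 16 words of 32 bits
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:      # round 1
                f, g = (b & c) | (~b & d), i
            elif i < 32:    # round 2
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:    # round 3
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:           # round 4
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + _K[i] + m[g]) & _MASK
            a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
        # Add this block's result back into the running state.
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def md5_hex(message: bytes) -> str:
    """Step 4: the 32-character string everyone calls 'the MD5' is just the
    hex encoding of those 16 bytes."""
    return md5_digest(message).hex()


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return md5_digest(message) == hashlib.md5(message).digest()


if __name__ == "__main__":
    for sample in (b"", b"hello", b"a" * 200):
        print(md5_hex(sample), len(md5_digest(sample)), matches_hashlib(sample))
```

The point to take from this for the rest of the post: md5_digest() is the real output of the algorithm, 16 bytes, and md5_hex() is only a presentation of it. Which of the two gets fed back into the next round is exactly what separates the two "double MD5" results.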

Looking at the iterated hashing in the SimpleHash source

private void hash(ByteSource source, ByteSource salt, int hashIterations) throws CodecException, UnknownAlgorithmException {
  byte[] saltBytes = salt != null ? salt.getBytes() : null;
  byte[] hashedBytes = this.hash(source.getBytes(),
                      saltBytes, hashIterations); // perform the hash
  this.setBytes(hashedBytes);
}

protected byte[] hash(byte[] bytes, byte[] salt, int hashIterations) throws UnknownAlgorithmException {
  MessageDigest digest = this.getDigest(this.getAlgorithmName());
  if (salt != null) {
    digest.reset();
    digest.update(salt); // the salt is prepended to the input of the first round only
  }
  byte[] hashed = digest.digest(bytes); // first round: raw digest bytes, not a hex string
  int iterations = hashIterations - 1;

  for(int i = 0; i < iterations; ++i) { // remaining rounds, one per extra iteration
    digest.reset();
    hashed = digest.digest(hashed); // re-hash the previous round's raw bytes
  }
  return hashed;
}

The source makes everything clear: each SimpleHash round produces a 128-bit (16-byte) binary string, and every further iteration feeds those raw bytes back into the digest. The hex conversion happens only once, at the end, when the caller asks for toHex(); it is never the hex string of the previous MD5 value that gets re-hashed.
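To make the difference between the two readings concrete, here is an added example (written for this post, not code from Shiro) that reimplements the SimpleHash.hash() loop shown above in Python next to the tutorials' md5(md5(x)) recipe, and then performs the comparison that HashedCredentialsMatcher does against a hex-encoded stored credential. The only assumptions are the sample password "hello" and the iteration count 2 used in the tests above; hashlib and hmac are the Python standard library.

```python
import hashlib
import hmac
from typing import Optional

# Sample inputs, constructed for this example (the same as the page's test).
PASSWORD = "hello"
ITERATIONS = 2


def shiro_simple_hash(algorithm: str, source: bytes, salt: Optional[bytes],
                      iterations: int) -> bytes:
    """Python mirror of SimpleHash.hash(byte[] bytes, byte[] salt, int hashIterations).

    The salt, if any, is fed to the digest first, then the source bytes. Every
    further iteration digests the previous *raw* digest output; nothing is
    hex-encoded between rounds."""
    if iterations < 1:
        raise ValueError("hashIterations must be at least 1")
    digest = hashlib.new(algorithm)
    if salt is not None:
        digest.update(salt)
    digest.update(source)
    hashed = digest.digest()
    for _ in range(iterations - 1):
        hashed = hashlib.new(algorithm, hashed).digest()
    return hashed


def hex_chain(source: bytes, iterations: int) -> str:
    """The md5(md5(x)) reading from the tutorials: each round hashes the
    32-character hex *string* produced by the previous round."""
    current = source
    for _ in range(iterations):
        current = hashlib.md5(current).hexdigest().encode("ascii")
    return current.decode("ascii")


def credentials_match(stored_hex: str, submitted: str, salt: Optional[bytes],
                      iterations: int) -> bool:
    """What HashedCredentialsMatcher does with storedCredentialsHexEncoded=true:
    hash the submitted password the SimpleHash way and compare hex strings
    (constant-time, as a matcher should)."""
    computed = shiro_simple_hash("md5", submitted.encode("utf-8"), salt, iterations).hex()
    return hmac.compare_digest(computed, stored_hex.lower())


if __name__ == "__main__":
    pw = PASSWORD.encode("utf-8")
    shiro_hex = shiro_simple_hash("md5", pw, None, ITERATIONS).hex()
    naive_hex = hex_chain(pw, ITERATIONS)
    print("SimpleHash, 2 iterations:  ", shiro_hex)
    print("md5(md5(x)) on hex strings:", naive_hex)
    # A credential stored by the md5(md5(x)) recipe will never match a matcher
    # configured with setHashIterations(2), even though both are "MD5 twice".
    print("matcher accepts SimpleHash credential: ",
          credentials_match(shiro_hex, PASSWORD, None, ITERATIONS))
    print("matcher accepts md5(md5(x)) credential:",
          credentials_match(naive_hex, PASSWORD, None, ITERATIONS))
```

Run as a script, the first printed value should be the figure reported above from SimpleHash itself, and the second the 69a329... value from the hex-string loop. The two credentials_match() calls show the practical consequence: only a credential generated with the same raw-byte iteration (and the same salt) passes the matcher.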

Conclusion

So two MD5 iterations in Shiro's SimpleHash are not equal to md5(md5(password)). The difference is that SimpleHash re-hashes the 16-byte binary result of the first round and only hex-encodes the final digest, whereas md5(md5(password)) hex-encodes after the first round and then hashes those 32 ASCII characters as a new input. The practical consequence is that a stored credential produced by the md5(md5(password)) recipe will not match a HashedCredentialsMatcher configured with setHashIterations(2); the stored hash must be generated with SimpleHash (or Md5Hash) using the same salt and iteration count the matcher uses.


Origin juejin.im/post/5e800267518825738c362792