1. What is MD5?
Baidu Encyclopedia Abstract:
MD5 Message-Digest Algorithm (English: MD5 Message-Digest Algorithm), a widely used cryptographic hash function, can produce a 128-bit (16 byte) hash value (hash value), use To ensure complete and consistent information transmission. MD5 was designed by American cryptographer Ronald Linn Rivest and published in 1992 to replace the MD4 algorithm. The procedure of this algorithm is regulated in the RFC 1321 standard.
2. Why is encrypted storage required?
Here is a chestnut:
China's first "penalty ticket" since the implementation of the information security level protection system-CSDN website user data leakage case
On the morning of December 21, 2011, a hacker published the user database of the developer technology community CSDN website on the Internet. Including more than 6 million registered email accounts and corresponding plain text passwords.
什么是明文密码?
The following is some information I generated in mongoDB, you can intuitively see that the password corresponding to the user's name is directly identifiable, that is, the password here is the real password entered by the user during the login process. The final storage in the database is without any encryption operations. First of all, the data stored in plain text can be intuitively identified by users such as DBA and back-end engineers under the premise of no leakage. Secondly, once a data leak occurs, the result can be imagined.
这是当时遭到曝光和外泄的明文注册邮箱账号和密码
3. What is MD5 encryption?
Chestnut: Such a password is encrypted and stored.
At this time, some friends may already think that although the password looks very different from the ordinary password of "123456", it seems to be in plain text, and users should log in. Use such unrelated strings? With this question, we have to take a good look at how MD5 is encrypted.
4. MD5 encryption features
The MD5 encryption used here is a functional encryption, so the encryption result must be the same every time, without random bits.
Regardless of whether the encrypted text is long or short, it is always a 32-bit mixed string.
MD5 has no possibility of inverse function cracking, which means that MD5 cannot be cracked mathematically (cannot be reverse cracked)
Six, code implementation
The server receives the user's login information, which I obtained and encrypted through Node.js.
First of all, Node uses MD5 to encrypt data, without downloading the module, you can directly introduce the crypto module.
let crypot = require("crypto"); // 加密操作模块
After introducing the module, create a hash and use update and digest to encrypt the data
let md5 = crypot.createHash("md5");
let password = md5.update(pwdInit).digest("base64");
// pwdInit 用户原始登录密码
// password 加密后的MD5字符串
Therefore, the application of MD5 to encrypt and store data here, in fact, the surface logic is very simple, that is: when a user registers, the user ’s password is encrypted by MD5 and the "password" obtained by "pwdInit" is stored in the database (for example: 123456 => E10ADC3949BA59ABBE56E057F20F883E), so that the user ’s real password will not be directly exposed. Then when a user logs in, he only needs to enter his original password to log in. The original login password will be converted into a 32-bit string format on the server through MD5, and then find the corresponding user name information and compare For the encrypted 32-bit character string passwords, if they are all the same, it means that the login is successful. So far, even if such encrypted data is leaked, hackers cannot know the real password behind the ciphertext.
案例服务端代码:
let express = require("express");
let app = express();
let crypot = require("crypto"); // 加密操作模块
let db = require("./Mongo_DIY_modules") // Mgo 自定义封装模块
// 登录页面
app.use("/", express.static("./public"));
// 登录路由
app.get("/checklogin", (req, res) => {
let username = req.query.username;
let userpwd = req.query.userpwd;
// 根据填写的姓名,去数据库寻找该文档/集合
// 如过用户名存在,则读取密码进行比对,判断登录成功或失败
db.find({
"dbName": "homeDB", // 数据库名
"collectionName": "loginMD5", // 集合名
"json": {
"name":username // 查询条件
},
"callback": function(err, result) { // 查询结果
if(result.length == 0){
res.send("用户名输入有误");
} else {
if(result[0].pwd === MD5(userpwd)){ // 比对加密后的32位字符串密码
res.send(result[0].name + " 登录成功!")
} else {
res.send("密码错误");
}
}
}
});
});
// 注册路由 (未作用户名同名判断)
app.get("/regist", (req, res) => {
console.log(req.query);
db.insertOne("homeDB", "loginMD5", {
"name":req.query.username,
"pwd":MD5(req.query.userpwd)
}, (err, result) => res.send(result));
});
// 运行服务器
app.listen(3000);
function MD5(pwd) {
let md5 = crypot.createHash("md5");
let password = md5.update(pwd).digest("base64");
return password;
}
7. Decryption of MD5
The general cracking tools are dictionary mode. Find the clear code by listing the corresponding dictionary of a large number of "clear text-passwords". That is, by exhaustive combination of characters, a corresponding query database in plaintext and ciphertext is created.
What is the way of exhaustive character combination?
You can see the common online MD5 encryption and decryption website, how to do it:
MD5加密:
you can see that the encrypted data can be encrypted into a 32-bit string regardless of the length and complexity, and the encryption result must be the same every time (MD5 encryption is a functional type encryption)
MD5解密:
Through the decryption of online websites, you can find that ordinary numbers can be easily cracked, and complex character combinations are difficult to crack.
Therefore, the so-called exhaustive decryption is actually to create a plaintext ciphertext corresponding query database. The huge data is first encrypted into the corresponding ciphertext and stored. When a similar string of MD5 ciphertext appears, it is traversed in the dictionary library. Find and find the same ciphertext, and the corresponding plaintext is naturally found. This decryption process is-exhaustive decryption.
这是某个在线MD5揭秘网的解密范围
Combination form:
ciphertext type: It
can be said that the decryption range of the decryption website for MD5 is still very high. Therefore, it is usually best not to use only one layer of encryption when using MD5 encryption. You can use MD5 to encrypt multiple layers of plain text and add other characters to achieve a high degree of cracking effect. such as:
let crypot = require("crypto");
// 这是MD5加密的封装方法
function MD5(pwd) {
let md5 = crypot.createHash("md5");
let password = md5.update(pwd).digest("base64");
// base64 是网络上最常见的用于传输8Bit字节码的编码方式之一
return password;
}
let pwd = "123321";
MD5(pwd) // 对pwd进行一层加密 yIN7I/+Kqoot3pFUc84JkQ== 可轻易在线解密
MD5(MD5(pwd)) // 对pwd进行两层层加密 M9o6WW74mkgDA7Zma5Xc4g== 解密相对耗时
MD5(MD5(MD5(pwd))) // 对pwd进行三层层加密 lVKhRjOEZ45+9MVOXHBfYg== 解密困难
MD5(pwd + MD5(pwd)) // 组合自定义字符 B3S+VTISt62HgVFcL8m4Yg= 破解失败
8. Summary
When storing sensitive data in the database, never use plain code for storage. The role of MD5 is to convert the plain code into a string that cannot be cracked in the reverse direction. This can effectively prevent the database from being invaded and lead to the direct leakage of sensitive data.
