Hash algorithm is a one-way hash algorithm, which maps a larger set P to another smaller set Q, adding this algorithm is called H, there is Q=H(P). For any value p in P, there is a unique q corresponding to it, but one q can correspond to multiple p. As a useful Hash algorithm, H should also satisfy: H(P) is relatively fast; given a q, it is difficult to infer a p that satisfies q=H(p); given a p1, it is difficult to calculate an inequality p2 of p1 is such that H(p1)=H(p2). Because of these characteristics, hash algorithms are often used to save passwords, so that the plaintext of the password is not leaked, and the entered password can be verified to be correct. Commonly used hash algorithms are MD5, SHA1, etc.
The task of cracking Hash is to give a q and invert a p to satisfy q=H(p). Usually we can think of two methods. One is the brute force method, which calculates H(p) for each p and knows that the result is equal to q; Both p and the corresponding q are recorded, press q to make an index, and check the table below. In theory, both methods are feasible, but in practice, the former requires a huge amount of time, and the latter requires a huge amount of space, so that human resources cannot be realized.
The fundamental principle of the rainbow table is to combine the brute force method and the look-up table method, and obtain a compromise between the two.
What it does is, for a Q=H(P), establish another algorithm R such that P=R(Q), and then for a p, do the calculation like this:
p0 - H - > q1 - R -> p1 ... - H - > qn - R -> pn
Simply put, q is iteratively operated with H and R in turn, and finally pn is obtained, and n may be relatively large. Finally, we store both p0 and pn, and discard the other results. Then substitute different p0 into the calculation to get multiple pairs of such p
When cracking, given a q, let's find p, first perform an R operation on q to get a value c1, if it is equal to a certain pn, then it is possible that the p(n-1) corresponding to this pn is what we are looking for p, in order to verify that we do a chain calculation of p0 corresponding to pn, and compare whether qn is the given q. If so, it is obvious that p(n-1) is the p we are looking for. If not, continue to traverse All p0pn pairs
If not, we calculate q - R -> c1 - H -> qx - R -> c2, and then compare whether c2 is pn. If so, then p(n-2) may be p, and so on
In general, a p0pn pair is used to store the data of a chain. If n is large, the storage space can be greatly reduced. The problem this brings is that n comparisons must be made, and the event is longer, but we do not need to crack it instantly, it is acceptable to wait a few seconds or even days to crack a password
Of course, this is only the most superficial principle. If you think about it carefully, there are still many problems, such as the choice of R, the handling of Hash conflicts, how to choose po to achieve sufficient coverage, and how to generate rainbow tables under limited resources. If you are interested, you can look at the source code of RainbowCrack http://www.project-rainbowcrack.com/