[Frontend] Learning about Hash and MD5

Wikipedia description of Hash

Hash (sometimes transliterated directly) converts an input of any length into a fixed-length output through a hash algorithm; the output is the hash value. This conversion is a compression mapping: the space of hash values is usually much smaller than the space of inputs, and different inputs may hash to the same output, so it is impossible to determine a unique input value from the hash value. Simply put, it is a function that compresses a message of any length into a message digest of a fixed length. (Source: Baidu Encyclopedia)

  • MD5 is one kind of Hash algorithm; other common Hash algorithms include sha1, sha2 and so on.

  • MD5 is also known as the message-digest algorithm. Because the algorithm is not complex enough, it is easy to crack by brute force.

  • The sha1 algorithm has the same problem as MD5.

Features of Hash

  • Algorithms are public
  • Operate on the same data and get the same result
  • For different data, using the same algorithm, the length of the result is the same; for example, MD5 results are all 32-character strings
  • The operation cannot be reversed

Application Scenarios of Hash

Through its characteristics, we can talk about Hash's application scenarios

Login password encryption

During the development process, we need to send the user password to the server for account verification when logging in for the first time, but the user password is very private information, so it must be protected by encryption.

Use Hash/MD5 directly

A common solution at present is to use the Hash or md5 value of the password for authentication.

Client

Directly perform the Hash operation on the password entered by the user, and send the result to the server for verification. Because the Hash algorithm cannot be reversed, even if the Hash value is leaked, the user's real password will not be leaked.

Server

This needs the cooperation of the server. When the user registers, the Hash value of the user's password is saved in the server's database instead of the password itself (according to the characteristics of Hash, hashing the same data always gives the same result). In this way, even if the server is compromised, the user's private information can be protected to a certain extent.

That is why all kinds of products now only provide the function of resetting the password, and no longer have the function of retrieving the password. Because the server itself does not know the real password of the user.

Special note: user passwords are very private information, because most users share one habit: they like to reuse passwords. If your APP leaks a user's password, it is very likely that hackers can use the user's mobile phone number and password to log in to the user's other applications, or extract the user's payment information. The consequences of this are very serious!

An additional note

The case mentioned above is already very "safe" in theory. Because even if a hacker knows your Hash value, he cannot reversely calculate the user's password. But the situation is not optimistic. Seeing is believing!

Take MD5 as an example: if my password is 123456, the MD5 result is: e10adc3949ba59abbe56e057f20f883e

Next, we would like to introduce a website: www.cmd5.com/
We only need to perform a reverse query on the Hash value.

You may ask, since Hash cannot be reversed, why can this website be queried? It is not difficult to find out after carefully reading the website's introduction: in fact, it is a huge database. It uses stored plaintext and Hash records to perform the reverse query.

Of course, this website is not the only one that provides hash reverse query services; there are many for-profit companies that provide paid services.
So if we simply use the Hash algorithm directly, the user's password security will be very low.

An Early Solution: Add Salt

// fixed salt, hard-coded in the program
let salt = '~!@#$qwerty'
// pwd holds the password entered by the user
pwd = pwd + salt

Then perform the Hash or MD5 operation on the result. This makes a reverse query more difficult, and the safety factor is relatively high.
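The reverse query and the effect of the fixed salt can be reproduced locally. The following is an added example, not code from the original post: the word list, user records and function names are constructed for illustration, and only the salt string and the MD5 of 123456 come from the text above. It audits stored digests against a precomputed table, first without and then with knowledge of the salt.

```javascript
const crypto = require('node:crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed word list standing in for a reverse-query site's huge database.
const COMMON = ['123456', 'password', 'qwerty', '111111', 'abc123'];

// Precompute digest -> plaintext, optionally with a known salt appended.
function buildTable(words, salt = '') {
  return new Map(words.map((w) => [md5(w + salt), w]));
}

// Report, for each stored row, the plaintext the table resolves (or null).
function auditStoredHashes(rows, table) {
  return rows.map(({ user, hash }) => ({
    user,
    recovered: table.get(hash) ?? null,
  }));
}

const SALT = '~!@#$qwerty'; // the hard-coded salt from the text

// Constructed user records: what the server would store in each scheme.
const unsaltedRows = [
  { user: 'alice', hash: md5('123456') },
  { user: 'bob', hash: md5('V7#kq!z2Lp') },
];
const saltedRows = [
  { user: 'alice', hash: md5('123456' + SALT) },
  { user: 'carol', hash: md5('123456' + SALT) },
];

const plainTable = buildTable(COMMON);
// Plain MD5: the common password resolves, the uncommon one does not.
const unsaltedAudit = auditStoredHashes(unsaltedRows, plainTable);
// Fixed salt: the generic table no longer matches anything...
const saltedAudit = auditStoredHashes(saltedRows, plainTable);
// ...but one table rebuilt with the known salt covers every user again,
// and equal passwords still produce equal stored values.
const knownSaltAudit = auditStoredHashes(saltedRows, buildTable(COMMON, SALT));

console.log({ unsaltedAudit, saltedAudit, knownSaltAudit });
```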

HMAC (Hash-based Message Authentication Code)

The simple way of using a salt still carries security risks, because if the salt is leaked, the whole project is put in a passive position. And because this method hard-codes the salt in the program, it is very difficult to replace it later.

Next, we introduce another scheme, HMAC. It uses one key and does the hashing twice.

Note: during development, this key (KEY) is obtained from the server, and each user has their own KEY.

With this scheme, the user's private information can be well protected, because even if a KEY is leaked, that KEY belongs to only one user and will not pollute the entire project.
Even for someone who obtains this KEY, reverse-querying the user's plaintext password is still extremely difficult.

So-called security can never be absolute. There is a saying: as long as the money is in place, nothing is impossible! What we want to achieve is relative security, so that the cost of cracking is greater than the profit from cracking.
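"One key, two hashes" can be made concrete by building HMAC from its definition and checking it against Node's built-in implementation. This is an added example, not code from the original post: the per-user keys and function names are constructed, and SHA-256 as the default hash is an assumption here (the algorithm is a parameter, so MD5 as named in the text also works).

```javascript
const crypto = require('node:crypto');

const BLOCK = 64; // block size in bytes for MD5, SHA-1 and SHA-256

// Hash the concatenation of the given byte arrays.
function digest(alg, ...parts) {
  const h = crypto.createHash(alg);
  for (const p of parts) h.update(p);
  return h.digest();
}

// HMAC(K, m) = H((K' ^ opad) || H((K' ^ ipad) || m)): one key, two passes.
function hmacByHand(alg, key, message) {
  let k = Buffer.from(key);
  if (k.length > BLOCK) k = digest(alg, k); // over-long keys are hashed first
  const padded = Buffer.alloc(BLOCK);       // K': key zero-padded to a block
  k.copy(padded);
  const ipad = Uint8Array.from(padded, (b) => b ^ 0x36);
  const opad = Uint8Array.from(padded, (b) => b ^ 0x5c);
  const inner = digest(alg, ipad, Buffer.from(message)); // first hash
  return digest(alg, opad, inner).toString('hex');       // second hash
}

// Reference result from Node's built-in HMAC.
function hmacBuiltin(alg, key, message) {
  return crypto.createHmac(alg, key).update(message).digest('hex');
}

// Constructed per-user keys, standing in for the KEY the server hands out.
const serverKeys = {
  alice: 'constructed-key-for-alice-0001',
  bob: 'constructed-key-for-bob-0002',
};

// What the client would send for a given user (hypothetical helper).
function clientDigest(user, password, alg = 'sha256') {
  return hmacByHand(alg, serverKeys[user], password);
}

console.log(clientDigest('alice', '123456'));
console.log(clientDigest('bob', '123456')); // same password, different value
```

Because each user has a different key, two users with the same password no longer share a stored value, and a table built for one KEY is useless against any other account.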

My:
Personal website: https://neveryu.github.io/neveryu/
Github: https://github.com/Neveryu
Sina Weibo: https://weibo.com/Neveryu

Origin blog.csdn.net/csdn_yudong/article/details/126280805