Detailed explanation of the double MD5 hashing of the password during login and registration

1 When the front end sends the password to the back end it hashes it with MD5, and the back end hashes it with MD5 a second time. What exactly happens during registration and during login?

Both ends can agree that certain character positions of a salt string are mixed into the password before hashing. This mixing convention is known only to the developers, so it is somewhat harder to reproduce from the outside, and the salt never has to be transmitted between the front end and the back end. Equivalently, the front-end and back-end developers agree on the salt for the first hash during development and store a copy on each side: the front end mixes in the salt and applies MD5 every time it sends the password, and the server, which knows the same salt, can recompute the same value.

Answer:
1 For both registration and login, the first MD5 hash of the password is computed on the front end and the second on the back end.
2 Hashing each user's password twice with MD5 uses two salts. The first salt is public (shared by the front end and back end) and declared as a final static constant in the code; the second salt is generated randomly for each user and stored in the salt column of the user table, so that it is available for password verification at login later on.
3 Again, MD5 is a hash, not encryption. An MD5 digest cannot be decrypted, because one digest corresponds to countless possible plaintexts. Note also that MD5 is a fast general-purpose hash; a deliberately slow password hash such as bcrypt, scrypt, PBKDF2 or Argon2 is the usual recommendation for the server-side step.

1.1 When a user registers for the first time

1. The front end first uses the global public salt1 to turn inputPass (the password the user typed) into fromPass (the transitional password), and sends fromPass to the server.
2. The server randomly generates a user-specific salt2 and uses MD5 with salt2 to turn fromPass into dbPass (the password stored in the database).
3. After the conversion, the user's registration record (including the user name and the twice-hashed password) and the user's own salt2 are stored in the database.

1.2 When a user logs in with a username and password

1. The front end first hashes inputPass with the public salt1 to get fromPass and sends it to the server.
2. The server looks up the user's salt2 and stored password (the twice-hashed value saved at registration) by user name, and hashes the received fromPass again with that salt2.
3. It compares the result with the password read from the database. If they match, the login succeeds; otherwise it fails.

1.3 Why not remove one layer from the password read from the database (that is, turn the result of the second hash back into the result of the first hash) and compare that directly with the hashed password sent by the front end to decide whether the password is correct?

Answer: Because MD5 is a hash, and hashing is irreversible. Even with the digest in hand it is practically impossible to recover the input to the hash function, so the stored dbPass cannot be reduced to fromPass. Instead the server re-applies the second hash to the fromPass it received and compares the two digests.

The following is the server-side implementation of the two MD5 hashes. The inputPassToFromPass and inputPassToDBPass methods are only for testing: in a real deployment the value sent by the front end must never be the plaintext password, it must already have been through inputPassToFromPass().

package utils;


import org.springframework.stereotype.Component;
import org.springframework.util.DigestUtils;

import java.nio.charset.StandardCharsets;

/**
 * MD5 utility class
 *
 * @author: LC
 * @date 2022/3/1 4:45 PM
 * @ClassName: MD5Util
 */
@Component
public class MD5Util {

    public static String md5(String str) {
        return DigestUtils.md5DigestAsHex(str.getBytes(StandardCharsets.UTF_8));
    }

    // Public salt1: shared by the front end and back end, fixed at compile time
    private static final String salt = "1a2b3c4d";

    /**
     * First hash (normally done in the browser; kept here for testing).
     * Characters 0 and 2 of the salt are placed in front of the password and
     * characters 5 and 4 behind it, so the salt must be at least 6 characters long.
     *
     * @param inputPass the password as the user typed it
     * @return hex MD5 of the salted input (fromPass)
     * @author LC
     * @operation add
     * @date 4:49 PM 2022/3/1
     **/
    public static String inputPassToFromPass(String inputPass) {
        // The leading "" forces string concatenation. Without it, salt.charAt(0) + salt.charAt(2)
        // is char arithmetic and produces the number 99 rather than the two characters "12".
        String str = "" + salt.charAt(0) + salt.charAt(2) + inputPass + salt.charAt(5) + salt.charAt(4);
        return md5(str);
    }

    /**
     * Second hash. The salt is generated fresh for each user and stored in the
     * user table as one of the user's attributes (salt2).
     *
     * @param formPass the result of the first hash, as received from the front end
     * @param salt     the user's own random salt2 (at least 6 characters)
     * @return hex MD5 of the salted formPass (dbPass)
     * @author LC
     * @operation add
     * @date 4:52 PM 2022/3/1
     **/
    public static String formPassToDBPass(String formPass, String salt) {
        // Same salt placement as the first hash; the parameter shadows the static salt1 here.
        String str = "" + salt.charAt(0) + salt.charAt(2) + formPass + salt.charAt(5) + salt.charAt(4);
        return md5(str);
    }

    /**
     * Runs the first and second hash back to back. Testing only: in production the
     * server never sees inputPass.
     *
     * @param inputPass the plaintext password
     * @param salt      the user's salt2
     * @return dbPass
     */
    public static String inputPassToDBPass(String inputPass, String salt) {
        String fromPass = inputPassToFromPass(inputPass);
        return formPassToDBPass(fromPass, salt);
    }

    public static void main(String[] args) {
        System.out.println(inputPassToFromPass("123456"));
        System.out.println(formPassToDBPass(inputPassToFromPass("123456"), "abcdefgh"));
        System.out.println(inputPassToDBPass("123456", "abcdefgh"));
    }
}

Origin blog.csdn.net/yxg520s/article/details/124634206