1.什么叫做MD5算法?
2.如何实现?
3.我们在网站的数据存储中使用MD5算法的目的是什么?
4.为什么我们要用MD5标准算法?
第一个问题很简单
md5的全称是message-digest algorithm 5,信息摘要算法5,俗称
数据指纹信息
关于第二个问题
建议去
http://www.yesky.com/SoftChannel/72342376173010944/20020221/218246_1.shtml
http://www.ietf.org/rfc/rfc1321.txt
认真看看,比较难,郁闷。。。
再来看第三个问题,我们使用MD5算法存储数据就是为了保证数据
安全的,有了MD5,即使知道其算法,也很难将其还原。因为他是
不可以逆转的。
第四个问题,目前我们的MD5广泛用于各个BBS系统,CMS系统里,
但是大家都使用的是标准的MD5算法。
于是产生了穷举算法,通过计算大量的MD5值,和得到的MD5进行匹
配,从而破解。
现在更有人通过大量的计算,生成了MD5的数据库,多达几百G,甚
至可以通过网站方便的查到密文对应的明文。
如果是SQL数据库的话,就算查不到密文,也可以通过UPDATA语句
加上自己通过MD5加密的密码,从而入侵网站。
既然我们使用标准MD5的初衷是保证数据安全,那么由于现在种种
应对方式的出现,我们应该做什么呢?
我想答案是,使用畸形MD5算法
什么是畸形MD5算法?
目前有下面几种
一、多重MD5加密
把你的MD5值加密后再反复加密。目前QQ登陆使用的就是此技术。
二、加盐技术(salt)
什么叫加盐技术,举个例子,在你炒菜的时候,不停的炒,再加入盐。
是不是你炒的菜和生的菜味道毫不相同呢?
是不是你炒菜的味道和你未放盐大不相同呢?
MD5标准算法就是炒菜,“加盐技术(salt)”就是放盐。
我们在进行MD5计算的时候,加上一些字符串,可以是固定的,
也可以是随机的,然后再带入公式计算,最后保存。
这样的话,就算得到MD5值,并且花费大量的时间破解以后,
获得的明文密码也不能进入网站系统。因为前面有随机的salt值。
加盐技术早已经广泛用于linux,UNIX系统的加密中,
目前运用SALT加密的BBS系统只有vBulletin。
SALT技术可以参考广州大学信息安全研究所的
《数据完整性和所有者的确认——消息摘要和签名 》
http://www.gzsec.com/filesys/news_view.asp?newsid=305
的4.4.4章《使用加盐技术防范字典式攻击》
三、使用MD4算法
md5相对md4所作的改进:
1. 增加了第四轮;
2. 每一步均有唯一的加法常数;
3. 为减弱第二轮中函数g的对称性从(x&y)|(x&z)|(y&z)变为
(x&z)|(y&(~z));
4. 第一步加上了上一步的结果,这将引起更快的雪崩效应;
5. 改变了第二轮和第三轮中访问消息子分组的次序,使其更不相
似;
6. 近似优化了每一轮中的循环左移位移量以实现更快的雪崩效应
。各轮的位移量互不相同。
既然MD5都比MD4优越,为什么还要用MD4加密呢?
目前的网站数据查询都是MD5的,还没见过有MD4的查询网站。
你也可以自己写一个程序对MD4进行碰撞。等你破解好了,说不定
人家都改密码了:P
MD4标准:
http://www.3w3.org/post/27619.html
http://www.soudie.net/top_27627_cat_8/
四、杂糅式加密
把上面的几种方法混合起来用,
你可以先用MD4加密以后,再加上SALT,最后加上MD5。
或者先将文件加上SALT,然后加MD4,再加SALT,最后加MD5(够BT
了吧)
这样牺牲的是用户的一点时间,但是数据的安全的作用是至关重要
的。
五、畸形MD5算法
这个应该算是我原创了,我拿BBSXP的MD5加密文件为例
md5_FF a, b, c, d, x(k + 0), S11, &HD76AA478
md5_FF d, a, b, c, x(k + 1), S12, &HE8C7B756
md5_FF c, d, a, b, x(k + 2), S13, &H242070DB
md5_FF b, c, d, a, x(k + 3), S14, &HC1BDCEEE
md5_FF a, b, c, d, x(k + 4), S11, &HF57C0FAF
md5_FF d, a, b, c, x(k + 5), S12, &H4787C62A
md5_FF c, d, a, b, x(k + 6), S13, &HA8304613
md5_FF b, c, d, a, x(k + 7), S14, &HFD469501
md5_FF a, b, c, d, x(k + 8), S11, &H698098D8
md5_FF d, a, b, c, x(k + 9), S12, &H8B44F7AF
md5_FF c, d, a, b, x(k + 10), S13, &HFFFF5BB1
md5_FF b, c, d, a, x(k + 11), S14, &H895CD7BE
md5_FF a, b, c, d, x(k + 12), S11, &H6B901122
md5_FF d, a, b, c, x(k + 13), S12, &HFD987193
md5_FF c, d, a, b, x(k + 14), S13, &HA679438E
md5_FF b, c, d, a, x(k + 15), S14, &H49B40821
md5_GG a, b, c, d, x(k + 1), S21, &HF61E2562
md5_GG d, a, b, c, x(k + 6), S22, &HC040B340
md5_GG c, d, a, b, x(k + 11), S23, &H265E5A51
md5_GG b, c, d, a, x(k + 0), S24, &HE9B6C7AA
md5_GG a, b, c, d, x(k + 5), S21, &HD62F105D
md5_GG d, a, b, c, x(k + 10), S22, &H2441453
md5_GG c, d, a, b, x(k + 15), S23, &HD8A1E681
md5_GG b, c, d, a, x(k + 4), S24, &HE7D3FBC8
md5_GG a, b, c, d, x(k + 9), S21, &H21E1CDE6
md5_GG d, a, b, c, x(k + 14), S22, &HC33707D6
md5_GG c, d, a, b, x(k + 3), S23, &HF4D50D87
md5_GG b, c, d, a, x(k + 8), S24, &H455A14ED
md5_GG a, b, c, d, x(k + 13), S21, &HA9E3E905
md5_GG d, a, b, c, x(k + 2), S22, &HFCEFA3F8
md5_GG c, d, a, b, x(k + 7), S23, &H676F02D9
md5_GG b, c, d, a, x(k + 12), S24, &H8D2A4C8A
md5_HH a, b, c, d, x(k + 5), S31, &HFFFA3942
md5_HH d, a, b, c, x(k + 8), S32, &H8771F681
md5_HH c, d, a, b, x(k + 11), S33, &H6D9D6122
md5_HH b, c, d, a, x(k + 14), S34, &HFDE5380C
md5_HH a, b, c, d, x(k + 1), S31, &HA4BEEA44
md5_HH d, a, b, c, x(k + 4), S32, &H4BDECFA9
md5_HH c, d, a, b, x(k + 7), S33, &HF6BB4B60
md5_HH b, c, d, a, x(k + 10), S34, &HBEBFBC70
md5_HH a, b, c, d, x(k + 13), S31, &H289B7EC6
md5_HH d, a, b, c, x(k + 0), S32, &HEAA127FA
md5_HH c, d, a, b, x(k + 3), S33, &HD4EF3085
md5_HH b, c, d, a, x(k + 6), S34, &H4881D05
md5_HH a, b, c, d, x(k + 9), S31, &HD9D4D039
md5_HH d, a, b, c, x(k + 12), S32, &HE6DB99E5
md5_HH c, d, a, b, x(k + 15), S33, &H1FA27CF8
md5_HH b, c, d, a, x(k + 2), S34, &HC4AC5665
md5_II a, b, c, d, x(k + 0), S41, &HF4292244
md5_II d, a, b, c, x(k + 7), S42, &H432AFF97
md5_II c, d, a, b, x(k + 14), S43, &HAB9423A7
md5_II b, c, d, a, x(k + 5), S44, &HFC93A039
md5_II a, b, c, d, x(k + 12), S41, &H655B59C3
md5_II d, a, b, c, x(k + 3), S42, &H8F0CCC92
md5_II c, d, a, b, x(k + 10), S43, &HFFEFF47D
md5_II b, c, d, a, x(k + 1), S44, &H85845DD1
md5_II a, b, c, d, x(k + 8), S41, &H6FA87E4F
md5_II d, a, b, c, x(k + 15), S42, &HFE2CE6E0
md5_II c, d, a, b, x(k + 6), S43, &HA3014314
md5_II b, c, d, a, x(k + 13), S44, &H4E0811A1
md5_II a, b, c, d, x(k + 4), S41, &HF7537E82
md5_II d, a, b, c, x(k + 11), S42, &HBD3AF235
md5_II c, d, a, b, x(k + 2), S43, &H2AD7D2BB
md5_II b, c, d, a, x(k + 9), S44, &HEB86D391
md5_FF d, a, b, c, x(k + 1), S12, &HE8C7B756
md5_FF c, d, a, b, x(k + 2), S13, &H242070DB
md5_FF b, c, d, a, x(k + 3), S14, &HC1BDCEEE
md5_FF a, b, c, d, x(k + 4), S11, &HF57C0FAF
md5_FF d, a, b, c, x(k + 5), S12, &H4787C62A
md5_FF c, d, a, b, x(k + 6), S13, &HA8304613
md5_FF b, c, d, a, x(k + 7), S14, &HFD469501
md5_FF a, b, c, d, x(k + 8), S11, &H698098D8
md5_FF d, a, b, c, x(k + 9), S12, &H8B44F7AF
md5_FF c, d, a, b, x(k + 10), S13, &HFFFF5BB1
md5_FF b, c, d, a, x(k + 11), S14, &H895CD7BE
md5_FF a, b, c, d, x(k + 12), S11, &H6B901122
md5_FF d, a, b, c, x(k + 13), S12, &HFD987193
md5_FF c, d, a, b, x(k + 14), S13, &HA679438E
md5_FF b, c, d, a, x(k + 15), S14, &H49B40821
md5_GG a, b, c, d, x(k + 1), S21, &HF61E2562
md5_GG d, a, b, c, x(k + 6), S22, &HC040B340
md5_GG c, d, a, b, x(k + 11), S23, &H265E5A51
md5_GG b, c, d, a, x(k + 0), S24, &HE9B6C7AA
md5_GG a, b, c, d, x(k + 5), S21, &HD62F105D
md5_GG d, a, b, c, x(k + 10), S22, &H2441453
md5_GG c, d, a, b, x(k + 15), S23, &HD8A1E681
md5_GG b, c, d, a, x(k + 4), S24, &HE7D3FBC8
md5_GG a, b, c, d, x(k + 9), S21, &H21E1CDE6
md5_GG d, a, b, c, x(k + 14), S22, &HC33707D6
md5_GG c, d, a, b, x(k + 3), S23, &HF4D50D87
md5_GG b, c, d, a, x(k + 8), S24, &H455A14ED
md5_GG a, b, c, d, x(k + 13), S21, &HA9E3E905
md5_GG d, a, b, c, x(k + 2), S22, &HFCEFA3F8
md5_GG c, d, a, b, x(k + 7), S23, &H676F02D9
md5_GG b, c, d, a, x(k + 12), S24, &H8D2A4C8A
md5_HH a, b, c, d, x(k + 5), S31, &HFFFA3942
md5_HH d, a, b, c, x(k + 8), S32, &H8771F681
md5_HH c, d, a, b, x(k + 11), S33, &H6D9D6122
md5_HH b, c, d, a, x(k + 14), S34, &HFDE5380C
md5_HH a, b, c, d, x(k + 1), S31, &HA4BEEA44
md5_HH d, a, b, c, x(k + 4), S32, &H4BDECFA9
md5_HH c, d, a, b, x(k + 7), S33, &HF6BB4B60
md5_HH b, c, d, a, x(k + 10), S34, &HBEBFBC70
md5_HH a, b, c, d, x(k + 13), S31, &H289B7EC6
md5_HH d, a, b, c, x(k + 0), S32, &HEAA127FA
md5_HH c, d, a, b, x(k + 3), S33, &HD4EF3085
md5_HH b, c, d, a, x(k + 6), S34, &H4881D05
md5_HH a, b, c, d, x(k + 9), S31, &HD9D4D039
md5_HH d, a, b, c, x(k + 12), S32, &HE6DB99E5
md5_HH c, d, a, b, x(k + 15), S33, &H1FA27CF8
md5_HH b, c, d, a, x(k + 2), S34, &HC4AC5665
md5_II a, b, c, d, x(k + 0), S41, &HF4292244
md5_II d, a, b, c, x(k + 7), S42, &H432AFF97
md5_II c, d, a, b, x(k + 14), S43, &HAB9423A7
md5_II b, c, d, a, x(k + 5), S44, &HFC93A039
md5_II a, b, c, d, x(k + 12), S41, &H655B59C3
md5_II d, a, b, c, x(k + 3), S42, &H8F0CCC92
md5_II c, d, a, b, x(k + 10), S43, &HFFEFF47D
md5_II b, c, d, a, x(k + 1), S44, &H85845DD1
md5_II a, b, c, d, x(k + 8), S41, &H6FA87E4F
md5_II d, a, b, c, x(k + 15), S42, &HFE2CE6E0
md5_II c, d, a, b, x(k + 6), S43, &HA3014314
md5_II b, c, d, a, x(k + 13), S44, &H4E0811A1
md5_II a, b, c, d, x(k + 4), S41, &HF7537E82
md5_II d, a, b, c, x(k + 11), S42, &HBD3AF235
md5_II c, d, a, b, x(k + 2), S43, &H2AD7D2BB
md5_II b, c, d, a, x(k + 9), S44, &HEB86D391
我把它标准的四轮运算调换了下顺序
CODE:
md5_FF a, b, c, d, x(k + 1), S11, &HD76AA478
md5_FF d, a, b, c, x(k + 6), S12, &HE8C7B756
md5_FF c, d, a, b, x(k + 11), S13, &H242070DB
md5_FF b, c, d, a, x(k + 0), S14, &HC1BDCEEE
md5_FF a, b, c, d, x(k + 5), S11, &HF57C0FAF
md5_FF d, a, b, c, x(k + 10), S12, &H4787C62A
md5_FF c, d, a, b, x(k + 15), S13, &HA8304613
md5_FF b, c, d, a, x(k + 4), S14, &HFD469501
md5_FF a, b, c, d, x(k + 9), S11, &H698098D8
md5_FF d, a, b, c, x(k + 14), S12, &H8B44F7AF
md5_FF c, d, a, b, x(k + 3), S13, &HFFFF5BB1
md5_FF b, c, d, a, x(k + 8), S14, &H895CD7BE
md5_FF a, b, c, d, x(k + 13), S11, &H6B901122
md5_FF d, a, b, c, x(k + 2), S12, &HFD987193
md5_FF c, d, a, b, x(k + 7), S13, &HA679438E
md5_FF b, c, d, a, x(k + 12), S14, &H49B40821
md5_GG a, b, c, d, x(k + 0), S21, &HF61E2562
md5_GG d, a, b, c, x(k + 1), S22, &HC040B340
md5_GG c, d, a, b, x(k + 2), S23, &H265E5A51
md5_GG b, c, d, a, x(k + 3), S24, &HE9B6C7AA
md5_GG a, b, c, d, x(k + 4), S21, &HD62F105D
md5_GG d, a, b, c, x(k + 5), S22, &H2441453
md5_GG c, d, a, b, x(k + 6), S23, &HD8A1E681
md5_GG b, c, d, a, x(k + 7), S24, &HE7D3FBC8
md5_GG a, b, c, d, x(k + 8), S21, &H21E1CDE6
md5_GG d, a, b, c, x(k + 9), S22, &HC33707D6
md5_GG c, d, a, b, x(k + 10), S23, &HF4D50D87
md5_GG b, c, d, a, x(k + 11), S24, &H455A14ED
md5_GG a, b, c, d, x(k + 12), S21, &HA9E3E905
md5_GG d, a, b, c, x(k + 13), S22, &HFCEFA3F8
md5_GG c, d, a, b, x(k + 14), S23, &H676F02D9
md5_GG b, c, d, a, x(k + 15), S24, &H8D2A4C8A
md5_HH a, b, c, d, x(k + 0), S31, &HFFFA3942
md5_HH d, a, b, c, x(k + 7), S32, &H8771F681
md5_HH c, d, a, b, x(k + 14), S33, &H6D9D6122
md5_HH b, c, d, a, x(k + 5), S34, &HFDE5380C
md5_HH a, b, c, d, x(k + 12), S31, &HA4BEEA44
md5_HH d, a, b, c, x(k + 3), S32, &H4BDECFA9
md5_HH c, d, a, b, x(k + 10), S33, &HF6BB4B60
md5_HH b, c, d, a, x(k + 1), S34, &HBEBFBC70
md5_HH a, b, c, d, x(k + 8), S31, &H289B7EC6
md5_HH d, a, b, c, x(k + 15), S32, &HEAA127FA
md5_HH c, d, a, b, x(k + 6), S33, &HD4EF3085
md5_HH b, c, d, a, x(k + 13), S34, &H4881D05
md5_HH a, b, c, d, x(k + 4), S31, &HD9D4D039
md5_HH d, a, b, c, x(k + 11), S32, &HE6DB99E5
md5_HH c, d, a, b, x(k + 2), S33, &H1FA27CF8
md5_HH b, c, d, a, x(k + 9), S34, &HC4AC5665
md5_II a, b, c, d, x(k + 5), S41, &HF4292244
md5_II d, a, b, c, x(k + 8), S42, &H432AFF97
md5_II c, d, a, b, x(k + 11), S43, &HAB9423A7
md5_II b, c, d, a, x(k + 14), S44, &HFC93A039
md5_II a, b, c, d, x(k + 1), S41, &H655B59C3
md5_II d, a, b, c, x(k + 4), S42, &H8F0CCC92
md5_II c, d, a, b, x(k + 7), S43, &HFFEFF47D
md5_II b, c, d, a, x(k + 10), S44, &H85845DD1
md5_II a, b, c, d, x(k + 13), S41, &H6FA87E4F
md5_II d, a, b, c, x(k + 0), S42, &HFE2CE6E0
md5_II c, d, a, b, x(k + 3), S43, &HA3014314
md5_II b, c, d, a, x(k + 6), S44, &H4E0811A1
md5_II a, b, c, d, x(k + 9), S41, &HF7537E82
md5_II d, a, b, c, x(k + 12), S42, &HBD3AF235
md5_II c, d, a, b, x(k + 15), S43, &H2AD7D2BB
md5_II b, c, d, a, x(k + 2), S44, &HEB86D391
md5_FF d, a, b, c, x(k + 6), S12, &HE8C7B756
md5_FF c, d, a, b, x(k + 11), S13, &H242070DB
md5_FF b, c, d, a, x(k + 0), S14, &HC1BDCEEE
md5_FF a, b, c, d, x(k + 5), S11, &HF57C0FAF
md5_FF d, a, b, c, x(k + 10), S12, &H4787C62A
md5_FF c, d, a, b, x(k + 15), S13, &HA8304613
md5_FF b, c, d, a, x(k + 4), S14, &HFD469501
md5_FF a, b, c, d, x(k + 9), S11, &H698098D8
md5_FF d, a, b, c, x(k + 14), S12, &H8B44F7AF
md5_FF c, d, a, b, x(k + 3), S13, &HFFFF5BB1
md5_FF b, c, d, a, x(k + 8), S14, &H895CD7BE
md5_FF a, b, c, d, x(k + 13), S11, &H6B901122
md5_FF d, a, b, c, x(k + 2), S12, &HFD987193
md5_FF c, d, a, b, x(k + 7), S13, &HA679438E
md5_FF b, c, d, a, x(k + 12), S14, &H49B40821
md5_GG a, b, c, d, x(k + 0), S21, &HF61E2562
md5_GG d, a, b, c, x(k + 1), S22, &HC040B340
md5_GG c, d, a, b, x(k + 2), S23, &H265E5A51
md5_GG b, c, d, a, x(k + 3), S24, &HE9B6C7AA
md5_GG a, b, c, d, x(k + 4), S21, &HD62F105D
md5_GG d, a, b, c, x(k + 5), S22, &H2441453
md5_GG c, d, a, b, x(k + 6), S23, &HD8A1E681
md5_GG b, c, d, a, x(k + 7), S24, &HE7D3FBC8
md5_GG a, b, c, d, x(k + 8), S21, &H21E1CDE6
md5_GG d, a, b, c, x(k + 9), S22, &HC33707D6
md5_GG c, d, a, b, x(k + 10), S23, &HF4D50D87
md5_GG b, c, d, a, x(k + 11), S24, &H455A14ED
md5_GG a, b, c, d, x(k + 12), S21, &HA9E3E905
md5_GG d, a, b, c, x(k + 13), S22, &HFCEFA3F8
md5_GG c, d, a, b, x(k + 14), S23, &H676F02D9
md5_GG b, c, d, a, x(k + 15), S24, &H8D2A4C8A
md5_HH a, b, c, d, x(k + 0), S31, &HFFFA3942
md5_HH d, a, b, c, x(k + 7), S32, &H8771F681
md5_HH c, d, a, b, x(k + 14), S33, &H6D9D6122
md5_HH b, c, d, a, x(k + 5), S34, &HFDE5380C
md5_HH a, b, c, d, x(k + 12), S31, &HA4BEEA44
md5_HH d, a, b, c, x(k + 3), S32, &H4BDECFA9
md5_HH c, d, a, b, x(k + 10), S33, &HF6BB4B60
md5_HH b, c, d, a, x(k + 1), S34, &HBEBFBC70
md5_HH a, b, c, d, x(k + 8), S31, &H289B7EC6
md5_HH d, a, b, c, x(k + 15), S32, &HEAA127FA
md5_HH c, d, a, b, x(k + 6), S33, &HD4EF3085
md5_HH b, c, d, a, x(k + 13), S34, &H4881D05
md5_HH a, b, c, d, x(k + 4), S31, &HD9D4D039
md5_HH d, a, b, c, x(k + 11), S32, &HE6DB99E5
md5_HH c, d, a, b, x(k + 2), S33, &H1FA27CF8
md5_HH b, c, d, a, x(k + 9), S34, &HC4AC5665
md5_II a, b, c, d, x(k + 5), S41, &HF4292244
md5_II d, a, b, c, x(k + 8), S42, &H432AFF97
md5_II c, d, a, b, x(k + 11), S43, &HAB9423A7
md5_II b, c, d, a, x(k + 14), S44, &HFC93A039
md5_II a, b, c, d, x(k + 1), S41, &H655B59C3
md5_II d, a, b, c, x(k + 4), S42, &H8F0CCC92
md5_II c, d, a, b, x(k + 7), S43, &HFFEFF47D
md5_II b, c, d, a, x(k + 10), S44, &H85845DD1
md5_II a, b, c, d, x(k + 13), S41, &H6FA87E4F
md5_II d, a, b, c, x(k + 0), S42, &HFE2CE6E0
md5_II c, d, a, b, x(k + 3), S43, &HA3014314
md5_II b, c, d, a, x(k + 6), S44, &H4E0811A1
md5_II a, b, c, d, x(k + 9), S41, &HF7537E82
md5_II d, a, b, c, x(k + 12), S42, &HBD3AF235
md5_II c, d, a, b, x(k + 15), S43, &H2AD7D2BB
md5_II b, c, d, a, x(k + 2), S44, &HEB86D391
得到的结果也是大不相同的,比如我注册用户为SB,密码是123456
但是我在散列里的值就是CF40527E7F3FE17EA62086A712A3B667
其实有很多种改变的方法,比如改变其中某个数字的值,可以调换一下位置(尽量避免有重复的数,值不要超过15)。
这里提供几个变型MD5页面下载http://ok458888.com/md5.rar
你就拿这个去xmd5,CMD5里面查询吧,查不到就上个字典跑,大概跑上几百年都破不出我的密码。
这样,即使你有我的数据库,你也很难入侵我的网站,当然,首先要防止COOKIE欺骗,你可以加上个随机的session验证。
现在就算你用UPDATA的方法,也进不了我的后台:P
P.S.
还有要提醒的是,现在已经开了一段时间的网站。请不要修改你的MD5算法,因为你目前用户的密码都是以标准MD5保存的,修改后会导致原来的用户登陆不上。推荐新开的网站使用。
如果国内的phpwind和DZ,动易什么的都使用这种畸形MD5算法,得的密码各不相同,我想能够更大程度的保证用户密码信息的安全。
本人才疏学浅,如果您有任何建议,请您告诉我 E-MAIL hackyz@126.com
