MD5 是否不如 SHA 等安全? 等人。 在实际意义上?
我见过 a 很少 问题和答案表明 MD5 不如 SHA 安全。
我的问题是,在我的情况下值得担心吗?这
是我如何使用它的示例:
- 在客户端,我通过附加来为消息提供“安全”校验和当前时间和密码,然后使用 MD5 对其进行哈希处理。 所以:
MD5(消息+时间+密码)。 - 在服务器端,我根据我所知道的发送时间和客户端密码来检查发送的消息的哈希值。
在此示例中,使用 SHA 而不是 MD5 真的更好吗?
在什么情况下,哈希函数的选择在实际意义上真正很重要?
编辑:
只是为了澄清 - 在我的示例中,转向 SHA 算法有什么好处吗?
换句话说,在此示例中,某人在不知道共享密码的情况下发送消息和正确的哈希值是否可行?
更多编辑:
对重复编辑表示歉意 - 我不清楚我要问的是什么。
I've seen a few questions and answers on SO suggesting that MD5 is less secure than something like SHA.
My question is, Is this worth worrying about in my situation?
Here's an example of how I'm using it:
- On the client side, I'm providing a "secure" checksum for a message by appending the current time and a password and then hashing it using MD5. So:
MD5(message+time+password). - On the server side, I'm checking this hash against the message that's sent using my knowledge of the time it was sent and the client's password.
In this example, am I really better off using SHA instead of MD5?
In what circumstances would the choice of hashing function really matter in a practical sense?
Edit:
Just to clarify - in my example, is there any benefit moving to an SHA algorithm?
In other words, is it feasible in this example for someone to send a message and a correct hash without knowing the shared password?
More Edits:
Apologies for repeated editing - I wasn't being clear with what I was asking.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(11)
是的,在实践中这是值得担心的。 MD5 被严重破坏,研究人员已经能够伪造假证书与证书颁发机构签署的真实证书匹配。 这意味着他们能够创建自己的虚假证书颁发机构,从而可以冒充他们认为完全信任他们的浏览器的任何银行或企业。
现在,他们使用一组 PlayStation 3 花费了大量的时间和精力,花了几周的时间才找到合适的碰撞。 但一旦被破坏,哈希算法只会变得更糟,而永远不会更好。 如果您非常关心安全性,最好选择不间断的哈希算法,例如 之一SHA-2 系列(SHA-1 也已被削弱,但没有 MD5 那样严重)。
编辑:我为您提供的链接中使用的技术涉及能够选择两个任意消息前缀和一个公共后缀,从中它可以为每个前缀生成一个可以插入到之间的数据块该前缀和公共后缀,以生成具有与从另一个前缀构造的消息相同的 MD5 和的消息。 我想不出在您描述的情况下可以利用此特定漏洞的方法,并且一般来说,使用安全的 消息身份验证比使用它进行数字签名更能抵抗攻击,但我可以想到一些您需要注意的漏洞,这些漏洞大多与您选择的哈希无关。
如上所述,您的算法涉及以纯文本形式将密码存储在服务器上。 这意味着您很容易受到任何能够发现服务器上密码的信息泄露攻击。 您可能认为,如果攻击者可以访问您的数据库,那么游戏就结束了,但您的用户可能更希望即使您的服务器受到威胁,他们的密码也不会受到威胁。 由于在线密码激增,许多用户在不同服务中使用相同或相似的密码。 此外,即使代码执行或权限升级攻击不存在,信息泄露攻击也可能发生。
您可以通过将使用随机盐散列的密码存储在服务器上来缓解这种攻击; 您将对存储在服务器上,并将salt发送到客户端,以便客户端可以计算
hash(password+salt)code> 用于代替您提到的协议中的密码。 但是,这并不能保护您免受下一次攻击。如果攻击者可以嗅探从客户端发送的消息,他就可以对客户端的密码进行离线字典攻击。 大多数用户的密码熵相当低,并且一本包含数十万个现有密码的字典加上一些时间的随机排列可以使攻击者通过嗅探消息获得的信息轻松找到密码。
您提出的技术不会对服务器进行身份验证。 我不知道这是否是您正在谈论的网络应用程序,但如果是,那么可以在不安全的无线网络上执行 DNS 劫持攻击或 DHCP 劫持或任何此类攻击的人就可以这样做中间人攻击,他们从您的客户端收集明文密码。
虽然当前针对 MD5 的攻击可能无法针对您所描述的协议起作用,但 MD5 已受到严重损害,并且哈希只会变得更弱,而永远不会更强。 您是否想打赌,您会发现可能针对您的新攻击,并且在攻击者有机会利用它之前有时间升级哈希算法? 从目前比 MD5 更强的东西开始可能会更容易,以减少 MD5 被进一步破坏的可能性。
现在,如果您这样做只是为了确保没有人在论坛或其他地方伪造来自其他用户的消息,那么当然,任何人都不太可能花时间和精力来破坏您所描述的协议。 如果有人真的想冒充其他人,他们可能只需创建一个新的用户名,用 0 代替 O 或使用 Unicode 更类似的名称,甚至不用费心去尝试伪造消息和破坏哈希算法。
如果这用于安全性真正重要的事情,那么就不要发明自己的身份验证系统。 只需使用 TLS/SSL。 密码学的基本规则之一是不要发明自己的规则。 然后,即使对于论坛的情况来说,它可能并不那么重要,使用经过验证的现成的东西不是比自己推出更容易吗?
Yes, it is worth worrying about in practice. MD5 is so badly broken that researchers have been able to forge fake certificates that matched a real certificate signed by a certificate authority. This meant that they were able to create their own fake certificate authority, and thus could impersonate any bank or business they felt like with browsers completely trusting them.
Now, this took them a lot of time and effort using a cluster of PlayStation 3s, and several weeks to find an appropriate collision. But once broken, a hash algorithm only gets worse, never better. If you care at all about security, it would be better to choose an unbroken hash algorithm, such as one of the SHA-2 family (SHA-1 has also been weakened, though not broken as badly as MD5 is).
edit: The technique used in the link that I provided you involved being able to choose two arbitrary message prefixes and a common suffix, from which it could generate for each prefix a block of data that could be inserted between that prefix and the common suffix, to produce a message with the same MD5 sum as the message constructed from the other prefix. I cannot think of a way in which this particular vulnerability could be exploited in the situation you describe, and in general, using a secure has for message authentication is more resistant to attack than using it for digital signatures, but I can think of a few vulnerabilities you need to watch out for, which are mostly independent of the hash you choose.
As described, your algorithm involves storing the password in plain text on the server. This means that you are vulnerable to any information disclosure attacks that may be able to discover passwords on the server. You may think that if an attacker can access your database then the game is up, but your users would probably prefer if even if your server is compromised, that their passwords not be. Because of the proliferation of passwords online, many users use the same or similar passwords across services. Furthermore, information disclosure attacks may be possible even in cases when code execution or privilege escalation attacks are not.
You can mitigate this attack by storing the password on your server hashed with a random salt; you store the pair
<salt,hash(password+salt)>on the server, and send the salt to the client so that it can computehash(password+salt)to use in place of the password in the protocol you mention. This does not protect you from the next attack, however.If an attacker can sniff a message sent from the client, he can do an offline dictionary attack against the client's password. Most users have passwords with fairly low entropy, and a good dictionary of a few hundred thousand existing passwords plus some time randomly permuting them could make finding a password given the information an attacker has from sniffing a message pretty easy.
The technique you propose does not authenticate the server. I don't know if this is a web app that you are talking about, but if it is, then someone who can perform a DNS hijack attack, or DHCP hijacking on an unsecure wireless network, or anything of the sort, can just do a man-in-the-middle attack in which they collect passwords in clear text from your clients.
While the current attack against MD5 may not work against the protocol you describe, MD5 has been severely compromised, and a hash will only ever get weaker, never stronger. Do you want to bet that you will find out about new attacks that could be used against you and will have time to upgrade hash algorithms before your attackers have a chance to exploit it? It would probably be easier to start with something that is currently stronger than MD5, to reduce your chances of having to deal with MD5 being broken further.
Now, if you're just doing this to make sure no one forges a message from another user on a forum or something, then sure, it's unlikely that anyone will put the time and effort in to break the protocol that you described. If someone really wanted to impersonate someone else, they could probably just create a new user name that has a 0 in place of a O or something even more similar using Unicode, and not even bother with trying to forge message and break hash algorithms.
If this is being used for something where the security really matters, then don't invent your own authentication system. Just use TLS/SSL. One of the fundamental rules of cryptography is not to invent your own. And then even for the case of the forum where it probably doesn't matter all that much, won't it be easier to just use something that's proven off the shelf than rolling your own?
在这种特殊情况下,我不认为您的应用程序最薄弱的环节是使用 md5 而不是 sha。 md5 被“破坏”的方式是,给定 md5(K) = V,有可能生成 K' 使得 md5(K') = V,因为输出空间是有限的(不是因为有任何减少搜索空间的技巧)。 然而,K' 不一定是 K。这意味着,如果您知道 md5(M+T+P) = V,则可以生成 P',使得 md5(M+T+P') = V,这给出了有效条目。 然而,在这种情况下,消息仍然保持不变,并且 P 没有受到损害。 如果攻击者尝试伪造具有 T' 时间戳的消息 M',则除非 P' = P,否则 md5(M'+T'+P') = md5(M'+T'+P) 的可能性极小。在这种情况下,他们就会暴力破解密码。 如果他们暴力破解了密码,那么这意味着您使用 sha 还是 md5 并不重要,因为检查是否 md5(M+T+P) = V 相当于检查是否 sha(M+T+P ) = V。(除了 sha 可能需要更长的恒定时间来计算,这不会影响 P 上暴力破解的复杂性)。
然而,如果有选择的话,你真的应该直接使用 sha。 不使用它是没有意义的,除非使用它有严重的缺点。
第二件事是您可能不应该以纯文本形式将用户密码存储在数据库中。 您应该存储密码的哈希值,然后使用它。 在您的示例中,哈希值为:md5(消息 + 时间 + md5(密码)),您可以安全地将 md5(密码) 存储在数据库中。 然而,窃取您的数据库的攻击者(通过 SQL 注入之类的方式)仍然能够伪造消息。 我看不出有什么办法可以解决这个问题。
In this particular case, I don't think that the weakest link your application is using md5 rather than sha. The manner in which md5 is "broken" is that given that md5(K) = V, it is possible to generate K' such that md5(K') = V, because the output-space is limited (not because there are any tricks to reduce the search space). However, K' is not necessarily K. This means that if you know md5(M+T+P) = V, you can generate P' such that md5(M+T+P') = V, this giving a valid entry. However, in this case the message still remains the same, and P hasn't been compromised. If the attacker tries to forge message M', with a T' timestamp, then it is highly unlikely that md5(M'+T'+P') = md5(M'+T'+P) unless P' = P. In which case, they would have brute-forced the password. If they have brute-forced the password, then that means that it doesn't matter if you used sha or md5, since checking if md5(M+T+P) = V is equivalent to checking if sha(M+T+P) = V. (except that sha might take constant time longer to calculate, that doesn't affect the complexity of the brute-force on P).
However, given the choice, you really ought to just go ahead and use sha. There is no sense in not using it, unless there is a serious drawback to using it.
A second thing is you probably shouldn't store the user's password in your database in plain-text. What you should store is a hash of the password, and then use that. In your example, the hash would be of: md5(message + time + md5(password)), and you could safely store md5(password) in your database. However, an attacker stealing your database (through something like SQL injection) would still be able to forge messages. I don't see any way around this.
Brian的回答涵盖了这些问题,但我确实认为需要稍微详细地解释一下
您在这里使用了错误的加密算法
MD5在这里是错误的,Sha1在这里使用是错误的 Sha2xx使用是错误的而Skein的使用是错误的。
您应该使用类似 RSA 的东西。
让我解释:
您的安全哈希有效地将密码发送给全世界。
您提到您的哈希值是“时间+有效负载+密码”,如果第三方获得您的有效负载的副本并知道时间。 它可以找到密码(使用暴力或字典攻击)。 因此,这几乎就像您以明文形式发送密码一样。
相反,您应该查看 公钥加密 让您的服务器发送公钥给您的代理,并让代理使用公钥加密数据。
中间没有人能够知道消息中的内容,也没有人能够伪造消息。
顺便说一句,MD5 非常强大大多数时间。
Brian's answer covers the issues, but I do think it needs to be explained a little less verbosely
You are using the wrong crypto algorithm here
MD5 is wrong here, Sha1 is wrong to use here Sha2xx is wrong to use and Skein is wrong to use.
What you should be using is something like RSA.
Let me explain:
Your secure hash is effectively sending the password out for the world to see.
You mention that your hash is "time + payload + password", if a third party gets a copy of your payload and knows the time. It can find the password (using a brute force or dictionary attack). So, its almost as if you are sending the password in clear text.
Instead of this you should look at a public key cryptography have your server send out public keys to your agents and have the agents encrypt the data with the public key.
No man in the middle will be able to tell whats in the messages, and no one will be able to forge the messages.
On a side note, MD5 is plenty strong most of the time.
这取决于消息内容的价值。 SHA 系列显然比 MD5 更安全(其中“更安全”意味着“更难伪造”),但如果您的消息是 Twitter 更新,那么您可能不在乎。
如果这些消息是处理金融交易的分布式系统的 IPC 层,那么也许您更关心。
更新:我还应该补充一点,这两种摘要算法在很多方面本质上是可以互换的,所以使用更安全的算法真的会带来多少麻烦呢?
更新2:这是一个更彻底的答案:http://www.schneier.com/essay -074.html
It depends on how valuable the contents of the messages are. The SHA family is demonstrably more secure than MD5 (where "more secure" means "harder to fake"), but if your messages are twitter updates, then you probably don't care.
If those messages are the IPC layer of a distributed system that handles financial transactions, then maybe you care more.
Update: I should add, also, that the two digest algorithms are essentially interchangeable in many ways, so how much more trouble would it really be to use the more secure one?
Update 2: this is a much more thorough answer: http://www.schneier.com/essay-074.html
是的,某人可以在不知道共享密码的情况下发送消息和正确的哈希值。 他们只需要找到一个哈希值相同的字符串。
这种情况有多常见? 2007 年,荷兰的一个组织宣布,他们在 MD5 哈希值
如果我没听错的话,这和你的情况是一样的。 只需将“候选人姓名”替换为“秘密密码”即可。 如果您确实想要安全,您可能应该使用不同的哈希函数。
Yes, someone can send a message and a correct hash without knowing the shared password. They just need to find a string that hashes to the same value.
How common is that? In 2007, a group from the Netherlands announced that they had predicted the winner of the 2008 U.S. Presidential election in a file with the MD5 hash value 3D515DEAD7AA16560ABA3E9DF05CBC80. They then created twelve files, all identical except for the candidate's name and an arbitrary number of spaces following, that hashed to that value. The MD5 hash value is worthless as a checksum, because too many different files give the same result.
This is the same scenario as yours, if I'm reading you right. Just replace "candidate's name" with "secret password". If you really want to be secure, you should probably use a different hash function.
如果你要生成一个 hash-mac,就不要发明你的方案。 使用HMAC。 执行 HASH(secret-key || message) 和 HASH(message || Secret-key) 时存在问题。 如果您使用密码作为密钥,您还应该使用密钥派生函数。 看看pbkdf2。
if you are going to generate a hash-mac don't invent your scheme. use HMAC. there are issues with doing HASH(secret-key || message) and HASH(message || secret-key). if you are using a password as a key you should also be using a key derivation function. have a look at pbkdf2.
是的,值得担心在这种情况下使用哪个哈希。 我们先看一下攻击模型。 攻击者可能不仅尝试生成值 md5(M+T+P),还可能尝试查找密码 P。特别是,如果攻击者可以收集值 Mi、T 的元组, i,以及相应的 md5(Mi, Ti, P) 那么他/她可能会尝试找到 P。这个问题还没有'对于哈希函数的研究与查找冲突一样广泛。 我解决这个问题的方法是尝试针对分组密码的相同类型的攻击:例如差分攻击。 由于 MD5 已经非常容易受到差分攻击,我当然可以想象这样的攻击在这里可能会成功。
因此,我建议您在这里使用比 MD5 更强的哈希函数。 我还建议您使用 HMAC 而不是仅使用 md5(M+T+P),因为 HMAC 是针对您描述的情况而设计的,并已进行了相应的分析。
Yes, it is worth to worry about which hash to use in this case. Let's look at the attack model first. An attacker might not only try to generate values md5(M+T+P), but might also try to find the password P. In particular, if the attacker can collect tupels of values Mi, Ti, and the corresponding md5(Mi, Ti, P) then he/she might try to find P. This problem hasn't been studied as extensively for hash functions as finding collisions. My approach to this problem would be to try the same types of attacks that are used against block ciphers: e.g. differential attacks. And since MD5 already highly susceptible to differential attacks, I can certainly imagine that such an attack could be successful here.
Hence I do recommend that you use a stronger hash function than MD5 here. I also recommend that you use HMAC instead of just md5(M+T+P), because HMAC has been designed for the situation that you describe and has accordingly been analyzed.
以这种方式使用 MD5 并没有什么不安全的地方。 MD5 只是在某种意义上被破坏了,有一些算法,给定一堆数据 A 可以生成附加数据 B 以创建所需的哈希值。 这意味着,如果有人知道密码的哈希值,他们就可以生成一个由该哈希值生成的字符串。 不过,这些生成的字符串通常很长,因此如果您将密码限制为 20 或 30 个字符,您仍然可能是安全的。
使用 SHA1 而不是 MD5 的主要原因是 MD5 功能正在被逐步淘汰。 例如,Silverlight .Net 库不包含 MD5 加密提供程序。
There is nothing insecure about using MD5 in this manner. MD5 was only broken in the sense that, there are algorithms that, given a bunch of data A additional data B can be generated to create a desired hash. Meaning, if someone knows the hash of a password, they could produce a string that will result with that hash. Though, these generated strings are usually very long so if you limit passwords to 20 or 30 characters you're still probably safe.
The main reason to use SHA1 over MD5 is that MD5 functions are being phased out. For example the Silverlight .Net library does not include the MD5 cryptography provider.
MD5 比 SHA 提供更多的冲突,这意味着有人实际上可以从不同的单词获得相同的哈希值(但很少)。
SHA家族以其可靠性而闻名,SHA1已成为日常使用的标准,而SHA256/SHA512是政府和银行设备的标准。
对于您的个人网站或论坛,我建议您考虑 SHA1,如果您创建更严肃的商业活动,我建议您使用 SHA256/SHA512(SHA2 系列)
您可以查看有关 MD5 & SHA
MD5 provide more collision than SHA which mean someone can actually get same hash from different word (but it's rarely).
SHA family has been known for it's reliability, SHA1 has been standard on daily use, while SHA256/SHA512 was a standard for government and bank appliances.
For your personal website or forum, i suggest you to consider SHA1, and if you create a more serious like commerce, i suggest you to use SHA256/SHA512 (SHA2 family)
You can check wikipedia article about MD5 & SHA
MD5 和 SHA-1 都存在加密弱点。 MD4 和 SHA-0 也受到损害。
您或许可以安全地使用 MD6、Whirlpool 和 RIPEMD-160。
请参阅普林斯顿大学的以下幻灯片,向下滚动到最后一页。
http://gcu.googlecode.com/files/11Hashing.pdf
Both MD5 amd SHA-1 have cryptographic weaknesses. MD4 and SHA-0 are also compromised.
You can probably safely use MD6, Whirlpool, and RIPEMD-160.
See the following powerpoint from Princeton University, scroll down to the last page.
http://gcu.googlecode.com/files/11Hashing.pdf
我不会评论 MD5/SHA1/等。 问题,所以也许你会认为这个答案没有实际意义,但让我感到非常有趣的是每当使用 MD5 等时。 用于对数据库中的密码进行哈希处理。
如果有人在您的数据库中闲逛,那么他们很可能想查看您的密码哈希值,但他们也很可能想窃取您可能存在于其他表中的个人信息或任何其他数据。 坦率地说,在这种情况下,你还有更大的鱼要煎。
我并不是说忽略这个问题,就像我说的,这对于你是否应该使用 MD5、SHA1 或其他东西来散列你的密码并没有太大影响,但每次我读到这里时,我都会感到有点发痒。有人对数据库中的纯文本密码感到有点不安。
I'm not going to comment on the MD5/SHA1/etc. issue, so perhaps you'll consider this answer moot, but something that amuses me very slightly is whenever the use of MD5 et al. for hashing passwords in databases comes up.
If someone's poking around in your database, then they might very well want to look at your password hashes, but it's just as likely they're going to want to steal personal information or any other data you may have lying around in other tables. Frankly, in that situation, you've got bigger fish to fry.
I'm not saying ignore the issue, and like I said, this doesn't really have much bearing on whether or not you should use MD5, SHA1 or whatever to hash your passwords, but I do get tickled slightly pink every time I read someone getting a bit too upset about plain text passwords in a database.