当前位置: 文江博客话题详情

md5() 函数?

发布于 2024-11-01 21:29:16 字数 309 浏览 1 评论 0原文

可能的重复:
MD5 真的那么糟糕吗?

嗨,

我正在尝试创建一个相当安全的日志在功能上。当我使用 SQL 和 PHP 将用户插入到 MySQL 表中时,我使用 md5() 函数,但是表中出现的字母和数字字符串不是经过加密且相当安全的方式吗?

希望有一些关于创建登录功能的好建议。谢谢!

原文

Possible Duplicate:
Is MD5 really that bad?

Hi,

I'm trying to create a fairly secure log in function. I use the md5() function to when I insert a user into a MySQL table with SQL and PHP, but the string of letters and numbers that appears in the table of that, isn't that encrypted and a fairly secure way?

Would appreciate some good advice to create a log in function. Thanks!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

魂牵梦绕锁你心扉 2024-11-08 21:29:16

MD5不是加密,而是散列。哈希函数并非设计为可逆的,但尽管其长度固定,但其输出被假定为相对唯一,因此如果您使用 SHA-1 或 SHA-2 (MD5) 等加密安全函数,那么它是安全存储密码的一种好方法。不再是加密安全的)。

MD5 is not encryption, it's hashing. A hashing function is not designed to be reversed, but its output is assumed to be relatively unique despite its fixed length so it's a good way to securely store passwords, if you use a cryptographically secure one like SHA-1 or SHA-2 (MD5 is no longer cryptographically secure).

回复 原文
溺深海 2024-11-08 21:29:16

是的,这就是您看到的哈希值。如果您使用 md5(),请确保至少使用盐。为每个用户提供可变的盐是理想的选择。

我还建议您查看bcrypt。它比其他哈希函数慢得多,并且也更安全。

另一个选择是 PHP 的 crypt 函数。

这个问题有一些支持和反对某些哈希/加密方法的答案。您也应该检查一下:How do you use bcrypt for hashing passwords in PHP?

如果您不过,通过 HTTP 发送用户密码。因此,请确保您也设置了 HTTPS 和 SSL。并强制执行强密码! (免责声明 - 有些人反对强制使用强密码,因为这会激怒用户。您必须做出决定)

Yes, that's the hash you're seeing. If you're using md5() make sure to at least use a salt. A variable salt for each user would be ideal.

I would also suggest you look into bcrypt. It's much slower than other hash functions and is more secure as well.

Another option is PHP's crypt function.

This SO question has a few answers for and against some hashing/encryption methods. You should check that out as well : How do you use bcrypt for hashing passwords in PHP?

All this will be for naught if you send user passwords over HTTP though. So make sure you have HTTPS and SSL setup as well. And enforce strong passwords! (disclaimer - some people argue against forcing strong passwords because it pisses off users. You will have to decide)

回复 原文
蓝海 2024-11-08 21:29:16

MD5 是一个哈希函数。它的工作原理是使用无法轻易逆转的数学运算。这是存储密码的好方法。对于登录检查,您只需获取使用登录表单提供的密码,也对其应用 MD5 函数,然后比较结果。
不过,请注意:MD5 不再被认为是安全的。请改用 SHA-1 或其他算法。

MD5 is a Hash-Function. It works by using a mathematical operation that cannot be easily reversed. It is a good way to store passwords. For the login-check, you simply take to password provided using the login form, apply the MD5 function to this too, and compare the results.
A word of warning though: MD5 is not considered secure anymore. Use SHA-1 or others instead.

回复 原文
冷…雨湿花 2024-11-08 21:29:16

MD5 散列并不是散列密码的最佳方法,它在几年前就被“破坏”了(逆向工程)。

仅仅对密码进行哈希处理并不是理想的安全级别。使用盐、散列和迭代是。这是我通常创建和存储用户密码的方式:

MySQL 表:

create table `users` (
    `id` int unsigned not null auto_increment,
    ...all user properties...
    `salt` varchar(20) not null,
    `pword` blob not null,
    primary key(`id`)
) default charset=utf8 collate utf8_unicode_ci;

生成新用户并创建密码:

define('SYSTEM_SALT', 'rgcaeg43cg0#3tg_..+g3gg3g'); /* A random system wide salt */
define('ITERATIONS', 1000); /* Number of hashing iterations */
define('KEY_LENGTH', 256); /* Length of the generated hash */

...

$user = new User();

$salt  = PBKDF2::generator(15); /* Salt length is 15 characters */
$pword = PBKDF2::generator(8); /* User password length is 8 characters */

$hashed_pword = PBKDF2::run($pword, SYSTEM_SALT . $salt, ITERATIONS, KEY_LENGTH, PBKDF2::SHA512);

$user->setPassword($hashed_pword);
$user->setSalt($salt);
/* Set the rest of the user properties */

最后,神奇的地方是 PBKDF2 类实现:

class PBKDF2 {
    const SHA256 = 'sha256';
    const SHA512 = 'sha512';
    const TIGER  = 'tiger192,4';
    const RIPEMD = 'ripemd256';
    const HAVAL  = 'haval256,5';

    public static function run($password, $salt, $iterations, $key_length, $algorithm) {
        if (!PBKDF2::isAlgorithmAvailable($algorithm))
            throw new PBKDF2Exception("Algorithm not available on your system");

        $key_blocks  = ceil($key_length / strlen(hash($algorithm, null, true)));
        $derived_key = '';

        for ($block = 1; $block <= $key_blocks; $block++) {
            $current = $initial = hash_hmac($algorithm, $salt . pack('N', $block), $password, true);
            for ($i = 1; $i < $iterations; $i++) {
                $current ^= ($initial = hash_hmac($algorithm, $initial, $password, true));
            }

            $derived_key .= $current;
        }

        return substr($derived_key, 0, $key_length);
    }

    public static function isAlgorithmAvailable($algorithm) {
        return in_array($algorithm, hash_algos());
    }

    public static function generator($length = 8) {
        $chars  = 'abcdefghijklmnopqrstuvwxyz0123456789?!_:;,.ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?!_:;,.';
        $buffer = '';

        for ($i = 0; $i < intval($length); $i++) {
            $buffer .= $chars[mt_rand(0, strlen($chars) - 1)];
        }

        return $buffer;
    }
}

PBKDF 意味着 基于密码的密钥派生函数,是 PKCS 标准的一部分。上面的类使用 PHP 中的 SHA 512 哈希实现(或您想要的算法)和合并的两个盐对密码进行 1000 次哈希处理(您当然可以更高)。这样你就可以非常安全地防止彩虹表查找,这是破解散列密码的标准方法。

正如您所看到的,我还为用户生成了一个密码,这当然可以是非自动生成的,而是让用户选择自己的密码。

MD5 hashes are not the best way to hash passwords, it became "broken" (reversed engineered) years ago.

And just hashing a password is not a desirable security level. Using salts, hashing and iterations is. Here's the way I usually create and store a user password:

MySQL table:

create table `users` (
    `id` int unsigned not null auto_increment,
    ...all user properties...
    `salt` varchar(20) not null,
    `pword` blob not null,
    primary key(`id`)
) default charset=utf8 collate utf8_unicode_ci;

Generating a new user and creating a password:

define('SYSTEM_SALT', 'rgcaeg43cg0#3tg_..+g3gg3g'); /* A random system wide salt */
define('ITERATIONS', 1000); /* Number of hashing iterations */
define('KEY_LENGTH', 256); /* Length of the generated hash */

...

$user = new User();

$salt  = PBKDF2::generator(15); /* Salt length is 15 characters */
$pword = PBKDF2::generator(8); /* User password length is 8 characters */

$hashed_pword = PBKDF2::run($pword, SYSTEM_SALT . $salt, ITERATIONS, KEY_LENGTH, PBKDF2::SHA512);

$user->setPassword($hashed_pword);
$user->setSalt($salt);
/* Set the rest of the user properties */

And finally, where the magic happens, the PBKDF2 class implementation:

class PBKDF2 {
    const SHA256 = 'sha256';
    const SHA512 = 'sha512';
    const TIGER  = 'tiger192,4';
    const RIPEMD = 'ripemd256';
    const HAVAL  = 'haval256,5';

    public static function run($password, $salt, $iterations, $key_length, $algorithm) {
        if (!PBKDF2::isAlgorithmAvailable($algorithm))
            throw new PBKDF2Exception("Algorithm not available on your system");

        $key_blocks  = ceil($key_length / strlen(hash($algorithm, null, true)));
        $derived_key = '';

        for ($block = 1; $block <= $key_blocks; $block++) {
            $current = $initial = hash_hmac($algorithm, $salt . pack('N', $block), $password, true);
            for ($i = 1; $i < $iterations; $i++) {
                $current ^= ($initial = hash_hmac($algorithm, $initial, $password, true));
            }

            $derived_key .= $current;
        }

        return substr($derived_key, 0, $key_length);
    }

    public static function isAlgorithmAvailable($algorithm) {
        return in_array($algorithm, hash_algos());
    }

    public static function generator($length = 8) {
        $chars  = 'abcdefghijklmnopqrstuvwxyz0123456789?!_:;,.ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?!_:;,.';
        $buffer = '';

        for ($i = 0; $i < intval($length); $i++) {
            $buffer .= $chars[mt_rand(0, strlen($chars) - 1)];
        }

        return $buffer;
    }
}

PBKDF means Password Based Key Derivation Function, and is a part of the PKCS standards. The class above hashes the password 1000 times (you could of course go higher), with the SHA 512 hash implementation in PHP (or your desierable algorithm) and two salts that were merged. This way you should be very secure against rainbow table lookups, which is the standard way of cracking a hashed password.

As you can see I also generate a password for the users, this could of course be non-autogenerated and instead let the users pick their own passwords.

回复 原文
抚你发端 2024-11-08 21:29:16

我认为在撰写本文时尚未明确说明的是,使用散列函数存在第三方生成预散列随机数和字母或常用密码和名称的大量索引的问题。如果您的数据库每次都被破坏,那么您的哈希值肯定会与这些查找表进行比较,并可能猜测它们是否在其中。他们所需要的只是管理员密码的一次幸运匹配。

这些预先计算的哈希查找表的术语通常被称为“彩虹表”,

这可以通过使用随机字符序列对哈希值加盐来有效避免,因此每个密码都会添加一些内容,从而减少了它已经被预先计算的可能性。在查找表中计算并索引。如果需要,可以为每个用户生成该“盐”。

What I believe that has not been explicitly stated at the time of writing this, is that the use of a hashing function has the issue of third parties generating massive indexes of pre-hashed random numbers and letters, or commonly used passwords and names. If your database were every to be breached, most certainly your hashes would be compared to these lookup tables and possibly guessed if they were in there. All they would need is a single lucky match of the administrator's password.

The term for these pre-computed hash lookup tables is generally dubbed "Rainbow tables"

This can be avoided effectively by salting your hashes with a random sequence of characters, therefor each password has something added to it reducing the possibility it has already been pre-computed and indexed in a lookup table. This "salt" can be generated for every user if need be.

回复 原文
~没有更多了~

关于作者

耳钉梦

暂无简介

0 文章
0 评论
21 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

lorenzathorton8

文章 0 评论 0

Zero

文章 0 评论 0

萧瑟寒风

文章 0 评论 0

mylayout

文章 0 评论 0

tkewei

文章 0 评论 0

17818769742

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文