背景:
现在很多公司使用MD5存放用户密码,但是当摘要过的MD5值泄漏出去后还是有很大可能通过别的方法获得原文。\
通过以下网站很容易获得原文
http://www.cmd5.com/
http://pmd5.com/
"888888":21218cca77804d2ba1922c33e0151105
"123456"的MD5值任何时候生成的都是"e10adc3949ba59abbe56e057f20f883e"
加盐原理:
给原文加入随机数生成新的MD5值。同样的"123456" 每次MD5都是不同值。
实际操作:
本程序中任意一次加密“123456” 获得的是:d32007911f3745715fc3534e68535884f901e6cd93b1d962
通过网站查询原文不成功:
源代码:
MD5Util
- package com.ding.util.md5;
- import java.util.Random;
- import org.apache.commons.codec.binary.Hex;
- import java.security.NoSuchAlgorithmException;
- import java.security.MessageDigest;
- /**
- * MD5工具类,加盐
- * @author daniel
- * @email [email protected]
- * @time 2016-6-11 下午7:57:36
- */
- public class MD5Util {
- /**
- * 普通MD5
- * @author daniel
- * @time 2016-6-11 下午8:00:28
- * @param inStr
- * @return
- */
- public static String MD5(String input) {
- MessageDigest md5 = null;
- try {
- md5 = MessageDigest.getInstance("MD5");
- } catch (NoSuchAlgorithmException e) {
- return "check jdk";
- } catch (Exception e) {
- e.printStackTrace();
- return "";
- }
- char[] charArray = input.toCharArray();
- byte[] byteArray = new byte[charArray.length];
- for (int i = 0; i < charArray.length; i++)
- byteArray[i] = (byte) charArray[i];
- byte[] md5Bytes = md5.digest(byteArray);
- StringBuffer hexValue = new StringBuffer();
- for (int i = 0; i < md5Bytes.length; i++) {
- int val = ((int) md5Bytes[i]) & 0xff;
- if (val < 16)
- hexValue.append("0");
- hexValue.append(Integer.toHexString(val));
- }
- return hexValue.toString();
- }
- /**
- * 加盐MD5
- * @author daniel
- * @time 2016-6-11 下午8:45:04
- * @param password
- * @return
- */
- public static String generate(String password) {
- Random r = new Random();
- StringBuilder sb = new StringBuilder(16);
- sb.append(r.nextInt(99999999)).append(r.nextInt(99999999));
- int len = sb.length();
- if (len < 16) {
- for (int i = 0; i < 16 - len; i++) {
- sb.append("0");
- }
- }
- String salt = sb.toString();
- password = md5Hex(password + salt);
- char[] cs = new char[48];
- for (int i = 0; i < 48; i += 3) {
- cs[i] = password.charAt(i / 3 * 2);
- char c = salt.charAt(i / 3);
- cs[i + 1] = c;
- cs[i + 2] = password.charAt(i / 3 * 2 + 1);
- }
- return new String(cs);
- }
- /**
- * 校验加盐后是否和原文一致
- * @author daniel
- * @time 2016-6-11 下午8:45:39
- * @param password
- * @param md5
- * @return
- */
- public static boolean verify(String password, String md5) {
- char[] cs1 = new char[32];
- char[] cs2 = new char[16];
- for (int i = 0; i < 48; i += 3) {
- cs1[i / 3 * 2] = md5.charAt(i);
- cs1[i / 3 * 2 + 1] = md5.charAt(i + 2);
- cs2[i / 3] = md5.charAt(i + 1);
- }
- String salt = new String(cs2);
- return md5Hex(password + salt).equals(new String(cs1));
- }
- /**
- * 获取十六进制字符串形式的MD5摘要
- */
- private static String md5Hex(String src) {
- try {
- MessageDigest md5 = MessageDigest.getInstance("MD5");
- byte[] bs = md5.digest(src.getBytes());
- return new String(new Hex().encode(bs));
- } catch (Exception e) {
- return null;
- }
- }
- }
测试类:
- package com.ding.util.md5;
- public class Zmain {
- // 测试主函数
- public static void main(String args[]) {
- // 原文
- String plaintext = "DingSai";
- // plaintext = "123456";
- System.out.println("原始:" + plaintext);
- System.out.println("普通MD5后:" + MD5Util.MD5(plaintext));
- // 获取加盐后的MD5值
- String ciphertext = MD5Util.generate(plaintext);
- System.out.println("加盐后MD5:" + ciphertext);
- System.out.println("是否是同一字符串:" + MD5Util.verify(plaintext, ciphertext));
- /**
- * 其中某次DingSai字符串的MD5值
- */
- String[] tempSalt = { "c4d980d6905a646d27c0c437b1f046d4207aa2396df6af86", "66db82d9da2e35c95416471a147d12e46925d38e1185c043", "61a718e4c15d914504a41d95230087a51816632183732b5a" };
- for (String temp : tempSalt) {
- System.out.println("是否是同一字符串:" + MD5Util.verify(plaintext, temp));
- }
- }
- }
输出结果:
讲解:
- String[] tempSalt = { "c4d980d6905a646d27c0c437b1f046d4207aa2396df6af86", "66db82d9da2e35c95416471a147d12e46925d38e1185c043", "61a718e4c15d914504a41d95230087a51816632183732b5a" };
通过verify和原文校验全部一致。
通过这种方式,可以加大数据库泄露密码以后被破译的风险。
源码:
https://github.com/dingsai88/StudyTest/tree/master/src/com/ding/util/md5
依赖的JAR包
https://github.com/dingsai88/StudyTest/blob/master/lib/commons-codec-1.10.jar