SoFunction
Updated on 2025-03-08

Detailed explanation of the application of Java MD5 secondary encryption

MD5 secondary encryption application

  • When the front end transmits the password to the back end, two MD5 encryptions are required. What is the encryption and decryption process during login and registration?

Front end and back end can agree that certain digits of the password are used as the salt for the encryption and decryption operations. Only the programmers know this conventional salt selection, so it is more secure and does not require the front end and back end to transmit the salt. Alternatively, the front-end and back-end developers agree on the salt for the first layer of encryption during development and store it on the front end and back end respectively. In this way, the front end encrypts the password with md5 and the salt each time it is sent, and because the server knows the salt, it can naturally decrypt it.

Answer:

  • Whether it is registration or login, the first md5 encryption of the password is completed on the front end, and the second encryption is completed on the back end.
  • Two salts are used to encrypt each user's password twice. The first salt is public (shared by front end and back end) and declared final static; the second salt is generated specially for each user and stored in the salt field of the user table in the database (this is what makes password verification possible when logging in later).
  • Again, MD5 is just a hash, not an encryption. An MD5 digest cannot be decrypted, because one digest may correspond to countless possible plaintexts.

When the user first registers

  • The front end uses the global public salt1 to convert inputPass (the password entered by the user) into fromPass (the transition password), and then passes it to the server.
  • The server randomly generates a user-specific salt2 and uses md5 with salt2 to convert fromPass into dbPass (the password stored in the database).
  • After the conversion, the user's registration information (including the username and the password after the second encryption) and the exclusive salt2 are stored in the database.

When a user logs in with a username and password

  • The front end first encrypts inputPass with the public salt1, obtains fromPass and passes it to the server.
  • The server looks up the user's exclusive salt2 and stored password (the password after the second encryption performed at registration), and uses that salt2 to encrypt the fromPass received from the front end a second time.
  • The result is compared with the password retrieved from the database. If they are consistent, the login succeeds; otherwise the login fails.
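As an added example (not code from the original article), the registration and login steps above carried through end to end in plain Java with only the JDK, so it runs without Spring. The front-end step is simulated by frontEndHash, and the user table by an in-memory map; the class and method names (TwoStepMd5Demo, register, login, UserRow) and the sample password and salt values are assumptions made for this example. The server never sees the plain password: it stores dbPass together with the per-user salt2, and at login recomputes dbPass from the received fromPass and compares it with MessageDigest.isEqual rather than String.equals.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Walk-through of the two-salt MD5 flow: the front end hashes with the shared
 * salt1, the server hashes again with a per-user salt2 (example code, not the
 * article's own; all names and values here are assumptions).
 */
public class TwoStepMd5Demo {

    /** Shared salt1, known to both front end and back end (value constructed for this example). */
    static final String SALT1 = "1a2b3c4d";

    /** Hex MD5 of a UTF-8 string, using only the JDK (no Spring dependency). */
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is a mandatory JDK algorithm", e);
        }
    }

    /** Mixes selected salt characters around the value, the same pattern as the article's MD5Util. */
    static String saltedMd5(String value, String salt) {
        // the leading "" forces String concatenation; char + char would be integer arithmetic
        String str = "" + salt.charAt(0) + salt.charAt(2) + value + salt.charAt(5) + salt.charAt(4);
        return md5Hex(str);
    }

    /** Step 1, run in the browser: inputPass -> fromPass with the public salt1. */
    static String frontEndHash(String inputPass) {
        return saltedMd5(inputPass, SALT1);
    }

    /** One row of the user table: dbPass plus the user's exclusive salt2. */
    static final class UserRow {
        final String dbPass;
        final String salt2;
        UserRow(String dbPass, String salt2) { this.dbPass = dbPass; this.salt2 = salt2; }
    }

    /** Stand-in for the database user table (constructed for this example). */
    static final Map<String, UserRow> USERS = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    /** Server-side registration: receives fromPass only, never the plain password. */
    static void register(String username, String fromPass) {
        byte[] raw = new byte[8];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder(16);
        for (byte b : raw) sb.append(String.format("%02x", b));
        String salt2 = sb.toString();            // per-user salt, stored alongside the hash
        USERS.put(username, new UserRow(saltedMd5(fromPass, salt2), salt2));
    }

    /** Server-side login: recompute dbPass from the received fromPass and the stored salt2, then compare. */
    static boolean login(String username, String fromPass) {
        UserRow row = USERS.get(username);
        if (row == null) return false;
        String candidate = saltedMd5(fromPass, row.salt2);
        // constant-time comparison so response timing does not leak how many leading bytes matched
        return MessageDigest.isEqual(
                candidate.getBytes(StandardCharsets.UTF_8),
                row.dbPass.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // registration: the browser sends fromPass, the server stores dbPass and salt2
        register("alice", frontEndHash("123456"));
        // login: same front-end step, the server recomputes dbPass and compares
        System.out.println("correct password: " + login("alice", frontEndHash("123456")));
        System.out.println("wrong password:   " + login("alice", frontEndHash("654321")));
        System.out.println("unknown user:     " + login("bob", frontEndHash("123456")));
    }
}
```

Note that nothing in the login path "decrypts" anything: the server simply repeats the same salted hash it performed at registration and checks for equality, which is why the stored salt2 has to be saved next to dbPass.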

If the password retrieved from the database could be decrypted by one layer (that is, restored from its state after the second encryption to its state after the first encryption), why not, when verifying the password, directly compare that decrypted value with the encrypted password transmitted from the front end to find out whether the password is correct?

Answer: Because md5 encrypts by hashing, which is an irreversible process. Even if you know the result of the hash, it is almost impossible to deduce the input of the hash function from it.

The following is the server-side implementation of the md5 encryption. The inputPassToFromPass and inputPassToDBPass methods are only used for testing. In a real business scenario, the password transmitted from the front end must never be the plain-text password; it must be the password already encrypted by the inputPassToFromPass() method.

import org.springframework.stereotype.Component;
import org.springframework.util.DigestUtils;

import java.nio.charset.StandardCharsets;

/**
 * MD5 tool class
 */
@Component
public class MD5Util {
    // hex MD5 digest of the UTF-8 bytes of str (Spring's DigestUtils)
    public static String md5(String str) {
        return DigestUtils.md5DigestAsHex(str.getBytes(StandardCharsets.UTF_8));
    }

    // public salt1, shared by front end and back end
    private static final String salt = "1a2b3c4d";

    /**
     * First time encryption
     **/
    public static String inputPassToFromPass(String inputPass) {
        // salt can be randomly placed in each part of the password input;
        // the leading "" forces String concatenation (char + char would be integer addition)
        String str = "" + salt.charAt(0) + salt.charAt(2) + inputPass + salt.charAt(5) + salt.charAt(4);
        return md5(str);
    }

    /**
     * For the second encryption, the salt used needs to be regenerated (this salt will be stored in the database and become a property of the user).
     **/
    public static String formPassToDBPass(String formPass, String salt) {
        // the salt parameter (salt2) shadows the static public salt on purpose
        String str = "" + salt.charAt(0) + salt.charAt(2) + formPass + salt.charAt(5) + salt.charAt(4);
        return md5(str);
    }

    /**
     * Runs the first and second encryption in one call
     */
    public static String inputPassToDBPass(String inputPass, String salt) {
        String fromPass = inputPassToFromPass(inputPass);
        String dbPass = formPassToDBPass(fromPass, salt);
        return dbPass;
    }

    public static void main(String[] args) {
        System.out.println(inputPassToFromPass("123456"));
        System.out.println(formPassToDBPass(inputPassToFromPass("123456"), "abcdefgh"));
        System.out.println(inputPassToDBPass("123456", "abcdefgh"));
    }
}

This is the end of this article about the application of Java MD5 secondary encryption. For more related Java MD5 secondary encryption content, please search for my previous articles or continue browsing the related articles below. I hope everyone will support me in the future!