背景:

現(xiàn)在很多公司使用MD5存放用戶密碼，但是當(dāng)摘要過的MD5值泄漏出去后還是有很大可能通過別的方法獲得原文。\

通過以下網(wǎng)站很容易獲得原文
http://www.cmd5.com/
http://pmd5.com/

" 123456 ":e10adc3949ba59abbe56e057f20f883e
"888888":21218cca77804d2ba1922c33e0151105




"123456"的MD5值任何時候生成的都是"e10adc3949ba59abbe56e057f20f883e"

加鹽原理:

給原文加入隨機(jī)數(shù)生成新的MD5值。


同樣的"123456" 每次MD5都是不同值。

實(shí)際操作：

本程序中任意一次加密“123456” 獲得的是:d32007911f3745715fc3534e68535884f901e6cd93b1d962

通過網(wǎng)站查詢原文不成功:

源代碼:

MD5Util

[html]?view plaincopy

package?com.ding.util.md5;??

??

import?java.util.Random;??

import?org.apache.commons.codec.binary.Hex;??

import?java.security.NoSuchAlgorithmException;??

import?java.security.MessageDigest;??

??

/**??

?*?MD5工具類，加鹽??

?*?@author?daniel??

?*?@email?576699909@qq.com??

?*?@time?2016-6-11?下午7:57:36??

?*/??

public?class?MD5Util?{??

??

????/**??

?????*?普通MD5??

?????*?@author?daniel??

?????*?@time?2016-6-11?下午8:00:28??

?????*?@param?inStr??

?????*?@return??

?????*/??

????public?static?String?MD5(String?input)?{??

????????MessageDigest?md5?=?null;??

????????try?{??

????????????md5?=?MessageDigest.getInstance("MD5");??

????????}?catch?(NoSuchAlgorithmException?e)?{??

????????????return?"check?jdk";??

????????}?catch?(Exception?e)?{??

????????????e.printStackTrace();??

????????????return?"";??

????????}??

????????char[]?charArray?=?input.toCharArray();??

????????byte[]?byteArray?=?new?byte[charArray.length];??

??

????????for?(int?i?=?0;?i?<?charArray.length;?i++)??

????????????byteArray[i]?=?(byte)?charArray[i];??

????????byte[]?md5Bytes?=?md5.digest(byteArray);??

????????StringBuffer?hexValue?=?new?StringBuffer();??

????????for?(int?i?=?0;?i?<?md5Bytes.length;?i++)?{??

????????????int?val?=?((int)?md5Bytes[i])?&?0xff;??

????????????if?(val?<?16)??

????????????????hexValue.append("0");??

????????????hexValue.append(Integer.toHexString(val));??

????????}??

????????return?hexValue.toString();??

??

????}??

???

???????

???????

???????

????/**??

?????*?加鹽MD5??

?????*?@author?daniel??

?????*?@time?2016-6-11?下午8:45:04??

?????*?@param?password??

?????*?@return??

?????*/??

????????public?static?String?generate(String?password)?{??

????????????Random?r?=?new?Random();??

????????????StringBuilder?sb?=?new?StringBuilder(16);??

????????????sb.append(r.nextInt(99999999)).append(r.nextInt(99999999));??

????????????int?len?=?sb.length();??

????????????if?(len?<?16)?{??

????????????????for?(int?i?=?0;?i?<?16?-?len;?i++)?{??

????????????????????sb.append("0");??

????????????????}??

????????????}??

????????????String?salt?=?sb.toString();??

????????????password?=?md5Hex(password?+?salt);??

????????????char[]?cs?=?new?char[48];??

????????????for?(int?i?=?0;?i?<?48;?i?+=?3)?{??

????????????????cs[i]?=?password.charAt(i?/?3?*?2);??

????????????????char?c?=?salt.charAt(i?/?3);??

????????????????cs[i?+?1]?=?c;??

????????????????cs[i?+?2]?=?password.charAt(i?/?3?*?2?+?1);??

????????????}??

????????????return?new?String(cs);??

????????}??

??

????????/**??

?????????*?校驗(yàn)加鹽后是否和原文一致??

?????????*?@author?daniel??

?????????*?@time?2016-6-11?下午8:45:39??

?????????*?@param?password??

?????????*?@param?md5??

?????????*?@return??

?????????*/??

????????public?static?boolean?verify(String?password,?String?md5)?{??

????????????char[]?cs1?=?new?char[32];??

????????????char[]?cs2?=?new?char[16];??

????????????for?(int?i?=?0;?i?<?48;?i?+=?3)?{??

????????????????cs1[i?/?3?*?2]?=?md5.charAt(i);??

????????????????cs1[i?/?3?*?2?+?1]?=?md5.charAt(i?+?2);??

????????????????cs2[i?/?3]?=?md5.charAt(i?+?1);??

????????????}??

????????????String?salt?=?new?String(cs2);??

????????????return?md5Hex(password?+?salt).equals(new?String(cs1));??

????????}??

??

????????/**??

?????????*?獲取十六進(jìn)制字符串形式的MD5摘要??

?????????*/??

????????private?static?String?md5Hex(String?src)?{??

????????????try?{??

????????????????MessageDigest?md5?=?MessageDigest.getInstance("MD5");??

????????????????byte[]?bs?=?md5.digest(src.getBytes());??

????????????????return?new?String(new?Hex().encode(bs));??

????????????}?catch?(Exception?e)?{??

????????????????return?null;??

????????????}??

????????}??

??

????????

???????

???????

}??

測試類:

[html]?view plaincopy

package?com.ding.util.md5;??

??

public?class?Zmain?{??

??

????//?測試主函數(shù)??

????public?static?void?main(String?args[])?{??

????????//?原文??

????????String?plaintext?=?"DingSai";??

????//??plaintext?=?"123456";??

????????System.out.println("原始："?+?plaintext);??

????????System.out.println("普通MD5后："?+?MD5Util.MD5(plaintext));??

??

????????//?獲取加鹽后的MD5值??

????????String?ciphertext?=?MD5Util.generate(plaintext);??

????????System.out.println("加鹽后MD5："?+?ciphertext);??

????????System.out.println("是否是同一字符串:"?+?MD5Util.verify(plaintext,?ciphertext));??

????????/**??

?????????*?其中某次DingSai字符串的MD5值??

?????????*/??

????????String[]?tempSalt?=?{?"c4d980d6905a646d27c0c437b1f046d4207aa2396df6af86",?"66db82d9da2e35c95416471a147d12e46925d38e1185c043",?"61a718e4c15d914504a41d95230087a51816632183732b5a"?};??

??

????????for?(String?temp?:?tempSalt)?{??

????????????System.out.println("是否是同一字符串:"?+?MD5Util.verify(plaintext,?temp));??

????????}??

??????????

??????????

??????????

??????????

??????????

??????????

????}??

}??

輸出結(jié)果:

講解:

[html]?view plaincopy

String[]?tempSalt?=?{?"c4d980d6905a646d27c0c437b1f046d4207aa2396df6af86",?"66db82d9da2e35c95416471a147d12e46925d38e1185c043",?"61a718e4c15d914504a41d95230087a51816632183732b5a"?};??

這些值都是多次加鹽md5以后獲得的值。

通過verify和原文校驗(yàn)全部一致。

通過這種方式，可以加大數(shù)據(jù)庫泄露密碼以后被破譯的風(fēng)險(xiǎn)。

源碼：

https://github.com/dingsai88/StudyTest/tree/master/src/com/ding/util/md5

依賴的JAR包

https://github.com/dingsai88/StudyTest/blob/master/lib/commons-codec-1.10.jar

總結(jié)

以上是生活随笔為你收集整理的密码加盐保存的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。