preface

This article introduces how to design a relatively secure account system through hashing related applications.

Usage scenarios

At present, there are security problems in the design of account system of many applications in the market. Even many apps directly send the user password to the server for verification in plain text, so that it is easy to know the user’s real password through packet capture analysis. So how do you design your password to be relatively secure? Here’s how to use hash in passwords.

Application of hashing

  • Encryption of user passwords
  • Copyright authentication
  • A digital signature
  • Search engine keyword

Encryption of user passwords

Common hash algorithms are MD5 SHA1 SHA256 SHA512

Common encryption schemes:

  • Use MD5 directly
  • MD5 salt
  • HMAC encryption scheme

Here we analyze the security through different schemes:

Use MD5 directly

This method hashes the plaintext password directly to get a ciphertext string, so it looks like the password is encrypted, but if the plaintext password is too simple, you can also find the original password by looking up the hash value of the password in a website’s massive database. Here’s one website :www.cmd5.com

For example, we now have a password in plain text: 594518655

Check the md5 value is: 5 bd8dd4f65205c5eb4dc9ded5f7a0cb6

We looked through the website:

It can be seen that the password obtained by md5 hash is still not secure enough

MD5 salt

We in clear text password above plus a fixed string then md5 encryption, this will improve the safety of certain cmd5 website also provides the corresponding salt search conditions are deduced password, after the test, salt too simple really can get the result, salt, the more complex the safety degree is higher, but once the fixed string known will be safe enough.

HMAC encryption scheme

HMAC is a key related Hash operation message authentication code. It is a method of message authentication based on Hash function and key. It uses a key used for encryption and performs two hashes. Take a look at the use of HMAC in the login system:

The registration process

1. When a user registers an account, the client first sends the userName to the server. The server determines whether the account has been registered according to userName.

2. The server returns the key value to the client

3. After receiving the key value, the client hashes the user password into a hash value using HMAC and sends the hash value together with the userName to the server. The server stores the userName, key, password hash value and other information.

The login process

  1. The client first sends the user name to the server to verify whether the user name exists and whether the current device (unique device IDENTIFIER) has the permission to log in to the account.

  2. The server checks whether the user name exists and whether the device has the login permission. If both exist, the server sends the key to the client. The client saves the key value and the user name locally for the next login.

  3. The client encrypts the user’s password into a hash using the key value HMAC, plus a timestamp (accurate to minutes) for time synchronization from the server, and then hashes the result to the server again reuslt = hash(HMAC + TIMESTAMP).

  4. The server obtains the result and compares the HMAC+ local timestamp in the database (error tolerance is 1 minute, the current minute may not match, or the request may be sent in x minutes and 59 seconds) with the data sent by the client. If the data is the same, the login succeeds

This improves security by ensuring that logon request data is limited to a single period of time at a time.

conclusion

Using HMAC to encrypt user passwords ensures the dynamic and timeliness of each login data and enhances the security of data transmission over the network.