Hacking Book | Free Online Hacking Learning


design the correct posture of safe account system

Posted by forbes at 2020-02-27


Recently, there is a virtual practice project, which involves the design of system security, so I have made a deeper understanding of security. I found many interesting things and broadened my horizon. I checked some information in the middle, so I plan to reorganize it, and say how to design a safe system in a more gradual way that everyone can understand.

Famous security incidents

First of all, let's take a look at the well-known event of password disclosure after the database crash in recent years:

In addition to password disclosure events, data is also physically deleted:

In May 2015, Ctrip and app were paralyzed, and the database was physically deleted and the suspected resigned employees retaliated.

So many large companies and websites have been attacked to disclose user information, let alone other small websites. These attacks can be prevented technically, but we can see that even large companies are so weak in terms of security.

Prevention method

The method of prevention is simply to say that the data should be kept in the right posture from the moment when the user's keyboard is knocked out to the background storage of the server. For example:

Save the password in the right posture

This step is very important and complicated. The user enters the password in the browser and transmits it to the server for verification. The server compares the previously saved password information with the user's input.

1. Low level error: save password in clear text

The lowest security is to save the user's password in plaintext on the server side. Once the server is invaded, the data is dragged away (dragged Library), and the passwords of all users are directly exposed. This is the first step and there is no security. If you register an account in a website or forum, the website will automatically send an email to tell you that the registration is successful, in which your password is clearly written, change the password quickly and then do not visit the website again.

2. Low level error: reversible encryption password

Since you can't save the password in clear text, it's encrypted. Play a little smart, for example, save the letters of the password backwards, or save one letter after each letter, or conduct exclusive or confusing processing. On the surface, the password can't seem to see what the original password is, but in fact, it's not fundamentally different from the password saved in plain text, because since hackers can invade your server, they can naturally get your encryption code, As long as you simply decrypt according to your algorithm, you can get the original password.

3. Error method: MD5 encryption password

When I was a beginner, I was told that I could not save the password in the first two ways. At that time, the mainstream method was to use MD5 encryption password. (it's a long time ago. It's not mainstream now.) MD5 is an irreversible encryption method, that is, the original password cannot be decrypted after the password is encrypted by MD5. The way to verify whether the password is correct is to compare the results of MD5 secret stored in the database after the password MD5 is encrypted by the user. In this way, the server can also verify the user password without knowing the real user password.

This is the early mainstream practice, however, it is still very unsafe. Because as long as we enumerate all short passwords for MD5 encryption and make an index table, we can easily reverse the original password. The pre calculated table used to reverse the cryptographic hash function is the rainbow table. With the "rainbow table" growing, MD5 encryption has become very insecure. In October 2015, the password disclosure of Netease email was also suspected to only encrypt the password with MD5.

4. Correct method: add salt hash to save password

Adding salt hash refers to not only hashing the password, but also adjusting the oil and vinegar, adding salt and then encrypting the password. On the one hand, because of the salt you put, it makes the password longer and stronger, and the rainbow table is more difficult to reverse. Because of the salt you put, it makes hackers have more computation and more difficult to crack.

How to add salt is a very important knowledge. MD5 is a hash algorithm. Let's take MD5 as an example. If the password is 123456, the result of MD5 is as follows:

A simple password like 123456 is easy to reverse. But if we add some salt to the simple code, try:

In the above example, 0dvk is the salt we added. After the addition, the strength of the password is higher, and the difficulty of the rainbow table cracking is increased. Or add salt twice to MD5:


At this point, you will have a question whether it is safer to make MD5 several times or customize some combination methods. In fact, no, since hackers can get the data in the database, they are likely to get your code.

A robust and unbreakable system should be:

Even if the data and all the code are taken away, there is no way to crack the data inside.

This is why we don't need to implement our own encryption algorithm, but use public encryption algorithms, such as RSA, AES, DES, etc. Since there is no guarantee that the encrypted code will not be disclosed, use the public encryption algorithm. As long as you protect the private key information, even if you know my encryption method, it will not help.

In most cases, MD5 (password) + salt encryption is basically OK:

Where is salt coming from? How to set up salt for security. There are several important points:

Since the client also needs to execute salt hash, salt cannot be written directly on the client, but should be obtained dynamically from the server. When the server generates a random salt, it must use a safe random function to prevent the random number from being predicted.

Random functions for language safety:

Even if the salt value is dynamically obtained from the server, it may also be intercepted by the intermediary. At the same time, the process of adding salt hash to the client is quite exposed. A more secure approach is that the client uses JavaScript to add salt hash. After the result is sent to the server, the server adds salt hash or encrypts hash (such as HMAC) to the result again, and then compares it with the result of the database.

加盐 hash 加密 hash

If a higher level of safety is required, consider:

1. Use more secure hash functions to resist collision attacks, such as sha256, SHA512, ripemd, whirlpool.

The results of two different content hashes may be the same. The attacker uses other passwords for collision attack to log in the system without knowing the real password. Using a more secure hash function can reduce this.

2. A CPU intensive hash algorithm can be used to combat brute force cracking, such as pbkdf2 or bcrypt.

Brute force is to enumerate all possible passwords for verification. Using a large number of CPU consuming hash algorithm can greatly increase the time of brute force.

3. When comparing the results of MD5 with salt, the comparison function with constant time is used.

When comparing two strings, they are usually compared one character at a time. If a character does not match, it will be returned immediately. The attacker can judge whether the first few characters are correct according to the length of validation, and then gradually correct them to get the correct result.

Therefore, when comparing hashes, using a constant time comparison function can confuse the attacker. For example, the following code:

private static boolean slowEquals(byte[] a, byte[] b) { int diff = a.length ^ b.length; for(int i = 0; i < a.length && i < b.length; i++) diff |= a[i] ^ b[i]; return diff == 0; }

Exclusive or (^) operation can be used to determine whether two characters are equal, for example:

0 XOR 0 = 0 1 XOR 1 = 0 0 XOR 1 = 1 1 XOR 0 = 1

The above function enumerates each character for exclusive or judgment, and then takes or calculates all the results to get the final result. The comparison time is constant.

4. The value of salt should not exist in the same database as the final hash result.

SQL injection is a common means of attack, after being injected, the data in the database is exposed. Therefore, the salt should be stored separately and stored in the database of other machines, so that the attacker can't get the salt and can't easily crack the information.

5. The final stored results use key based hash functions, such as HMAC. Key is obtained from exclusive services with high external security.

With this layer of reinforcement, even if the data is dragged to the database, the attacker cannot push back the original password from the hash result. Because the encrypted hash function is used. When the key based hash function only performs hash operation, it needs to pass in a key in addition to the original content. It is almost impossible for an attacker to decrypt the data without a key.

The key can be stored in the general key management system with high security. The key can be transmitted using encryption protocol to verify the visitors. Only specific machines are allowed to access.

Transfer data with correct posture

When using HTTP protocol to transmit data, the data is transmitted in clear text. The data may be hijacked or tampered from sending to receiving by the server. For example, common DNS hijacking, HTTP hijacking, man in the middle attack.

The purpose of data transmission with correct posture is to ensure the safety of data transmission, which can be simply summarized into two points:

1. Verify the validity of the server

Public key encryption and digital signature technology are mentioned in the book "nine algorithms to change the future", which is the basic technical guarantee for secure communication. This involves encryption technology. First, understand two basic concepts:

Asymmetric encryption is the foundation to verify the validity of the server. RSA and ECC are the common encryption algorithms. The server generates a pair of public key and private key. The public key is known to all. When the client needs to communicate with the server, the public key is used for data encryption. Because only the real and legal server has the corresponding private key, and only the real server can decrypt the information. When the data is returned to the client, the public key generated by the client is used for data encryption Encryption, so that the data can only be understood by the corresponding client.

When using HTTPS, the digital certificate contains the name and public key information. As long as the certificate is legal and the other party can understand the information encrypted by the public key, it can be determined to be a legal server.

2. Ensure the safety of communication

Since the use of asymmetric encryption can ensure the secure communication between the two sides, is it OK to use asymmetric encryption to transmit data all the time? Theoretically, it is possible, but the efficiency of asymmetric encryption is much lower than that of symmetric encryption. The common way is to negotiate a symmetric encryption key that only two sides know through asymmetric encryption.

Even in the insecure communication environment, we can negotiate a symmetric encryption key that only two sides know. In the book "nine algorithms to change the future", there is a classic example of how to exchange keys (in the case that all communication is transparent, how to negotiate a pigment color that only you and Arnold know) :

Ecdh is a key exchange algorithm designed based on the above principle:

After the key is negotiated, both parties can use the key for encrypted transmission, such as AES and des.

Because the ecdh key exchange protocol does not verify the identity of the public key sender, it cannot prevent the man in the middle attack. If the listener Mallory intercepts Alice's public key, he can replace it with his own and send it to Bob. Mallory can also intercept Bob's public key, replace it with his own, and send it to Alice. In this way, Mallory can easily decrypt any message sent between Alice and Bob. He can change the message, re encrypt it with his own key, and send it to the receiver.

The solution is that Alice and Bob can sign the public key with a digital signature before exchanging the public key.

Even if the attacker cannot decrypt the transferred content, replay attacks can be used to attempt authentication or to spoof the system. Replay attack means that the attacker intercepts the packet and sends it again to the target host.

The main methods of defending replay attack are as follows:

HTTPS just uses the above principle to ensure the security of communication. Therefore, any system with security requirements should use HTTPS. If it is developed using its own protocol, such as app or game, the above methods should be used to ensure the security of communication.

Encrypt sensitive information with correct posture

As we all know, the user's password cannot be saved in clear text, and the irreversible encryption algorithm should be used. Only the final hash result is saved to verify whether it is correct. What about other sensitive information of users? Such as ID card, bank card, credit card and other information, how to encrypt and save without being disclosed?

For the ID card information, you can only save the hash results like a password, which can be used for the user to enter the ID card number for verification. If need to show ID card information to user, need to save to erase only a few digit ID card number.

If your system involves payment, the user 's bank card, credit card (card number, CVV code) and other information must follow the PCI DSS (data security standards for the third party payment industry) standard. PCI DSS is developed by the founding members of PCI Security Standards Committee (visa, MasterCard, American Express, discover financial services, JCB, etc.), striving to adopt consistent data security measures internationally, including security management, policy, process, network architecture, list of software design requirements, etc., so as to comprehensively guarantee transaction security.

If it is only a bank card, it also needs to follow the ADSS (account information security management standard of UnionPay card acquirer).

In March 2014, Ctrip disclosed the user's bank card information because it did not comply with PCI DSS standards.

Backup and monitor data with correct posture

In May 2015, Ctrip data was deleted, which is an example of data backup not done well. Data backup is to prevent data loss due to hard disk damage or human damage. The main measures are: disk raid, physical backup (Tape Library), remote logical backup. At the same time, the authority control shall be done well, and the visit records shall be monitored, problems shall be found in time, and on-site evidence shall be retained.


This paper summarizes the basic principles and methods of designing a security system, and does not give a specific scheme. Because different systems have different requirements for security, designers should design according to the characteristics of their own systems. For example, the specific implementation method of salt addition hash, how to construct salt value, etc.

If there are any inaccuracies or controversies in the contents of this article, please point out.


Common encryption algorithms:

Difference between DES, 3DES and AES:

Reference articles