 |  |  |  |  |  |  |  |
Best encyption methods?
Please support our PHP advertiser: PostgreSQL or MySQL? Compare and contrast the two most popular open source databases
 |
•
•
Join Date: Sep 2005
Posts: 1,075
Reputation: 
Solved Threads: 66
0
#41 29 Days Ago
•
•
•
•
Originally Posted by cwarn23 
That is true with any hashing function and that is what makes crc32 so good. It stores a large amount of data in minimum space with minimum recourses still with the concept. If however you are after uniqueness then all of the hash functions are no good and the following code will need to be used.
....
So truly a custom hash function is the ONLY way to prevent collisions and to have better security.
There is nothing wrong with SHA256, Whirlpool etc. are designed to be secure thus they should be used to hash passwords.
It would be very hard to develop a secure hashing algorithm. You'd have to be contributing a lot to security in order to develop a hashing algorithm that is better then the current ones.
As far as collisions go, it is impossible not to have but in practice they do not occur for a sufficiently large hash like those generated with whirlpool.
www.fijiwebdesign.com - web design and development and fun
Cpanel Email - Let users Register email accounts on your website upon registration
Ajax Chat - Fully browser based chat!
Cpanel Email - Let users Register email accounts on your website upon registration
Ajax Chat - Fully browser based chat!
•
•
Join Date: Sep 2007
Posts: 1,473
Reputation:
Solved Threads: 136
0
#42 29 Days Ago
•
•
•
•
There is nothing wrong with SHA256, Whirlpool etc. are designed to be secure thus they should be used to hash passwords.
Try not to bump 10 year old threads as it can be really annoying.
Like php then read my website at http://syntax.cwarn23.net/
Star-Trek-Atlantis - now that's what I call a movie ^_^
My favourite PC. - MacGyver Fan
Bad english note: dis-iz-2b4u
Like php then read my website at http://syntax.cwarn23.net/
Star-Trek-Atlantis - now that's what I call a movie ^_^
My favourite PC. - MacGyver Fan
Bad english note: dis-iz-2b4u
•
•
Join Date: Sep 2005
Posts: 1,075
Reputation:
Solved Threads: 66
0
#43 29 Days Ago
•
•
•
•
Originally Posted by cwarn23
Are you kidding, no hash is secure unless you hash the hash. If you type in "dehasher" in google my website comes up on the first page "global programming syntax" and with my website, sha1, crc23 and crc23b will have a reverse lookup to at least 4 digits. My database is being populated each day with millions of results and will upload the database late November. So currently the database is not publicly viewable but will be soon and I have plans to expand it to a monster database as I have made the database structure efficient for mysql query lookup. So with plans like mine, no hash is secure as long as it follows a standard format. That's why you hash the hash or use a custom hashing function.
You cannot save all the hashes from SHA256 or Whirlpool in a database, or even SHA1.
If you take SHA1 for example, which generates a 160 bit hash, then to store all the possible hashes would require about:
PHP Syntax (Toggle Plain Text)
or in PHP:
php Syntax (Toggle Plain Text)
(multiplied by 2 since the inputs will take up as much space as the hashes)
You can take away 7 decimal points (8*10^6) in order to get the number of gigs which is around 10^43 Gigs. (10 with 43 zeros)
So it isn't possible to save that amount in a MySQL database. Thus the need for rainbow tables.
If you do the same thing for SHA256 which produces a 256 bit hash like the name suggests then you have to save ~10^72 Gigs.
To add to the problem of storage, you cannot compute all the possible hashes on a single PC due to physical constraints. See: http://en.wikipedia.org/wiki/Brute_force_attack
under "Theoretical Limits".
Essentially computing all the possible hashes, is a brute force. (Even though you're saving to DB and doing lookups later, the generation of the DB is through brute force). Any hash function that produces more then 128bit hashes will require a considerable amount of parallelized computing to computing even part of the possible hashes. This is why rainbow tables only cover certain characters and not the full ASCII table. Usually a-zA-Z0-9 and a few special characters.
As an example.
•
•
•
•
The amount of time required to break a 128-bit key is also daunting. Each of the 2128 (340,282,366,920,938,463,463,374,607,431,768,211,456) possibilities must be checked. A device that could check a billion billion keys (1018) per second would still require about 1013 years to exhaust the key space. This is a thousand times longer than the age of the universe, which is about 13,000,000,000 (1.3×1010) years.
AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2128 times more computational power than a 128-bit key. A device that could check a billion billion (1018) AES keys per second would require about 3×1051 years to exhaust the 256-bit key space.
SHA256 is produces 256 bit hashes. So you can compare it to trying to brute force a 256 bit cipher key, which is not possible.
The attacks on hashes are based on problems with the way they are generated. For example, not using a salt, makes the input (the password) a very small range. Thus it will lie within the range covered by a rainbow table.
If a salt is used, but the salt is known to the attacker, then they can create a brute force attack, for which the running time will depend only on the complexity of the password, which is normally not complex.
So the main concern is how to hash passwords securely. I've already cited a few links to resources on the topic in my first post in the thread.
www.fijiwebdesign.com - web design and development and fun
Cpanel Email - Let users Register email accounts on your website upon registration
Ajax Chat - Fully browser based chat!
Cpanel Email - Let users Register email accounts on your website upon registration
Ajax Chat - Fully browser based chat!
•
•
Join Date: Sep 2007
Posts: 1,473
Reputation:
Solved Threads: 136
0
#44 28 Days Ago
Sure it may not be possible to store every combination as there are infinit possible hashes due to an infinit length that can be hashed (eg. pi). However, it is still possible to hash at least the first 5 digits and every word from the dictionary. I have a vps for all of this and I have encrypted the hashing data so that it only takes up half the space. I know you may say this is not possible but I am all about doing the impossible and usually I succeed. Also could you give me a reference about rainbow tables as they sound colorful and needed. Currently the technique I'm using is by having 3330 tables each storing a proportion of the data but discovered more would be needed.
Try not to bump 10 year old threads as it can be really annoying.
Like php then read my website at http://syntax.cwarn23.net/
Star-Trek-Atlantis - now that's what I call a movie ^_^
My favourite PC. - MacGyver Fan
Bad english note: dis-iz-2b4u
Like php then read my website at http://syntax.cwarn23.net/
Star-Trek-Atlantis - now that's what I call a movie ^_^
My favourite PC. - MacGyver Fan
Bad english note: dis-iz-2b4u
•
•
Join Date: Sep 2005
Posts: 1,075
Reputation:
Solved Threads: 66
0
#45 28 Days Ago
•
•
•
•
Originally Posted by cwarn23
Sure it may not be possible to store every combination as there are infinit possible hashes due to an infinit length that can be hashed (eg. pi). However, it is still possible to hash at least the first 5 digits and every word from the dictionary. I have a vps for all of this and I have encrypted the hashing data so that it only takes up half the space. I know you may say this is not possible but I am all about doing the impossible and usually I succeed. Also could you give me a reference about rainbow tables as they sound colorful and needed. Currently the technique I'm using is by having 3330 tables each storing a proportion of the data but discovered more would be needed.
You're right, you don't need to store all the hashes, such as what rainbow tables do
http://en.wikipedia.org/wiki/Rainbow_table
Or special hash indexes probably similar to your approach:
http://www.sha1-lookup.com/
http://tools.benramsey.com/md5/
http://gdataonline.com/seekhash.php
etc.
None of these (precomputation attacks) will work on a salted password as I mentioned before.
www.fijiwebdesign.com - web design and development and fun
Cpanel Email - Let users Register email accounts on your website upon registration
Ajax Chat - Fully browser based chat!
Cpanel Email - Let users Register email accounts on your website upon registration
Ajax Chat - Fully browser based chat!
•
•
Join Date: Apr 2009
Posts: 281
Reputation:
Solved Threads: 2
Posting Whiz in Training
1
#46 24 Days Ago
one time i made a password encryption with pure php it went like this:
$password = sha1($password);
$password = md5($password);
$password = ENCRYPTED!
$password = sha1($password);
$password = md5($password);
$password = ENCRYPTED!
•
•
Join Date: Sep 2007
Posts: 1,473
Reputation:
Solved Threads: 136
0
#47 24 Days Ago
•
•
•
•
Originally Posted by SKANK!!!!!
one time i made a password encryption with pure php it went like this:
$password = sha1($password);
$password = md5($password);
$password = ENCRYPTED!
But other than that, great way of explaining what I was talking about earlier on. Try not to bump 10 year old threads as it can be really annoying.
Like php then read my website at http://syntax.cwarn23.net/
Star-Trek-Atlantis - now that's what I call a movie ^_^
My favourite PC. - MacGyver Fan
Bad english note: dis-iz-2b4u
Like php then read my website at http://syntax.cwarn23.net/
Star-Trek-Atlantis - now that's what I call a movie ^_^
My favourite PC. - MacGyver Fan
Bad english note: dis-iz-2b4u
•
•
Join Date: Apr 2009
Posts: 281
Reputation:
Solved Threads: 2
Posting Whiz in Training
0
#48 24 Days Ago
im pretty sure that is ok o use just sha1 being its a forty char long encryption.
•
•
Join Date: Nov 2009
Posts: 22
Reputation:
Solved Threads: 4
Newbie Poster
0
#49 24 Days Ago
An awesome thread 
Some amazing bits of advise here.
I guess it depends on the application. For basic login systems which don't protect sensitive data, something like a double-hashed randomly salted string (with sha1()) will work fine.
Some amazing bits of advise here.I guess it depends on the application. For basic login systems which don't protect sensitive data, something like a double-hashed randomly salted string (with sha1()) will work fine.
Devoted Hosting
High Quality Shared And Reseller Hosting
cPanel, 24/7 support, 99.9% uptime guaranteed
High Quality Shared And Reseller Hosting
cPanel, 24/7 support, 99.9% uptime guaranteed
•
•
Join Date: Apr 2009
Posts: 281
Reputation:
Solved Threads: 2
Posting Whiz in Training
0
#50 24 Days Ago
i dont understand how to do randomly salted.
|
Other Threads in the PHP Forum
- Previous Thread: Upcoming Events script (Free or Commercial)...?
- Next Thread: div tag + iframe
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest PHP Posts
- Today's Posts
- Unanswered Threads
apache api array beginner binary body broken buttons cakephp checkbox class cms code cron curl database date date/time display dynamic ebooks echo email error file files folder form forms function functions global google href htaccess html image include insert ip javascript joomla limit link list login mail mediawiki menu mlm msqli_multi_query multiple mycodeisbad mysql number oop parameter paypal pdf php phpincludeissue phpmyadmin problem query radio random recursion regex remote script search seo server sessions sms source sp space speed sql static subdomain syntax system table tag tutorial update upload url validator variable vbulletin video web webdesign white wordpress xml youtube
