DaniWeb Forum Index > Web Development > PHP

Best encyption methods?

Please support our PHP advertiser: PostgreSQL or MySQL? Compare and contrast the two most popular open source databases

« First

Last »

•

Join Date: Jul 2008

Posts: 149

Reputation: mschroeder is on a distinguished road

Solved Threads: 25

mschroeder mschroeder is offline

Offline

Junior Poster

Re: Best encyption methods?

#21

Feb 25th, 2009

hashing and encryption are two different things.
hashes like MD5, SHA1, Whirlpool etc. are one way. There *should* NOT be a way to reverse them.

Encryption however is two way. you can encrypt a string and when decrypted returns the same string.

For hashes I agree with cwarn in the use of whirlpool, but i would have to argue that salting the string to be hashed prior to running it through whirlpool, would be just as strong as double hashing the string, but would require less cpu work. You could also make it infinitely harder by generating a random salt for every password and then storing the salt along with the hashed string in the database.

If the op is interested in encryption I would suggest taking a look at this post in the php documentation using the mcrypt library. http://us2.php.net/manual/en/functio...pt-encrypt.php

There are also a few different mysql methods for dealing with encryption:
aes_encrypt/aes_decrypt
encode/decode
des_decrypt/des_encrypt

I've worked on projects where for example, passwords needed to be hashed to prevent their snooping by people with access to the database, and also where passwords needed to be encrypted so that support staff could view the password if the user had forgotten it, without having to reset it to a random string or a default password.

Last edited by mschroeder; Feb 25th, 2009 at 10:17 am. Reason: wrong url to php documentation

If you're question/problem is solved don't forget to mark the thread as Solved!

-- Code I post is usually but not always tested. If it is tested it will be against 5.2.12 or 5.3.1

•

Join Date: Dec 2007

Posts: 624

Reputation: OmniX is an unknown quantity at this point

Solved Threads: 10

OmniX

Offline

Practically a Master Poster

Re: Best encyption methods?

#22

Feb 25th, 2009

Salting a password just means inserting a random string in with the password to get a more random hashed?

With the 'whirlpool' string it could just as well as been 'torando' or 'sandstorm' its all customizable depending on the user's preference or are they keyword functions? (as I see whirlpool and crn32 coming up a few times)

"You never stop learning." - OmniX

•

Join Date: Jul 2008

Posts: 149

Reputation: mschroeder is on a distinguished road

Solved Threads: 25

mschroeder mschroeder is offline

Offline

Junior Poster

Re: Best encyption methods?

#23

Feb 25th, 2009

The hash function is a function that allows you to utilize numerous kinds of algorithms. if you run print_r(hash_algos()); it will give you an array of the hash algorithms available on your system. Whirlpool is just one type of hash, like MD5, SHA1 and CRN32

A salt is basically adding a random string(s) to whatever you are encrypting or hashing:

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
<?php
 
$sSalt = '8*S&AsEc4qUs';
$sHash = hash( 'whirlpool', $sString . $sSalt );
 
echo $sHash;
<?php

$sSalt = '8*S&AsEc4qUs';
$sHash = hash( 'whirlpool', $sString . $sSalt );

echo $sHash;

so if the user decided to make their password "password" the hashed password would actually be for the value of "password8*S&AsEc4qUs" which would prevent someone from using a hash lookup database as it ensures that the users password has some form of complexity to it. This is assuming that someone was looking at the actual hash stored in the database and not trying to forge logins from a from.

I *believe* phpBB3 uses the random salt for every password option i mentioned in my previous post. It would be something like this:

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
<?php
 
function getSalt( $iLength = 10 )
{
	$sPossible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-+=[]{}|';
	$iPossibleCount = strlen( $sPossible );
 
	$sSalt = '';
	for( $i=0; $i<$iLength; $i++ )
	{
		$sSalt .= $sPossible[mt_rand(0, $iPossibleCount)];
	}
 
	return $sSalt;
}
 
$sPassword  = 'password';
$sSalt = getSalt();
 
$sHash = hash('whirlpool', $sPassword . $sSalt );
 
//Store  $sHash and $sSalt in the database.
<?php

function getSalt( $iLength = 10 )
{
	$sPossible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-+=[]{}|';
	$iPossibleCount = strlen( $sPossible );
	
	$sSalt = '';
	for( $i=0; $i<$iLength; $i++ )
	{
		$sSalt .= $sPossible[mt_rand(0, $iPossibleCount)];
	}
	
	return $sSalt;
}

$sPassword  = 'password';
$sSalt = getSalt();

$sHash = hash('whirlpool', $sPassword . $sSalt );

//Store  $sHash and $sSalt in the database.

Although I imagine when you get into generating random salts, you are going to be just as comparable to double hashing the same string, in terms of cpu usage and at some point you start to cross the line of security by obscurity.

Last edited by mschroeder; Feb 25th, 2009 at 11:43 am.

If you're question/problem is solved don't forget to mark the thread as Solved!

-- Code I post is usually but not always tested. If it is tested it will be against 5.2.12 or 5.3.1

•

Join Date: Dec 2007

Posts: 624

Reputation: OmniX is an unknown quantity at this point

Solved Threads: 10

OmniX

Offline

Practically a Master Poster

Re: Best encyption methods?

#24

Feb 25th, 2009

Thankyou for the Informative Post that explains in detail the hash algorithm.
I can go run off that check for the list of algorithms and work off that.
Thanks, Regards X

"You never stop learning." - OmniX

•

Join Date: Apr 2005

Posts: 1,426

Reputation: ShawnCplus is a glorious beacon of light

Solved Threads: 231

ShawnCplus ShawnCplus is offline

Offline

Code Monkey

Re: Best encyption methods?

#25

Feb 25th, 2009

Careful about misleading people. A hash is not encryption. There is no way to decrypt a hash. There is also no such thing as a "dehasher", the only way to "reverse" a hash is to create huge libraries (called rainbow tables) of pre-created hashes and check against them. MD5, SHA1/256/etc are hashes, Vigenere, WEP, etc. are encryption.

GCS d- s+ a-->? C++(++++) UL+++ P+>+++ L+++ E--- W+++
N+ o K w++(---) O? !M- V PS+>++ PE+ Y+ PGP !t- 5? X- R tv+
b+>++ DI+ D G++>+++ e+ h+>++ r y+
PMs asking for help will not be answered, post on the forums. That's what they're there for.

•

Join Date: Dec 2007

Posts: 624

Reputation: OmniX is an unknown quantity at this point

Solved Threads: 10

OmniX

Offline

Practically a Master Poster

Re: Best encyption methods?

#26

Feb 25th, 2009

I am assuming for security, hashing is better than encryption as it is one way where encryption is two way?

Encryption I know how it works normally, not sure if its the same in the php world.

A 'user A' 'encrypts' a password with a key then sends the key and password seperatly to the 'user B' then the user uses the key to decrypt the password?
This how encryption works in php?

"You never stop learning." - OmniX

•

Join Date: Jul 2008

Posts: 149

Reputation: mschroeder is on a distinguished road

Solved Threads: 25

mschroeder mschroeder is offline

Offline

Junior Poster

Re: Best encyption methods?

#27

Feb 25th, 2009

They're two different things that both have different purposes. as I indicated in my first post and as ShawnC again emphasized, encryption and hashing are two different things. You can't compare them on a security level.

If you're question/problem is solved don't forget to mark the thread as Solved!

-- Code I post is usually but not always tested. If it is tested it will be against 5.2.12 or 5.3.1

•

Join Date: Dec 2007

Posts: 624

Reputation: OmniX is an unknown quantity at this point

Solved Threads: 10

OmniX

Offline

Practically a Master Poster

Re: Best encyption methods?

#28

Feb 26th, 2009

I just ran [print_r(hash_algos());]
Now I understand the crc32b, whirlpool,etc but is there like a breakdown table anyone has a link to that lists the character length produced, time to hashed, etc?

Thanks, Regards X

"You never stop learning." - OmniX

•

Join Date: Jul 2008

Posts: 149

Reputation: mschroeder is on a distinguished road

Solved Threads: 25

mschroeder mschroeder is offline

Offline

Junior Poster

Re: Best encyption methods?

#29

Feb 26th, 2009

the registered number of algorithms will vary by system, although in my experience most of them are commonly available. As far as execution time, that would vary drastically depending on the type of hardware your site/system is hosted on.

I would suggest running a quick benchmark on the hash_algos() output.

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
<?php
 
$aAlgos = hash_algos();
$sStringToHash = 'This is a test string';
$sSaltString = 'This is the salt';
 
foreach( $aAlgos as $sAlgoName)
{
	echo 'Algorithm: ' . $sAlgoName . '<br />';
 
	$iStart = microtime(true); //Only valid with PHP5
	$sHashed = hash( $sAlgoName, $sStringToHash . $sSaltString );
	$iEnd = microtime(true);
 
 
	echo 'String Length: ' . strlen( $sHashed ) . '<br />';
	echo 'Hash: ' . $sHashed . '<br />';
	echo 'Total Hashing Time: ' . number_format( ($iEnd - $iStart), 8) . ' seconds';
	echo '<hr />';
 
}
<?php

$aAlgos = hash_algos();
$sStringToHash = 'This is a test string';
$sSaltString = 'This is the salt';

foreach( $aAlgos as $sAlgoName)
{
	echo 'Algorithm: ' . $sAlgoName . '<br />';
	
	$iStart = microtime(true); //Only valid with PHP5
	$sHashed = hash( $sAlgoName, $sStringToHash . $sSaltString );
	$iEnd = microtime(true);
	
	
	echo 'String Length: ' . strlen( $sHashed ) . '<br />';
	echo 'Hash: ' . $sHashed . '<br />';
	echo 'Total Hashing Time: ' . number_format( ($iEnd - $iStart), 8) . ' seconds';
	echo '<hr />';

}

It is crude but should give you a fairly accurate idea of how long its taking your system to run a single hash. I'm not certain if there are other factors that would skew this benchmark or not as I'm not familiar with the internals behind the hash() function.

Last edited by mschroeder; Feb 26th, 2009 at 12:55 am.

If you're question/problem is solved don't forget to mark the thread as Solved!

-- Code I post is usually but not always tested. If it is tested it will be against 5.2.12 or 5.3.1

•

Join Date: Sep 2007

Posts: 1,538

Reputation: cwarn23 has a spectacular aura about

Solved Threads: 137

cwarn23

Offline

Posting Virtuoso

Re: Best encyption methods?

#30

Feb 26th, 2009

•

Originally Posted by mschroeder

The hash function is a function that allows you to utilize numerous kinds of algorithms. if you run print_r(hash_algos()); it will give you an array of the hash algorithms available on your system. Whirlpool is just one type of hash, like MD5, SHA1 and CRN32

A salt is basically adding a random string(s) to whatever you are encrypting or hashing:
Help with Code Tags

php Syntax (Toggle Plain Text)
<?php
 
$sSalt = '8*S&AsEc4qUs';
$sHash = hash( 'whirlpool', $sString . $sSalt );
 
echo $sHash;
<?php $sSalt = '8*S&AsEc4qUs'; $sHash = hash( 'whirlpool', $sString . $sSalt ); echo $sHash;
so if the user decided to make their password "password" the hashed password would actually be for the value of "password8*S&AsEc4qUs" which would prevent someone from using a hash lookup database as it ensures that the users password has some form of complexity to it. This is assuming that someone was looking at the actual hash stored in the database and not trying to forge logins from a from.

I *believe* phpBB3 uses the random salt for every password option i mentioned in my previous post. It would be something like this:
Help with Code Tags

php Syntax (Toggle Plain Text)
<?php
 
function getSalt( $iLength = 10 )
{
	$sPossible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-+=[]{}|';
	$iPossibleCount = strlen( $sPossible );
 
	$sSalt = '';
	for( $i=0; $i<$iLength; $i++ )
	{
		$sSalt .= $sPossible[mt_rand(0, $iPossibleCount)];
	}
 
	return $sSalt;
}
 
$sPassword  = 'password';
$sSalt = getSalt();
 
$sHash = hash('whirlpool', $sPassword . $sSalt );
 
//Store  $sHash and $sSalt in the database.
<?php function getSalt( $iLength = 10 ) { $sPossible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-+=[]{}|'; $iPossibleCount = strlen( $sPossible ); $sSalt = ''; for( $i=0; $i<$iLength; $i++ ) { $sSalt .= $sPossible[mt_rand(0, $iPossibleCount)]; } return $sSalt; } $sPassword = 'password'; $sSalt = getSalt(); $sHash = hash('whirlpool', $sPassword . $sSalt ); //Store $sHash and $sSalt in the database.
Although I imagine when you get into generating random salts, you are going to be just as comparable to double hashing the same string, in terms of cpu usage and at some point you start to cross the line of security by obscurity.

If you really want a salt before or after the hash then one of the following functions might suit you:

 Help with Code Tags 
 PHP Syntax (Toggle Plain Text) 
function salthash($hashzzz) {
return hash('crc32b',hash('whirlpool','asdf'.$hashzzz.'jklh'));
}
 
== or if really worried ==
function salthash($hashzzz) {
return hash('crc32b',hash('whirlpool',hash('crc32b',$hashzzz).$hashzzz.'jklh'));
}
 
== or if really worried and want another idea==
function salthash($hashzzz) {
return hash('crc32b',hash('whirlpool',strlen($hashzzz).'18'.$hashzzz.'jklh'));
}
 
==or if really worried and want yet another idea==
function salthash($hashzzz) {
$varzzz=4*strlen($hashzzz);
return hash('crc32b',hash('whirlpool','6'.$varzzz.'18'.$hashzzz.'jklh'));
}
function salthash($hashzzz) {
return hash('crc32b',hash('whirlpool','asdf'.$hashzzz.'jklh'));
}

== or if really worried ==
function salthash($hashzzz) {
return hash('crc32b',hash('whirlpool',hash('crc32b',$hashzzz).$hashzzz.'jklh'));
}

== or if really worried and want another idea==
function salthash($hashzzz) {
return hash('crc32b',hash('whirlpool',strlen($hashzzz).'18'.$hashzzz.'jklh'));
}

==or if really worried and want yet another idea==
function salthash($hashzzz) {
$varzzz=4*strlen($hashzzz);
return hash('crc32b',hash('whirlpool','6'.$varzzz.'18'.$hashzzz.'jklh'));
}

And if you think the crackers are really good you could even make your own type of hash with regex. So there are plenty of ideas out there. And the above are just a few easy examples. Tonight I might try and test some of the scripts on this topic to see what is the fastest. Maybe we could have a competition of the most secure and fastest hash mechinism.

Try not to bump 10 year old threads as it can be really annoying.
http://syntax.cwarn23.net/
Smilies: ^_* +_+ v_v -_- *~*`
My favourite PC. - Oopy Doopy Do 2U2!