 |  |  |  |  |  |  |  |
Best encyption methods?
Please support our PHP advertiser: PostgreSQL or MySQL? Compare and contrast the two most popular open source databases
 |
hashing and encryption are two different things.
hashes like MD5, SHA1, Whirlpool etc. are one way. There *should* NOT be a way to reverse them.
Encryption however is two way. you can encrypt a string and when decrypted returns the same string.
For hashes I agree with cwarn in the use of whirlpool, but i would have to argue that salting the string to be hashed prior to running it through whirlpool, would be just as strong as double hashing the string, but would require less cpu work. You could also make it infinitely harder by generating a random salt for every password and then storing the salt along with the hashed string in the database.
If the op is interested in encryption I would suggest taking a look at this post in the php documentation using the mcrypt library. http://us2.php.net/manual/en/functio...pt-encrypt.php
There are also a few different mysql methods for dealing with encryption:
aes_encrypt/aes_decrypt
encode/decode
des_decrypt/des_encrypt
I've worked on projects where for example, passwords needed to be hashed to prevent their snooping by people with access to the database, and also where passwords needed to be encrypted so that support staff could view the password if the user had forgotten it, without having to reset it to a random string or a default password.
hashes like MD5, SHA1, Whirlpool etc. are one way. There *should* NOT be a way to reverse them.
Encryption however is two way. you can encrypt a string and when decrypted returns the same string.
For hashes I agree with cwarn in the use of whirlpool, but i would have to argue that salting the string to be hashed prior to running it through whirlpool, would be just as strong as double hashing the string, but would require less cpu work. You could also make it infinitely harder by generating a random salt for every password and then storing the salt along with the hashed string in the database.
If the op is interested in encryption I would suggest taking a look at this post in the php documentation using the mcrypt library. http://us2.php.net/manual/en/functio...pt-encrypt.php
There are also a few different mysql methods for dealing with encryption:
aes_encrypt/aes_decrypt
encode/decode
des_decrypt/des_encrypt
I've worked on projects where for example, passwords needed to be hashed to prevent their snooping by people with access to the database, and also where passwords needed to be encrypted so that support staff could view the password if the user had forgotten it, without having to reset it to a random string or a default password.
Last edited by mschroeder; Feb 25th, 2009 at 10:17 am. Reason: wrong url to php documentation
If you're question/problem is solved don't forget to mark the thread as Solved!
-- Code I post is usually but not always tested. If it is tested it will be against 5.2.11 or 5.3.0
-- Code I post is usually but not always tested. If it is tested it will be against 5.2.11 or 5.3.0
•
•
Join Date: Dec 2007
Posts: 608
Reputation: 
Solved Threads: 8
Practically a Master Poster
Salting a password just means inserting a random string in with the password to get a more random hashed?
With the 'whirlpool' string it could just as well as been 'torando' or 'sandstorm' its all customizable depending on the user's preference or are they keyword functions? (as I see whirlpool and crn32 coming up a few times)
With the 'whirlpool' string it could just as well as been 'torando' or 'sandstorm' its all customizable depending on the user's preference or are they keyword functions? (as I see whirlpool and crn32 coming up a few times)
"You never stop learning." - OmniX
The hash function is a function that allows you to utilize numerous kinds of algorithms. if you run
A salt is basically adding a random string(s) to whatever you are encrypting or hashing:
so if the user decided to make their password "password" the hashed password would actually be for the value of "password8*S&AsEc4qUs" which would prevent someone from using a hash lookup database as it ensures that the users password has some form of complexity to it. This is assuming that someone was looking at the actual hash stored in the database and not trying to forge logins from a from.
I *believe* phpBB3 uses the random salt for every password option i mentioned in my previous post. It would be something like this:
Although I imagine when you get into generating random salts, you are going to be just as comparable to double hashing the same string, in terms of cpu usage and at some point you start to cross the line of security by obscurity.
print_r(hash_algos()); it will give you an array of the hash algorithms available on your system. Whirlpool is just one type of hash, like MD5, SHA1 and CRN32A salt is basically adding a random string(s) to whatever you are encrypting or hashing:
php Syntax (Toggle Plain Text)
so if the user decided to make their password "password" the hashed password would actually be for the value of "password8*S&AsEc4qUs" which would prevent someone from using a hash lookup database as it ensures that the users password has some form of complexity to it. This is assuming that someone was looking at the actual hash stored in the database and not trying to forge logins from a from.
I *believe* phpBB3 uses the random salt for every password option i mentioned in my previous post. It would be something like this:
php Syntax (Toggle Plain Text)
Although I imagine when you get into generating random salts, you are going to be just as comparable to double hashing the same string, in terms of cpu usage and at some point you start to cross the line of security by obscurity.
Last edited by mschroeder; Feb 25th, 2009 at 11:43 am.
If you're question/problem is solved don't forget to mark the thread as Solved!
-- Code I post is usually but not always tested. If it is tested it will be against 5.2.11 or 5.3.0
-- Code I post is usually but not always tested. If it is tested it will be against 5.2.11 or 5.3.0
•
•
Join Date: Dec 2007
Posts: 608
Reputation:
Solved Threads: 8
Practically a Master Poster
Thankyou for the Informative Post that explains in detail the hash algorithm.
I can go run off that check for the list of algorithms and work off that.
Thanks, Regards X
I can go run off that check for the list of algorithms and work off that.
Thanks, Regards X
"You never stop learning." - OmniX
Careful about misleading people. A hash is not encryption. There is no way to decrypt a hash. There is also no such thing as a "dehasher", the only way to "reverse" a hash is to create huge libraries (called rainbow tables) of pre-created hashes and check against them. MD5, SHA1/256/etc are hashes, Vigenere, WEP, etc. are encryption.
GCS d- s+ a-->? C++(++++) UL+++ P+>+++ L+++ E--- W+++
N+ o K w++(---) O? !M- V PS+>++ PE+ Y+ PGP !t- 5? X- R tv+
b+>++ DI+ D G++>+++ e+ h+>++ r y+
PMs asking for help will not be answered, post on the forums. That's what they're there for.
N+ o K w++(---) O? !M- V PS+>++ PE+ Y+ PGP !t- 5? X- R tv+
b+>++ DI+ D G++>+++ e+ h+>++ r y+
PMs asking for help will not be answered, post on the forums. That's what they're there for.
•
•
Join Date: Dec 2007
Posts: 608
Reputation:
Solved Threads: 8
Practically a Master Poster
I am assuming for security, hashing is better than encryption as it is one way where encryption is two way?
Encryption I know how it works normally, not sure if its the same in the php world.
A 'user A' 'encrypts' a password with a key then sends the key and password seperatly to the 'user B' then the user uses the key to decrypt the password?
This how encryption works in php?
Encryption I know how it works normally, not sure if its the same in the php world.
A 'user A' 'encrypts' a password with a key then sends the key and password seperatly to the 'user B' then the user uses the key to decrypt the password?
This how encryption works in php?
"You never stop learning." - OmniX
They're two different things that both have different purposes. as I indicated in my first post and as ShawnC again emphasized, encryption and hashing are two different things. You can't compare them on a security level.
If you're question/problem is solved don't forget to mark the thread as Solved!
-- Code I post is usually but not always tested. If it is tested it will be against 5.2.11 or 5.3.0
-- Code I post is usually but not always tested. If it is tested it will be against 5.2.11 or 5.3.0
•
•
Join Date: Dec 2007
Posts: 608
Reputation:
Solved Threads: 8
Practically a Master Poster
I just ran [print_r(hash_algos());]
Now I understand the crc32b, whirlpool,etc but is there like a breakdown table anyone has a link to that lists the character length produced, time to hashed, etc?
Thanks, Regards X
Now I understand the crc32b, whirlpool,etc but is there like a breakdown table anyone has a link to that lists the character length produced, time to hashed, etc?
Thanks, Regards X
"You never stop learning." - OmniX
the registered number of algorithms will vary by system, although in my experience most of them are commonly available. As far as execution time, that would vary drastically depending on the type of hardware your site/system is hosted on.
I would suggest running a quick benchmark on the hash_algos() output.
It is crude but should give you a fairly accurate idea of how long its taking your system to run a single hash. I'm not certain if there are other factors that would skew this benchmark or not as I'm not familiar with the internals behind the hash() function.
I would suggest running a quick benchmark on the hash_algos() output.
php Syntax (Toggle Plain Text)
It is crude but should give you a fairly accurate idea of how long its taking your system to run a single hash. I'm not certain if there are other factors that would skew this benchmark or not as I'm not familiar with the internals behind the hash() function.
Last edited by mschroeder; Feb 26th, 2009 at 12:55 am.
If you're question/problem is solved don't forget to mark the thread as Solved!
-- Code I post is usually but not always tested. If it is tested it will be against 5.2.11 or 5.3.0
-- Code I post is usually but not always tested. If it is tested it will be against 5.2.11 or 5.3.0
•
•
Join Date: Sep 2007
Posts: 1,440
Reputation:
Solved Threads: 135
•
•
•
•
Originally Posted by mschroeder 
The hash function is a function that allows you to utilize numerous kinds of algorithms. if you runprint_r(hash_algos());it will give you an array of the hash algorithms available on your system. Whirlpool is just one type of hash, like MD5, SHA1 and CRN32
A salt is basically adding a random string(s) to whatever you are encrypting or hashing:
php Syntax (Toggle Plain Text)
so if the user decided to make their password "password" the hashed password would actually be for the value of "password8*S&AsEc4qUs" which would prevent someone from using a hash lookup database as it ensures that the users password has some form of complexity to it. This is assuming that someone was looking at the actual hash stored in the database and not trying to forge logins from a from.
I *believe* phpBB3 uses the random salt for every password option i mentioned in my previous post. It would be something like this:
php Syntax (Toggle Plain Text)
Although I imagine when you get into generating random salts, you are going to be just as comparable to double hashing the same string, in terms of cpu usage and at some point you start to cross the line of security by obscurity.
PHP Syntax (Toggle Plain Text)
Try not to bump 10 year old threads as it can be really annoying.
Like php then read my website at http://syntax.cwarn23.net/
Star-Trek-Atlantis - now that's what I call a movie ^_^
My favourite PC. - MacGyver Fan
Bad english note: dis-iz-2b4u
Like php then read my website at http://syntax.cwarn23.net/
Star-Trek-Atlantis - now that's what I call a movie ^_^
My favourite PC. - MacGyver Fan
Bad english note: dis-iz-2b4u
|
Other Threads in the PHP Forum
- Previous Thread: Upcoming Events script (Free or Commercial)...?
- Next Thread: div tag + iframe
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest PHP Posts
- Today's Posts
- Unanswered Threads
.htaccess alerts apache api archive array autocomplete beginner binary broken cakephp checkbox class cms code convert cron curl database dataentry date display duplicates dynamic echo email emptydisplayvalue error execute explodefunction file files firstoptioninphpdroplist folder form forms function functions google hack href htaccess html htmlspecialchars image include insert ip javasciptvalidation javascript joomla keywords limit link login mail matching menu methods mlm multiple mysql network object oop paypal pdf php problem query radio random recursion recursive redirect remote script search securephp server sessions shot sms source space sql subscription syntax system table tutorial tutorials update upload url validator variable video web youtube
