Best encryption methods?

OmniX, post #31, Feb 26th, 2009
Nice loop and good information!

OK, I think I have everything now to start my encryption, wait, I mean hashing :p

Any helpful additional information would be much appreciated.

Thank you everyone for your helpful input. Regards, X

PS: cwarn23 I now have a better understanding of your function and it looks great, thanks again.
Last edited by OmniX; Feb 26th, 2009 at 1:12 am.
nav33n, post #32, Feb 26th, 2009
Maybe we could have a competition of the most secure and fastest hash mechanism.
Unless we have an extremely talented hacker who can decipher hashes in minutes (or hours), we won't be able to know which is the most secure hashing mechanism. IMO, all these above posted functions are secure.
mschroeder, post #33, Feb 26th, 2009
The thing with hashes is that they SHOULD NOT be able to be reversed. If the intention was to reverse it, then it would be encryption.

Generally when I read about weak hashes being cracked, it's because of a design flaw in the algorithm, which contains math way above my head. Or someone has created a lookup table of common dictionary words, which is where salting the hashed string comes into play, because even common words and combinations are no longer common.

I'd also be curious to see some comparative benchmarks regarding hashing a string once using a randomly generated salt as I provided, where the CPU intensity will be in the salt generation, vs. using a static salt(s) and then double hashing the string, or any of the other methods cwarn provided.

If someone posts their test code and results, I'd be happy to run them on a handful of drastically different servers and post those results as well.
-- Code I post is usually but not always tested. If it is tested it will be against 5.2.11 or 5.3.0
Will Gresham, post #34, Feb 26th, 2009
Very informative

I will remember this one for future reference. Rep+ for you all
cwarn23, post #35, Feb 26th, 2009
I have just done a quick test on some of the different types of hash methods used in the article and the script is as follows:
    <?php
    // Double hash with no salt.
    function truehash_a($hashzzz) {
        return hash('crc32b',hash('whirlpool',$hashzzz));
    }

    // Fixed salt before and after the input.
    function salthash_a($hashzzz) {
        return hash('crc32b',hash('whirlpool','asdf'.$hashzzz.'jklh'));
    }

    // crc32b of the input as the leading salt.
    function salthash_b($hashzzz) {
        return hash('crc32b',hash('whirlpool',hash('crc32b',$hashzzz).$hashzzz.'jklh'));
    }

    // Input length plus fixed strings as the salt.
    function salthash_c($hashzzz) {
        return hash('crc32b',hash('whirlpool',strlen($hashzzz).'18'.$hashzzz.'jklh'));
    }

    // Four times the input length plus fixed strings as the salt.
    function salthash_d($hashzzz) {
        $varzzz=4*strlen($hashzzz);
        return hash('crc32b',hash('whirlpool','6'.$varzzz.'18'.$hashzzz.'jklh'));
    }

    // mschroeder's hasher: random salt appended to the input.
    function salthash_e($hashzzz) {
        $sPossible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-+=[]{}|';
        $iPossibleCount = strlen( $sPossible );

        $sSalt = '';
        // $iLength is never defined in this version, so the loop does not run and the salt stays empty.
        for( $i=0; $i<$iLength; $i++ )
        {
            // Valid string offsets are 0 .. $iPossibleCount - 1.
            $sSalt .= $sPossible[mt_rand(0, $iPossibleCount - 1)];
        }

        $sHash = hash('whirlpool', $hashzzz . $sSalt);
        return $sHash;
    }


    //=======================
    $time_start = microtime(true);
    truehash_a('absdefghijklmnopqrstuvwxyz');
    $time_end = microtime(true);
    $time = $time_end - $time_start;
    // Scale to milliseconds, then rewrite the leading digits so the value prints as
    // plain decimal seconds rather than scientific notation (holds for calls under 10 ms).
    $time=$time*1000;
    $time=preg_replace('/([0-9]+)\./','0.00$1',$time);

    echo "truehash_a() takes $time seconds to execute.<br>\n";
    unset($time_start);
    unset($time_end);
    unset($time);


    //- - - - - - - - - - - -
    $time_start = microtime(true);
    salthash_a('absdefghijklmnopqrstuvwxyz');
    $time_end = microtime(true);
    $time = $time_end - $time_start;
    $time=$time*1000;
    $time=preg_replace('/([0-9]+)\./','0.00$1',$time);

    echo "salthash_a() takes $time seconds to execute.<br>\n";
    unset($time_start);
    unset($time_end);
    unset($time);


    //- - - - - - - - - - - -
    $time_start = microtime(true);
    salthash_b('absdefghijklmnopqrstuvwxyz');
    $time_end = microtime(true);
    $time = $time_end - $time_start;
    $time=$time*1000;
    $time=preg_replace('/([0-9]+)\./','0.00$1',$time);

    echo "salthash_b() takes $time seconds to execute.<br>\n";
    unset($time_start);
    unset($time_end);
    unset($time);


    //- - - - - - - - - - - -
    $time_start = microtime(true);
    salthash_c('absdefghijklmnopqrstuvwxyz');
    $time_end = microtime(true);
    $time = $time_end - $time_start;
    $time=$time*1000;
    $time=preg_replace('/([0-9]+)\./','0.00$1',$time);

    echo "salthash_c() takes $time seconds to execute.<br>\n";
    unset($time_start);
    unset($time_end);
    unset($time);


    //- - - - - - - - - - - -
    $time_start = microtime(true);
    salthash_d('absdefghijklmnopqrstuvwxyz');
    $time_end = microtime(true);
    $time = $time_end - $time_start;
    $time=$time*1000;
    $time=preg_replace('/([0-9]+)\./','0.00$1',$time);

    echo "salthash_d() takes $time seconds to execute.<br>\n";
    unset($time_start);
    unset($time_end);
    unset($time);


    //- - - - - - - - - - - -
    $time_start = microtime(true);
    salthash_e('absdefghijklmnopqrstuvwxyz');
    $time_end = microtime(true);
    $time = $time_end - $time_start;
    $time=$time*1000;
    $time=preg_replace('/([0-9]+)\./','0.00$1',$time);

    echo "salthash_e() takes $time seconds to execute. (mschroeder's hasher)\n";
    unset($time_start);
    unset($time_end);
    unset($time);

    ?>
The above code outputs something similar to the following:

    truehash_a() takes 0.0000791549682617 seconds to execute.
    salthash_a() takes 0.0000507831573486 seconds to execute.
    salthash_b() takes 0.0000548362731934 seconds to execute.
    salthash_c() takes 0.0000519752502441 seconds to execute.
    salthash_d() takes 0.0000441074371338 seconds to execute.
    salthash_e() takes 0.0000419616699219 seconds to execute. (mschroeder's hasher)

And it turns out that if you add a fixed salt before and after the script it will speed up the script. So below is an example of a faster version of my truehash() function

    function truehash($hashzzz) {
        return hash('crc32b',hash('whirlpool','asdf'.$hashzzz.'jklh'));
    }
    //the above function in the results is salthash_a()

Don't know why it speeds up but it just does. Also, you can check the comparison of the various speeds with the various examples and looks like the least secure hash (IMO) that relied on a salt is the fastest. Also another way to make sure that the hash cannot be dehashed (as I call it) by those mainframe computers (1.7TB cpu - 2001 world's fastest computer), you could just remove half the characters from the hash with the substr() function. I hear a new IBM computer that can handle 100,000,000,000,000,000 floating point operations per second (Also known as Peta-flops) is coming out in 2011. It probably won't need a database to crack a hash as it would have enough cpu to keep on doing random hashes until it gets the right one. And that I am guessing would only take maybe an hour per group of hashes.
mschroeder, post #36, Feb 26th, 2009
Just did a quick run of these on my local machine:

truehash_a() takes 0.00002598762512207 seconds to execute.
salthash_a() takes 0.000015020370483398 seconds to execute.
salthash_b() takes 0.000015974044799805 seconds to execute.
salthash_c() takes 0.000015974044799805 seconds to execute.
salthash_d() takes 0.000015974044799805 seconds to execute.
salthash_e() takes 0.00002598762512207 seconds to execute. (mschroeder's hasher)

**** These results are from PHP 5.3.0; the rest of the results will be from 5.2.8 installs.

I did have to make one small change though:

    function salthash_e($hashzzz) {
        $sPossible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-+=[]{}|';
        $iPossibleCount = strlen( $sPossible );

        $sSalt = '';
        // Salt length hardcoded to 10 characters.
        for( $i=0; $i<10; $i++ )
        {
            // Valid string offsets are 0 .. $iPossibleCount - 1.
            $sSalt .= $sPossible[mt_rand(0, $iPossibleCount - 1)];
        }

        $sHash = hash('whirlpool', $hashzzz . $sSalt);
        return $sHash;
    }

The for loop wasn't getting a length to check against, so I just hardcoded it to 10.
However, I get the same results with the speedup when adding static salts. That is very unexpected. I'll post additional test results from other machines tomorrow.
Last edited by mschroeder; Feb 26th, 2009 at 3:10 am.
OmniX, post #37, Feb 26th, 2009
Sounds good, keep up the work!

But if they are getting quicker, the more hashing/variables you introduced - it doesn't quite make sense?
cwarn23, post #38, Feb 26th, 2009
> But if they are getting quicker, the more hashing/variables you introduced - it doesn't quite make sense?

Well, what I have pointed out is that with the PHP interpreter, if you just input a variable then it will be slower than inputting a variable and string on each side. Below is an example:

    hash('whirlpool', 'asdf'.$hashzzz.'jklh');
    //above will be faster than below
    hash('whirlpool', $hashzzz);

I do not know why that is but it makes a big difference for some odd reason.
digital-ether, post #39, 23 Days Ago
Sorry for resurrecting an old thread. But it was referenced recently and I thought I'd add to it.

crc32b should not be used with passwords as it is an insecure hash function.
http://en.wikipedia.org/wiki/Cyclic_redundancy_check

It also generates hashes that are only 8 hexadecimal (base 16) digits long. Thus you have less than 16^8 possible hashes (or less than 10 digits decimal).

A simple brute force such as:

    $hash = hash('crc32b', hash('whirlpool', 'some password ^#d@C~'));
    $n = 0; // counter was never initialised in the original
    // strict comparison: with != PHP compares digests such as "0e123456" as numbers
    while ($hash !== hash('crc32b', $n)) { $n++; }
    echo $n;

will produce a collision for any crc32b hash within an hour on an average PC. Using crc32b basically makes the original hashing function (whirlpool in this example) useless.

Whirlpool produces a 128 digit hexadecimal. Thus you should keep the whole hash in order to preserve its effectiveness against attacks. Rehashing a whirlpool hash with another hash that produces a shorter hash probably isn't a good idea. If you're doing it to save space, there are better alternatives.
http://www.bucabay.com/php/base-conv...php-radix-255/

You should also always salt passwords before hashing to make rainbow tables (and other precomputation attacks) unfeasible.
http://en.wikipedia.org/wiki/Rainbow_table

A rainbow table is just a list of possible passwords and their corresponding hashes. So it can be thought of as a simple database table with one column for the password, and the other for its hash. However, generating all the possible passwords for longer passwords, and more characters, requires a lot of space. So rainbow tables use a time-space trade-off to save space. This however makes the generation of these tables computationally expensive. So if you salt a password, you effectively make it long enough that it would be infeasible to generate a rainbow table for it.

You should use a salt that makes precomputation attacks infeasible.
Currently rainbow tables with up to 14 characters length are common, so more than 14 characters at minimum for a salt. There is no reason not to use a salt, say, 128 characters long with a password hashed with whirlpool.

Wordpress API generates some good salts: http://api.wordpress.org/secret-key/1.1/

Lastly, you need to make sure brute force is infeasible. A salt only works against precomputation attacks. With brute force, a known salt does not hinder the attack at all.

Example:
For simplicity, let's say only digits can be used for passwords:

    $password = '123456789';
    $salt = 'some really long random salt';
    $hash = hash('whirlpool', $password.$salt );

Now, even though the password is salted before hashing, we still have the problem that we can't rely on hiding the salt, so we have to consider it known. We also can't rely on the password being more than 10 digits, since most people do not remember such long passwords.
Thus a simple brute force on a single machine will still crack the password within an hour or two.

    $salt = 'some really long random salt';
    $n = 0; // counter was never initialised in the original
    while ($hash !== hash('whirlpool', $n.$salt )) { $n++; } // strict comparison of digest strings

The only difference between a password of just digits in this example, and one of actual characters is that characters have a larger base, but it doesn't really change much considering most passwords will be a smaller set of the 26 alphabetic characters.

There are a few ways to thwart this. One is key stretching.
http://en.wikipedia.org/wiki/Key_strengthening

This is to hash the password and seed over and over in order to make a brute force N times slower, where N is the number of repeated hashing.

e.g.:

    $password = '123456789';
    $salt = 'some really long random salt';
    $i = 1000;
    while($i--) {
        $password = hash('whirlpool', $password.$salt );
    }
    $hash = $password;

This makes a brute force at least 1000 times slower.

What to note is that the slower your login is, the better. You can afford to wait a few milliseconds or seconds longer, but an attacker cannot.

The other solution is to use a computationally intensive hashing function such as bcrypt. http://www.usenix.org/events/usenix9...tml/node1.html

Sources:
http://chargen.matasano.com/chargen/...w-about-s.html
http://www.freerainbowtables.com/
http://www.codinghorror.com/blog/archives/000949.html
http://en.wikipedia.org/wiki/Cyclic_redundancy_check
http://en.wikipedia.org/wiki/Cryptog..._hash_function
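An added example (not code from the thread or any of its posters) for the points in post #39: the thread's fixed-salt crc32b scheme next to key stretching with a random per-user salt and to bcrypt, with the per-guess cost of each measured. It assumes PHP 7.0 or later; the function names, the PBKDF2 iteration count and the bcrypt cost are illustrative choices, and the sample password is constructed.

```php
<?php
// Added example, not code from the thread. Needs PHP 7.0+ (random_bytes, password_hash).
// Function names, the PBKDF2 iteration count and the bcrypt cost are illustrative choices.
// The thread's scheme: fixed salt, one Whirlpool pass, squeezed to 32 bits by crc32b.
function thread_hash(string $password): string {
    return hash('crc32b', hash('whirlpool', 'asdf' . $password . 'jklh'));
}

// Key stretching as described in post #39, using PBKDF2 and a random per-user salt.
// Salt and iteration count are stored beside the hash; neither is secret.
function stretch_hash(string $password, int $iterations = 100000): string {
    $salt = random_bytes(16);
    $dk = hash_pbkdf2('whirlpool', $password, $salt, $iterations, 64, true);
    return implode('$', ['pbkdf2-whirlpool', $iterations, base64_encode($salt), base64_encode($dk)]);
}

function stretch_verify(string $password, string $stored): bool {
    $p = explode('$', $stored);
    if (count($p) !== 4 || $p[0] !== 'pbkdf2-whirlpool' || (int)$p[1] < 1) {
        return false;
    }
    $salt = base64_decode($p[2], true);
    $dk = base64_decode($p[3], true);
    if ($salt === false || $dk === false || $dk === '') {
        return false;
    }
    $check = hash_pbkdf2('whirlpool', $password, $salt, (int)$p[1], strlen($dk), true);
    return hash_equals($dk, $check); // constant-time comparison
}

// bcrypt: salt generation, cost and encoding are handled by password_hash().
function bcrypt_login(string $password, string $stored, int $cost = 12): array {
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]); // raise cost at login
    }
    return [true, $stored];
}

// Average wall-clock milliseconds per call over $runs calls.
function ms_per_call(callable $fn, int $runs): float {
    $start = microtime(true);
    for ($i = 0; $i < $runs; $i++) {
        $fn();
    }
    return (microtime(true) - $start) * 1000 / $runs;
}

$pw = 'correct horse 42'; // constructed sample password
// Same password stored for two users: the fixed-salt digest repeats, salted records differ.
var_dump(thread_hash($pw) === thread_hash($pw));
var_dump(stretch_hash($pw) === stretch_hash($pw));
// Verification re-derives the key from the stored salt and iteration count.
$record = stretch_hash($pw);
var_dump(stretch_verify($pw, $record), stretch_verify('wrong guess', $record));
// A record created at cost 10 is verified, then re-hashed at cost 12.
$old = password_hash($pw, PASSWORD_BCRYPT, ['cost' => 10]);
list($ok, $new) = bcrypt_login($pw, $old, 12);
var_dump($ok, $new !== $old);

// Cost of one guess for someone who holds the stored record and therefore the salt.
printf("thread_hash   %.4f ms\n", ms_per_call(function () use ($pw) { thread_hash($pw); }, 1000));
printf("pbkdf2 100k   %.1f ms\n", ms_per_call(function () use ($pw) { stretch_hash($pw); }, 3));
printf("bcrypt cost12 %.1f ms\n", ms_per_call(function () use ($pw) { password_hash($pw, PASSWORD_BCRYPT, ['cost' => 12]); }, 3));
```

bcrypt uses only the first 72 bytes of the password, so very long passphrases are not distinguished beyond that length.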
cwarn23, post #40, 23 Days Ago
> code will produce a collision for any crc32b hash within an hour on an average PC.

That is true with any hashing function and that is what makes crc32 so good. It stores a large amount of data in minimum space with minimum resources still with the concept. If however you are after uniqueness then all of the hash functions are no good and the following code will need to be used.

    <?php
    function hash_string($string,$extrachars='',$mixsault=true) {
        $str=array();
        $charconvert=array(); // initialised here; the original relied on implicit creation
        if (strlen($string)>3) {
            // Insert the extra characters in the middle of the input.
            $len=floor(strlen($string)/2);
            if ($mixsault==false) {
                $long=str_split(substr($string,0,$len).$extrachars.substr($string,$len),1);
            } else {
                $string=substr($string,0,$len).$extrachars.substr($string,$len);
                $long=str_split($string,1);
            }
        } else {
            $long=str_split($string.$extrachars,1);
        }
        // Collect the distinct characters, then number them starting at 2.
        for ($i=0;isset($long[$i]);$i++) {
            if (!isset($charconvert[$long[$i]])) {
                $charconvert[$long[$i]]=true;
            }
        }
        if ($mixsault==false) {
            ksort($charconvert);
        }
        $i=2;
        foreach ($charconvert AS $key=>$val) {
            $charconvert[$key]=$i++;
        }
        $amount=count($charconvert);
        unset($long);
        // Process the input two characters at a time.
        $arr=str_split($string,2);
        while (!empty($arr[0]) || $arr[0]===0) {
            for ($i=0;isset($arr[$i]);$i++) {
                $char=str_split($arr[$i],1);
                $arr[$i]='';
                if (empty($charconvert[$char[1]])) {
                    $tmp=1;
                } else {
                    $tmp=$charconvert[$char[1]];
                }

                $v=(($charconvert[$char[0]]*$tmp)+32+($amount-$tmp));
                if ($v<256) {
                    $str[]=chr($v);
                } else {
                    $str[]=$char[0];
                    $arr[$i]=$char[1];
                    $arr=implode('',$arr);
                    // $arr is unset here, so the str_split() below receives an undefined variable.
                    unset($arr);
                    $arr=str_split($arr,2);
                    unset($arrs);
                }
                unset($v,$tmp);
            }
        }
        unset($arr,$char,$charconvert);
        return implode('',$str);
    }

    echo hash_string('This is to be hashed','this is like a sault',false); //outputs: >–7FÊ3:JŽR
    echo hash_string('This is to be hashed','this is like a sault',false); //outputs: >–7FÊ3:JŽR
    echo hash_string('This is to be hashed','this is like a sault',true); //outputs: 1=BF^@=BFN‘jG½ftjF:Ä
    echo hash_string('This is to be hashed','this is like a sault',true); //outputs: 1=BF^@=BFN‘jG½ftjF:Ä
    echo hash_string('This is to be hashed'); //outputs: .:?C[XaA7—
    echo hash_string('This is to be hashed'); //outputs: .:?C[XaA7—
    echo hash_string('This is to be hashed','',false); //outputs: ;ƒ4?™07G{O
    echo hash_string('This is to be hashed','',false); //outputs: ;ƒ4?™07G{O
    ?>

So truly a custom hash function is the ONLY way to prevent collisions and to have better security.
©2003 - 2009 DaniWeb® LLC