Page 3 of this multi-page discussion thread
Feb 25th, 2009
Re: Best encryption methods?

Hashing and encryption are two different things.
Hashes like MD5, SHA1, Whirlpool etc. are one-way. There *should* NOT be a way to reverse them.

Encryption, however, is two-way: you can encrypt a string and, when decrypted, it returns the same string.

For hashes I agree with cwarn in the use of whirlpool, but I would have to argue that salting the string to be hashed prior to running it through whirlpool would be just as strong as double hashing the string, but would require less CPU work. You could also make it infinitely harder by generating a random salt for every password and then storing the salt along with the hashed string in the database.

If the OP is interested in encryption I would suggest taking a look at this post in the PHP documentation using the mcrypt library: http://us2.php.net/manual/en/functio...pt-encrypt.php

There are also a few different MySQL methods for dealing with encryption:
aes_encrypt/aes_decrypt
encode/decode
des_decrypt/des_encrypt

I've worked on projects where, for example, passwords needed to be hashed to prevent snooping by people with access to the database, and also where passwords needed to be encrypted so that support staff could view the password if the user had forgotten it, without having to reset it to a random string or a default password.
Last edited by mschroeder; Feb 25th, 2009 at 10:17 am. Reason: wrong url to php documentation
Posted by mschroeder
Feb 25th, 2009
Re: Best encryption methods?

Salting a password just means inserting a random string in with the password to get a more random hash?

With the 'whirlpool' string, could it just as well have been 'tornado' or 'sandstorm', all customizable depending on the user's preference, or are they keyword functions? (As I see whirlpool and crc32 coming up a few times.)
Posted by OmniX
Feb 25th, 2009
Re: Best encryption methods?

The hash function is a function that allows you to utilize numerous kinds of algorithms. If you run print_r(hash_algos()); it will give you an array of the hash algorithms available on your system. Whirlpool is just one type of hash, like MD5, SHA1 and CRC32.

A salt is basically adding a random string(s) to whatever you are encrypting or hashing:

```php
<?php

$sString = 'password';          // the string being hashed (not defined in the original post)
$sSalt   = '8*S&AsEc4qUs';
$sHash   = hash('whirlpool', $sString . $sSalt);

echo $sHash;
```

So if the user decided to make their password "password", the hashed password would actually be for the value of "password8*S&AsEc4qUs", which would prevent someone from using a hash lookup database as it ensures that the user's password has some form of complexity to it. This is assuming that someone was looking at the actual hash stored in the database and not trying to forge logins from a form.

I *believe* phpBB3 uses the random salt for every password option I mentioned in my previous post. It would be something like this:

```php
<?php

function getSalt($iLength = 10)
{
    $sPossible      = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-+=[]{}|';
    $iPossibleCount = strlen($sPossible);

    $sSalt = '';
    for ($i = 0; $i < $iLength; $i++) {
        // Valid offsets are 0..count-1; the post's mt_rand(0, $iPossibleCount) could
        // pick one past the end of the string. mt_rand() is also not a cryptographic
        // generator (random_bytes() is, on PHP 7+).
        $sSalt .= $sPossible[mt_rand(0, $iPossibleCount - 1)];
    }

    return $sSalt;
}

$sPassword = 'password';
$sSalt     = getSalt();

$sHash = hash('whirlpool', $sPassword . $sSalt);

// Store $sHash and $sSalt in the database.
```

Although I imagine when you get into generating random salts, it is going to be comparable to double hashing the same string in terms of CPU usage, and at some point you start to cross the line into security by obscurity.
Last edited by mschroeder; Feb 25th, 2009 at 11:43 am.
Posted by mschroeder
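As an added example, not from the thread or from phpBB, here is the per-password random salt described above carried through to storage and login verification. It assumes PHP 7 or later for random_bytes() (a CSPRNG, where the post's getSalt() relies on mt_rand()), uses hash_equals() so the comparison does not leak timing, and the $db array is a constructed stand-in for the database table holding the hash and salt side by side.

```php
<?php
// Added example (not the thread's code): per-password random salt, stored
// next to the hash, and checked at login. $db stands in for the database.

function makeSalt(int $bytes = 16): string
{
    // 16 CSPRNG bytes -> 32 hex characters; a fresh value for every password.
    return bin2hex(random_bytes($bytes));
}

function hashPassword(string $password, string $salt): string
{
    // Same construction as the post: whirlpool over password . salt.
    return hash('whirlpool', $password . $salt);
}

function storeUser(array &$db, string $user, string $password): void
{
    $salt = makeSalt();
    $db[$user] = ['salt' => $salt, 'hash' => hashPassword($password, $salt)];
}

function verifyUser(array $db, string $user, string $password): bool
{
    if (!isset($db[$user])) {
        return false;
    }
    // Recompute with the stored salt and compare in constant time.
    $candidate = hashPassword($password, $db[$user]['salt']);
    return hash_equals($db[$user]['hash'], $candidate);
}

$db = [];
storeUser($db, 'alice', 'password');
storeUser($db, 'bob', 'password');

// Two users with the same password get different stored hashes because
// their salts differ, so a lookup table built for one does not hit the other.
echo 'different hashes for same password: ';
var_dump($db['alice']['hash'] !== $db['bob']['hash']);
echo 'alice / correct password: ';
var_dump(verifyUser($db, 'alice', 'password'));
echo 'alice / wrong case: ';
var_dump(verifyUser($db, 'alice', 'Password'));
echo 'unknown user: ';
var_dump(verifyUser($db, 'carol', 'password'));
```

On PHP 5.5 and later, password_hash() and password_verify() handle the salt and a deliberately slow, iterated hash for you; the block keeps the thread's whirlpool construction only to show what the salt contributes.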
Feb 25th, 2009
Re: Best encryption methods?

Thank you for the informative post that explains the hash algorithm in detail.
I can go run off that check for the list of algorithms and work off that.
Thanks, Regards X
Posted by OmniX
Feb 25th, 2009
Re: Best encryption methods?

Careful about misleading people. A hash is not encryption. There is no way to decrypt a hash. There is also no such thing as a "dehasher", the only way to "reverse" a hash is to create huge libraries (called rainbow tables) of pre-created hashes and check against them. MD5, SHA1/256/etc are hashes, Vigenere, WEP, etc. are encryption.
Posted by ShawnCplus
Feb 25th, 2009
Re: Best encryption methods?

I am assuming that for security, hashing is better than encryption, as it is one-way where encryption is two-way?

Encryption I know how it works normally; not sure if it's the same in the PHP world.

'User A' 'encrypts' a password with a key, then sends the key and password separately to 'user B', then the user uses the key to decrypt the password?
Is this how encryption works in PHP?
Posted by OmniX
Feb 25th, 2009
Re: Best encryption methods?

They're two different things that both have different purposes. As I indicated in my first post, and as ShawnC again emphasized, encryption and hashing are two different things. You can't compare them on a security level.
Posted by mschroeder
Feb 26th, 2009
Re: Best encryption methods?

I just ran [print_r(hash_algos());]
Now I understand the crc32b, whirlpool, etc., but is there a breakdown table anyone has a link to that lists the character length produced, time to hash, etc.?

Thanks, Regards X
Posted by OmniX
Feb 26th, 2009
Re: Best encryption methods?

The number of registered algorithms will vary by system, although in my experience most of them are commonly available. As far as execution time, that would vary drastically depending on the type of hardware your site/system is hosted on.

I would suggest running a quick benchmark on the hash_algos() output.

```php
<?php

$aAlgos        = hash_algos();
$sStringToHash = 'This is a test string';
$sSaltString   = 'This is the salt';

foreach ($aAlgos as $sAlgoName) {
    echo 'Algorithm: ' . $sAlgoName . '<br />';

    $iStart  = microtime(true); // Only valid with PHP5
    $sHashed = hash($sAlgoName, $sStringToHash . $sSaltString);
    $iEnd    = microtime(true);

    echo 'String Length: ' . strlen($sHashed) . '<br />';
    echo 'Hash: ' . $sHashed . '<br />';
    echo 'Total Hashing Time: ' . number_format(($iEnd - $iStart), 8) . ' seconds';
    echo '<hr />';
}
```

It is crude but should give you a fairly accurate idea of how long it's taking your system to run a single hash. I'm not certain if there are other factors that would skew this benchmark or not, as I'm not familiar with the internals behind the hash() function.
Last edited by mschroeder; Feb 26th, 2009 at 12:55 am.
Posted by mschroeder
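An added example, not from the post above, of the same benchmark made steadier: each algorithm from hash_algos() is timed over many iterations rather than a single call (a single microtime() gap is dominated by timer resolution and whatever else the machine is doing), and the digest length is reported in bits as well as hex characters; the bits are output size, not a strength rating. Assumes PHP 7.4+ for the arrow function; the input is the post's test string and salt concatenated.

```php
<?php
// Added example (not the thread's code): repeat each hash many times and
// report microseconds per call plus the digest size, slowest algorithm first.

function benchmarkHashAlgos(string $input, int $iterations = 2000): array
{
    $results = [];
    foreach (hash_algos() as $algo) {
        $digest = hash($algo, $input);           // one call to measure output size
        $start  = microtime(true);
        for ($i = 0; $i < $iterations; $i++) {
            hash($algo, $input);
        }
        $elapsed = microtime(true) - $start;     // includes loop overhead, same for all
        $results[$algo] = [
            'hex_chars'   => strlen($digest),
            'bits'        => strlen($digest) * 4, // each hex character carries 4 bits
            'us_per_hash' => ($elapsed / $iterations) * 1e6,
        ];
    }
    // Slowest first: for password storage a slow per-call cost is the desirable end.
    uasort($results, fn($a, $b) => $b['us_per_hash'] <=> $a['us_per_hash']);
    return $results;
}

$input = 'This is a test string' . 'This is the salt'; // same input as the post
printf("%-12s %9s %6s %12s\n", 'algorithm', 'hex chars', 'bits', 'us/hash');
foreach (benchmarkHashAlgos($input) as $algo => $r) {
    printf("%-12s %9d %6d %12.3f\n", $algo, $r['hex_chars'], $r['bits'], $r['us_per_hash']);
}
```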
Feb 26th, 2009
Re: Best encryption methods?

Quote originally posted by mschroeder: (the salting post with getSalt(), quoted in full above)
If you really want a salt before or after the hash then one of the following functions might suit you:

```php
<?php
// All four variants were named salthash() in the post; PHP cannot redeclare a
// function, so they are numbered here. Note that the outer hash('crc32b', ...)
// reduces each result to an 8-hex-character (32-bit) value.

function salthash($hashzzz) {
    return hash('crc32b', hash('whirlpool', 'asdf' . $hashzzz . 'jklh'));
}

// == or if really worried ==
function salthash2($hashzzz) {
    return hash('crc32b', hash('whirlpool', hash('crc32b', $hashzzz) . $hashzzz . 'jklh'));
}

// == or if really worried and want another idea ==
function salthash3($hashzzz) {
    return hash('crc32b', hash('whirlpool', strlen($hashzzz) . '18' . $hashzzz . 'jklh'));
}

// == or if really worried and want yet another idea ==
function salthash4($hashzzz) {
    $varzzz = 4 * strlen($hashzzz);
    return hash('crc32b', hash('whirlpool', '6' . $varzzz . '18' . $hashzzz . 'jklh'));
}
```

And if you think the crackers are really good you could even make your own type of hash with regex. So there are plenty of ideas out there, and the above are just a few easy examples. Tonight I might try and test some of the scripts on this topic to see which is the fastest. Maybe we could have a competition for the most secure and fastest hash mechanism.
Posted by cwarn23

This thread is solved.