
hash_hmac

Hi All,

I'm in the middle of building a new login/registration class and was going to apply a hashing function to the pw and an activation token, when I came across the hash_hmac function.

I've tried finding out more about it, but info is pretty scarce. Could anybody shine some light on this for me? I gleaned this (leaving out the last parameter for now):

echo hash_hmac('sha256', 'the string to be hashed', 'my_secret_key');
echo hash('sha256', 'the string to be hashed' . 'my_secret_key');


Obviously, I'm not expecting the outputs to be the same, but does the first line have an advantage over the second? The third parameter in line 1 is a key, as opposed to a salt. I've used the string as a salt in line 2. Getting a DVT in my amygdala over this :)

//EDIT

My question's not very clear - is hash_hmac better than hash? Would their uses be different?

diafol
Rhod Gilbert Fan (ardav)
Moderator
7,792 posts since Oct 2006
Reputation Points: 1,170
Solved Threads: 1,080
 

To my understanding hmac variations are substantially less prone to collisions than the standard hash functions.

I know this is not directly related to your question, but have you considered using bcrypt for your passwords? Assuming your environment is 5.3+
http://us2.php.net/crypt
http://yorickpeterse.com/articles/use-bcrypt-fool/
http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
http://gom-jabbar.org/articles/2008/12/03/why-you-should-use-bcrypt-to-store-your-passwords

mschroeder
Work Harder
Team Colleague
666 posts since Jul 2008
Reputation Points: 279
Solved Threads: 131
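
An added example, not part of the thread or any poster's code, covering the two uses raised in the question and the bcrypt suggestion above: bcrypt (through `password_hash`) for the stored password, and `hash_hmac` as a keyed MAC for the activation token. It assumes PHP 7+; `TOKEN_KEY`, the user ids and the function names are hypothetical.

```php
<?php
// Added example; TOKEN_KEY and all function names are hypothetical.

// Server-side HMAC key. Constructed value: in practice load it from
// configuration kept outside the web root, not from the users table.
const TOKEN_KEY = 'constructed-demo-key-change-me';

// Passwords: bcrypt generates a per-password salt and stores the salt and
// cost factor inside the returned string, so no separate salt column is needed.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Activation token: a random nonce plus an HMAC tag that binds the nonce to
// one user id. Only a holder of TOKEN_KEY can produce a valid tag.
function makeActivationToken(int $userId): string
{
    $nonce = bin2hex(random_bytes(16));
    $tag   = hash_hmac('sha256', $userId . '|' . $nonce, TOKEN_KEY);
    return $nonce . '.' . $tag;
}

function verifyActivationToken(int $userId, string $token): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return false; // malformed token
    }
    list($nonce, $tag) = $parts;
    $expected = hash_hmac('sha256', $userId . '|' . $nonce, TOKEN_KEY);
    return hash_equals($expected, $tag); // constant-time comparison
}

$stored = hashPassword('correct horse');          // constructed sample password
var_dump(checkPassword('correct horse', $stored));
var_dump(checkPassword('wrong guess', $stored));

$token = makeActivationToken(42);                 // constructed sample user id
var_dump(verifyActivationToken(42, $token));
var_dump(verifyActivationToken(43, $token));      // same token, different user
```
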
 

Thanks ms. Great reply as usual.

diafol
Rhod Gilbert Fan (ardav)
Moderator
7,792 posts since Oct 2006
Reputation Points: 1,170
Solved Threads: 1,080
 

I have never used it, but from what I have read:
HMACs are substantially less affected by collisions than their underlying hashing algorithms alone.
So adding an HMAC to an MD5 hash would make it substantially more difficult to break via a rainbow table.
I believe the only known attack type against hmac hash is brute force.

ddymacek
Posting Whiz
317 posts since Jun 2010
Reputation Points: 36
Solved Threads: 64
 

Thanks, dd. I'm halfway through reading ms's reading list at the moment. My nose isn't quite bleeding but I've got a strong tickle! :)

diafol
Rhod Gilbert Fan (ardav)
Moderator
7,792 posts since Oct 2006
Reputation Points: 1,170
Solved Threads: 1,080
 

No pain no gain!

mschroeder
Work Harder
Team Colleague
666 posts since Jul 2008
Reputation Points: 279
Solved Threads: 131
 

Seems I'm gaining a lot of pain!

diafol
Rhod Gilbert Fan (ardav)
Moderator
7,792 posts since Oct 2006
Reputation Points: 1,170
Solved Threads: 1,080
 

This question has already been solved
