Member Avatar for diafol

Hi All,

I'm in the middle of building a new login/registration class and was going to apply a hashing function to the pw and an activation token, when I came across the hash_hmac function.

I've tried finding out more about it, but info is pretty scarce. Could anybody shine some light on this for me? I gleaned this (leaving out the last parameter for now):

echo hash_hmac('sha256', 'the string to be hashed', 'my_secret_key');
echo hash('sha256', 'the string to be hashed' . 'my_secret_key');

Obviously, I'm not expecting the outputs to be the same, but does the first line have an advantage over the second? The third parameter in line 1 is a key, as opposed to a salt. I've used the string as a salt in line 2. Getting a DVT in my amygdala over this :)

//EDIT

My question's not very clear - is hash_hmac better than hash? Would their uses be different?

All 6 Replies

To my understanding hmac variations are substantially less prone to collisions than the standard hash functions.

I know this is not directly related to your question, but have you considered using bcrypt for your passwords? Assuming your environment is 5.3+
http://us2.php.net/crypt
http://yorickpeterse.com/articles/use-bcrypt-fool/
http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
http://gom-jabbar.org/articles/2008/12/03/why-you-should-use-bcrypt-to-store-your-passwords
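
An added example (not code from any poster in this thread), assuming PHP 7+: it rebuilds HMAC-SHA256 from hash() to show how hash_hmac differs from hashing string . key, signs and verifies an activation token with it, and stores the password with bcrypt as suggested above. The function names, token layout, key and password are constructed for illustration.

```php
<?php
// HMAC-SHA256 built from hash() alone: the key is mixed in twice, in two
// nested hashes, instead of being appended to the message once.
function hmac_sha256_manual(string $message, string $key): string
{
    $blockSize = 64;                              // SHA-256 block size in bytes
    if (strlen($key) > $blockSize) {
        $key = hash('sha256', $key, true);        // long keys are hashed first
    }
    $key   = str_pad($key, $blockSize, "\0");     // then zero-padded to one block
    $ipad  = $key ^ str_repeat("\x36", $blockSize);
    $opad  = $key ^ str_repeat("\x5c", $blockSize);
    $inner = hash('sha256', $ipad . $message, true);
    return hash('sha256', $opad . $inner);
}

// Activation token (hypothetical layout): "userId:nonce:mac". Only the server
// knows $serverKey, so only the server can produce a valid mac.
function make_activation_token(int $userId, string $serverKey): string
{
    $payload = $userId . ':' . bin2hex(random_bytes(16));
    return $payload . ':' . hash_hmac('sha256', $payload, $serverKey);
}

function check_activation_token(string $token, string $serverKey): bool
{
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return false;                             // malformed token
    }
    [$userId, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . ':' . $nonce, $serverKey);
    return hash_equals($expected, $mac);          // constant-time comparison
}

$key = 'my_secret_key';                           // constructed sample key
$msg = 'the string to be hashed';

// The built-in and the manual construction agree.
var_dump(hash_equals(hash_hmac('sha256', $msg, $key), hmac_sha256_manual($msg, $key)));

// A token verifies as issued and fails once the user id is changed.
$token = make_activation_token(42, $key);
var_dump(check_activation_token($token, $key));
var_dump(check_activation_token('43' . substr($token, 2), $key));

// Passwords: bcrypt with a per-password salt and cost factor, not a bare hash.
$stored = password_hash('constructed-sample-password', PASSWORD_BCRYPT);
var_dump(password_verify('constructed-sample-password', $stored));
```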

Member Avatar for diafol

Thanks ms. Great reply as usual.

I have never used it, but from what I have read:
HMACs are substantially less affected by collisions than their underlying hashing algorithms alone.
So adding an HMAC to an MD5 hash would make it substantially more difficult to break via a rainbow table.
I believe the only known attack type against hmac hash is brute force.

Member Avatar for diafol

Thanks, dd. I'm halfway through reading ms's reading list at the moment. My nose isn't quite bleeding but I've got a strong tickle! :)

No pain no gain!

Member Avatar for diafol

Seems I'm gaining a lot of pain!
