0

Hi All,

I'm in the middle of building a new login/registration class and was going to apply a hashing function to the pw and an activation token, when I came across the hash_hmac function.

I've tried finding out more about it, but info is pretty scarce. Could anybody shine some light on this for me? I gleaned this (leaving out the last parameter for now):

echo hash_hmac('sha256', 'the string to be hashed', 'my_secret_key');
echo hash('sha256', 'the string to be hashed' . 'my_secret_key');

Obviously, I'm not expecting the outputs to be the same, but does the first line have an advantage over the second? The third parameter in line 1 is a key, as opposed to a salt. I've used the string as a salt in line 2. Getting a DVT in my amygdala over this :)

//EDIT

My question's not very clear - is hash_hmac better than hash? Would their uses be different?

Edited by diafol: n/a

1

To my understanding hmac variations are substantially less prone to collisions than the standard hash functions.

I know this is not directly related to your question, but have you considered using bcrypt for your passwords? Assuming your environment is 5.3+
http://us2.php.net/crypt
http://yorickpeterse.com/articles/use-bcrypt-fool/
http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
http://gom-jabbar.org/articles/2008/12/03/why-you-should-use-bcrypt-to-store-your-passwords

0

Thanks ms. Great reply as usual.

0

I have never used it, but from what I have read:
HMACs are substantially less affected by collisions than their underlying hashing algorithms alone.
So adding an HMAC to an MD5 hash would make it substantially more difficult to break via a rainbow table.
I believe the only known attack type against hmac hash is brute force.

0

Thanks, dd. I'm halfway through reading ms's reading list at the moment. My nose isn't quite bleeding but I've got a strong tickle! :)

0

Seems I'm gaining a lot of pain!
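
An added example, not part of any post in this thread: the two jobs from the question handled separately, with hash_hmac authenticating an activation token and bcrypt (through password_hash) storing the password. The function names, the key and the addresses are hypothetical or constructed, and PHP 7.1+ is assumed.

```php
<?php
// Added example, not code from the thread. Key and addresses are constructed.
declare(strict_types=1);

// Assumption: a real application loads this key from configuration.
const TOKEN_KEY = 'constructed-demo-key-not-for-production';

// Token = base64(expiry|email) . '.' . HMAC-SHA256 tag over that payload.
function make_activation_token(string $email, int $expires, string $key): string
{
    $payload = $expires . '|' . $email;
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the email when the tag is valid and the token is unexpired, else null.
function check_activation_token(string $token, int $now, string $key): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;
    }
    // hash_equals compares in constant time; == would leak timing information.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $parts[1])) {
        return null;
    }
    // The payload is authenticated at this point, so it can be parsed.
    $fields = explode('|', $payload, 2);
    if (count($fields) !== 2 || (int) $fields[0] < $now) {
        return null;
    }
    return $fields[1];
}

$now   = time();
$token = make_activation_token('user@example.com', $now + 3600, TOKEN_KEY);
$tag   = explode('.', $token, 2)[1];
$forged = base64_encode(($now + 3600) . '|admin@example.com') . '.' . $tag;

var_dump(check_activation_token($token, $now, TOKEN_KEY));        // untouched token
var_dump(check_activation_token($forged, $now, TOKEN_KEY));       // payload swapped, old tag
var_dump(check_activation_token($token, $now + 7200, TOKEN_KEY)); // past its expiry

// Passwords get a slow, salted hash instead of hash() or hash_hmac().
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 12]);
var_dump(password_verify('correct horse battery staple', $stored));
var_dump(password_verify('wrong guess', $stored));
```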
