PHP security: sha1 or hash

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

PHP security: sha1 or hash

Post by lauthiamkok »

Hi,

After knowing that hashing a password is my choice for making a login form. Now I am facing another issue - sha1 or hash?

This is a standard method using salt I think I got it from a reference book of mine,

Code: Select all

 # create a salt using the current timestamp
    $salt = time();
    	
    # encrypt the password and salt with SHA1
    $usr_password = sha1($usr_password.$salt);
but then after I have done some research on sha1, it was told it may not be so secure in the future, suggesting using hash().

But I don't quite understand using hash() - for instance -

Code: Select all

$usr_password = hash('sha256', $usr_password); 
what is that 'sha256' or 'sha512' which I found it here?

http://hungred.com/useful-information/p ... -password/

can I put anything instead, like '@123'?

why is it called salt anyway - $salt = time(); is nothing else but just a unix timestamp isn't??

thanks!
User avatar
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: PHP security: sha1 or hash

Post by flying_circus »

sha1 is a hash algorithm much like md5, sha256, sha512, and many others.

The book you pulled that piece of code from is a very poor example. A salt is supposed to be random but a timestamp is not random. Kai has been working on a random generator, I believe there was a link in his signature, to his project. His implementation would be much more suited for a salt.

Yes, I would skip the sha1 algorithm. MD5 has been compromised and there is reasonable belief that sha1 will soon suffer the same. I would use sha256 at the minimum, preferrably sha512.

A salt is designed to complicate the process of brute forcing a compromised hash.

Example, if you md5("password") and the hash is "5f4dcc3b5aa765d61d8327deb882cf99", it wont take an attacked long to run through a dictionary of common passwords to find a match.

md5("love"); //b5c0b187fe309af0f4d35982fd961d7e
md5("sex"); //3c3662bcb661d6de679c636744c66b62
md5("secret"); //5ebe2294ecd0e0f08eab7690d2a6ee69
md5("god"); //a4757d7419ff3b48e92e90596f0e7548
md5("password"); //5f4dcc3b5aa765d61d8327deb882cf99

We got a match! This user's password must be "password".

Now imagine how hard it would be to guess something like:

Code: Select all

<?php
# Randomly Generated Salt and Pepper.
# Salt is stored in the database, Pepper is stored on the filesystem.  Should 1 system be compromised, the other might not.
# It is one more step towards security in depth.
  $salt="3d4d588c4a33d9f40b6eff11411d6a67472e75d4c5bb714e01022abbbcb99854111252cf63bab2bb4b817dd9dbf18ea6b978bd2e464a9078149f054ef9fed826";
  $pepper="OTEyNjY1MDg0NzY3Y2E2M2ZmMzA0ZDE4NzQ0NGFjNjY3NDlkOGFkYThkZWE0ZDQ4YzAyNGE1ZjYzNDcxMmI4YjRjM2UxMmVjYmNjNDcxNDA1OGVlODlmZTExOGE5YmNkOGZjZGI2NWMxOTg5MjM1OGIwNDE1MzY4OTI4ZWQ4OTY=";

  $password = "password";

  hash('sha512', $password . $salt . $pepper);  //14ac5aa847a22a6f7587d60c735b5039ae80293e0a7f6cdc1409b6b8d3fac7b019a01afb9290fae13ed959e88e27703c05ef86401339a468d149ea9b28d3b30c
?>
lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

Re: PHP security: sha1 or hash

Post by lauthiamkok »

hi,

Thanks so much for this. I am now getting there closer!
Pepper is stored on the filesystem.
the filesystem - What is it may I ask? is it something like a .txt file which is kept somewhere in a hidden folder or something?

Code: Select all

$pepper="OTEyNjY1MDg0NzY3Y2E2M2ZmMzA0ZDE4NzQ0NGFjNjY3NDlkOGFkYThkZWE0ZDQ4YzAyNGE1ZjYzNDcxMmI4YjRjM2UxMmVjYmNjNDcxNDA1OGVlODlmZTExOGE5YmNkOGZjZGI2NWMxOTg5MjM1OGIwNDE1MzY4OTI4ZWQ4OTY=";
Does the value in $pepper always stay the same?

Thanks!
User avatar
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: PHP security: sha1 or hash

Post by flying_circus »

Hi,

Yes, I normally define() the pepper in a config.php file, located outside of the document root. The value of the pepper stays the same sitewide.

You can generate your own random pepper using a method that I took from Kai's random number generator. Hopefully he wont mind me sharing it. It pulls random data from the /dev/urandom file, so it only works on *nix based systems. I'd tell you to search for his posts, but it looks like he removed it from his signature line.

Code: Select all

<?php
    function fetch_random($length = 64)
    {
      $file = @fopen('/dev/urandom', 'rb');
      
      if($file) {
        $random = fread($file, $length);
        fclose($file);
        return bin2hex($random);
      }
      
      return false;
    }
?>
lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

Re: PHP security: sha1 or hash

Post by lauthiamkok »

flying_circus wrote:Hi,

Yes, I normally define() the pepper in a config.php file, located outside of the document root. The value of the pepper stays the same sitewide.

You can generate your own random pepper using a method that I took from Kai's random number generator. Hopefully he wont mind me sharing it. It pulls random data from the /dev/urandom file, so it only works on *nix based systems. I'd tell you to search for his posts, but it looks like he removed it from his signature line.

Code: Select all

<?php
    function fetch_random($length = 64)
    {
      $file = @fopen('/dev/urandom', 'rb');
      
      if($file) {
        $random = fread($file, $length);
        fclose($file);
        return bin2hex($random);
      }
      
      return false;
    }
?>
thanks so much for replying and sharing the code from Kai. I have tried to google Kai, but I cannot find its website or posts. any URL address which you could tell me...?

/dev/urandom - is it a file? it does not look like a file to me...

*nix based systems - you mean Unix based system?

Thanks
User avatar
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: PHP security: sha1 or hash

Post by flying_circus »

Hi,

Sorry, I cannot remember Kai's website url. It used to be in his signature line, and his username on this forum is kaisellgren.

Yes, /dev/urandom is a file:
http://en.wikipedia.org/wiki//dev/random
lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

Re: PHP security: sha1 or hash

Post by lauthiamkok »

flying_circus wrote:Hi,

Sorry, I cannot remember Kai's website url. It used to be in his signature line, and his username on this forum is kaisellgren.

Yes, /dev/urandom is a file:
http://en.wikipedia.org/wiki//dev/random
it's ok. thanks for the sharing :D
I normally define() the pepper in a config.php file, located outside of the document root. The value of the pepper stays the same sitewide.
May I ask where is considered as 'outside of the document root'? I put my config.php in a folder called models, is it risky then? (see the picture I attached - there are nowhere I can go in my server, that is what it is when I log in.)

Image

thanks!
User avatar
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: PHP security: sha1 or hash

Post by flying_circus »

lauthiamkok wrote:May I ask where is considered as 'outside of the document root'?
The document root (web root) is a directory that contains all of the files that are web accessible and can be navigated to by using a web browser, such as http://example.com/models/config.php.

Typically a *nix based ISP will create a user account for you on their webserver and you will have a user directory. Inside your user directory, you will have a webroot. The directory structure should look something like this:
/home/myUserName/public_html/

Anything within the public_html directory is web accessible. You want to put private files just above your webroot, into your myUserName directory. You may or may not be able to do this with your ftp client, you may have to use SSH, depending on where your ftp root (lowest directory accessbile to the ftp client) is set.

In your ftp window, you would likely need to click the ".." to go up one diretory, if allowed.
mikosiko
Forum Regular
Posts: 757
Joined: Wed Jan 13, 2010 7:22 pm

Re: PHP security: sha1 or hash

Post by mikosiko »

Flying_circus: to store the salt and hash what datatype/length do you use in the DB?
User avatar
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: PHP security: sha1 or hash

Post by flying_circus »

This could probably be improved, but it's what I've got available right now.

Code: Select all

CREATE TABLE `users` (
  `user_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `user_username` varchar(64) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
  `user_password` varchar(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
  `user_salt` varchar(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
  ...
  PRIMARY KEY (`user_id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
mikosiko
Forum Regular
Posts: 757
Joined: Wed Jan 13, 2010 7:22 pm

Re: PHP security: sha1 or hash

Post by mikosiko »

gotcha... thanks... I'm using something similar but storing salt and hash concatenated in just one field (I do use substr to split it)
lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

Re: PHP security: sha1 or hash

Post by lauthiamkok »

flying_circus wrote:
lauthiamkok wrote:May I ask where is considered as 'outside of the document root'?
The document root (web root) is a directory that contains all of the files that are web accessible and can be navigated to by using a web browser, such as http://example.com/models/config.php.

Typically a *nix based ISP will create a user account for you on their webserver and you will have a user directory. Inside your user directory, you will have a webroot. The directory structure should look something like this:
/home/myUserName/public_html/

Anything within the public_html directory is web accessible. You want to put private files just above your webroot, into your myUserName directory. You may or may not be able to do this with your ftp client, you may have to use SSH, depending on where your ftp root (lowest directory accessbile to the ftp client) is set.

In your ftp window, you would likely need to click the ".." to go up one diretory, if allowed.
thank you for explaining the document root. most of my ISPs are windows base and I don't have this /home/myUserName/public_html/ so I can't put the config.php outside the website then as I dont have other choices - am I right?

If I can get as *nix based ISP, then there is another problem, how I can write a script in php to access the config.php outside the web root, for instance, if I can keep this config file in /home/myUserName/?

thanks! :)
Post Reply