challenge response code with sha512 instead of sha256

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
gf05856
Forum Newbie
Posts: 16
Joined: Sat Sep 02, 2006 11:17 am
Location: Belgium

challenge response code with sha512 instead of sha256

Post by gf05856 »

I see that the Challenge/response tutorial now supports sha256 including the javascript version,
Is there a way to replace this with the php build in sha512 version?
I think I already managed to change some code but do not know where to start to replace the javascript ...

Code: Select all

(login.php)
Original: $expected_response = SHA256::hash($response_string);
New: $expected_response = hash('sha512', $response_string);

Original: if(SHA256::hash($_POST['userpass']) == $user['password'])
New:  if(hash('sha512',($_POST['userpass'])) == $user['password'])

and 
(index.php)
Orininal: $challenge = SHA256::hash(uniqid(mt_rand(), true));
New: $challenge = hash('sha512', (uniqid(mt_rand(), true)));
The javascript code in the form go's like this ... should I replace it with something from php or ajax?!?

Code: Select all

<script language="javascript" src="sha256.js" type="text/javascript"></script>
<!--
    Include a javascript function to manipulate our form data, i.e. to generate a Response string, delete
    userpass and challenge prior to allowing submission. Rem: we don't want to send a plain text password!
-->
<script language="javascript" type="text/javascript">
<!--
  function doChallengeResponse() {
    str = document.login_form.username.value.toLowerCase() + ":" +
    sha256_digest(document.login_form.userpass.value) + ":" +
    document.login_form.challenge.value;
    document.login_form.userpass.value = "";
    document.login_form.challenge.value = "";
    document.login_form.response.value = sha256_digest(str);
    return false;
  }
// -->
</script>
</head>
<body>
<h3>Challenge Response Login Form</h3>
<br />
<br />
    <!--
        Our form has 4 fields - but only 2 are submitted. The doChallengeResponse() javascript function
        will generate a Response and set it as the value of 'response'. The same function will also unset
        the value of the 'userpass' field, and 'challenge' field which we DO NOT want sent!

        The javacript function is called when the user submits the form - see the onsubmit tag...
    -->
    <form method="post" action="login.php" name="login_form" id="login_form" onsubmit="doChallengeResponse()">
    Username:&nbsp;&nbsp;<input type="text" name="username" id="username" value="" size="16" />
    <br />
    Password:&nbsp;&nbsp;<input type="password" name="userpass" id="userpass" value="" size="16" />
    <br /><br />
    <input type="reset" name="u_reset" id="u_reset" value="Reset" />&nbsp;&nbsp;<input type="submit" name="u_submit" id="u_submit" value="Login" />
    <!--
        Insert the Challenge value from the server with a small PHP echo()
    -->
    <input type="hidden" name="challenge" id="challenge" value="<?php echo($challenge); ?>" />
    <!--
        Our 'response' field will be filled by the javascript function once the Response string is generated
    -->
    <input type="hidden" name="response" id="response" value="" />
</form>
Thanks for your support!
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You'll need a Javascript version of SHA512.
gf05856
Forum Newbie
Posts: 16
Joined: Sat Sep 02, 2006 11:17 am
Location: Belgium

Post by gf05856 »

Then I am doommmmmmmmmed to wait until you write one?

Did not find any on google...
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I have no plan to write one. The plan is to write the pure php versions only. You may not know this but I didn't write the Javascript version in that tutorial, only the PHP version.
gf05856
Forum Newbie
Posts: 16
Joined: Sat Sep 02, 2006 11:17 am
Location: Belgium

Post by gf05856 »

Just for info, asked some people around, and apparently the javascript machines out there (at least IE & Firefox) do not support 64bit ints which makes it almost impossible to write a javascript that copes with 64bit ints instead of 32bit ints so sha512 and sha384 can't be implemented in javascript right now (at least without going through loads of pain to make all the 64bit math with 32bit ints).
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

haha, those people apparently don't know how to do 64bit math on 32bit machines then I guess. It's not all that more difficult, just need to build an INT64 library (if one doesn't already exist, which I find hard to believe.)

Just so you know, PHP doesn't have 64bit support on most platforms, yet it's quite possible for me to write a library to do them without trouble.
Post Reply