SHA256 or higher...
- tecktalkcm0391
- DevNet Resident
- Posts: 1030
- Joined: Fri May 26, 2006 9:25 am
- Location: Florida
SHA256 or higher...
How do I use SHA256... I've been looking for 10 minutes now... and I can't find anything with its PHP use... and just making sure SHA256 is the highest PHP has so far, and at the moment most secure.
Re: SHA256 or higher...
http://php.net/hash - looking for hash() function
- tecktalkcm0391
- DevNet Resident
- Posts: 1030
- Joined: Fri May 26, 2006 9:25 am
- Location: Florida
Re: SHA256 or higher...
Ok, well which is better the hash function in PHP or the class that is on this forum....??? I read something, on that, but didn't really get it... it's less secure to use SHA256(md5($text)); than sha256 by itself.
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
Re: SHA256 or higher...
feyd wrote a php4 implementation of sha256: http://code.google.com/p/redwidow-dna/downloads/list
in php5 you can just use the hash() function as jmut suggested.
the php5 function would be faster, since it's compiled code.
Re: SHA256 or higher...
tecktalkcm0391 wrote: Ok, well which is better the hash function in PHP or the class that is on this forum....??? I read something, on that, but didn't really get it... it's less secure to use SHA256(md5($text)); than sha256 by itself.
I know nothing about algorithms... but seems kinda useless as you sha256 on constant length string.... which might be weakening stuff... You're pretty safe with just sha256
If you wanna use this for storing passwords you can check this really nice article by Mordred viewtopic.php?t=62782
Re: SHA256 or higher...
I'm pretty sure that's incorrect. Running nested hashing algorithms makes it harder to reverse engineer your hashed data from rainbow tables. The attacker would have to also guess your order of applying hashing algorithms, instead of attacking known algorithms directly.
Regarding weakening the strength of the hashing algorithm - each algorithm creates a unique string. Hashing it once more in another algorithm creates another unique string, it doesn't matter if it's fixed size or not, it's still unique non-reversible strings.
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
Re: SHA256 or higher...
double hashing increases the chances of a collision, since hashes are presumably a smaller set than the thing you're hashing the first time.
I also remember reading somewhere that double hashing is less secure, since there are exploits that knowing the second hash makes possible.
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
Re: SHA256 or higher...
Straight from Mordred's post, linked by jmut:
I. The school of doublehashing
The reasoning is that there are precomputed dictionaries for HASH(password), but not ones for HASH(HASH(password)), so here's an easy way to defeat password stealers. While this is true, the method still has the unpleasant property that Bob's and Cindy's doubly hashed passwords are still the same.
Apart from that, from a cryptological point of view, double hashing is considered insecure, although I suspect that in reality this would not impact anyone but an enemy of the NSA or something. I am not a cryptologist though, so I listen to what the experts are saying, which is not to do it. You may use this mantra in your daily meditations: Never never ever ever double double hash.
Personally, I dislike the term double hashing because it's the same term used for a probing algorithm when implementing hash sets, and in that sense, double hashing is the best way to go about things rather than a poor way in this case.
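An added example, not part of the thread or of Mordred's article, showing the property quoted above: nesting md5 inside SHA-256 still gives Bob and Cindy the same stored value, while a per-user salt does not. The function names, user names and passwords are constructed for illustration, and the example goes one step beyond the thread by ending with PHP's built-in `password_hash()`; `random_bytes()`, `hash_equals()` and `password_hash()` need a newer PHP than the versions discussed here.

```php
<?php
// Constructed sample data: two users who picked the same password.
$users = array('bob' => 'letmein', 'cindy' => 'letmein');

// 1. Plain SHA-256 through the hash() extension mentioned in the thread.
function single_hash($password) {
    return hash('sha256', $password);
}

// 2. The nested scheme debated in the thread: SHA256(md5($text)).
function double_hash($password) {
    return hash('sha256', md5($password));
}

// 3. Hypothetical helper: random per-user salt stored beside the digest.
function salted_hash($password) {
    $salt = bin2hex(random_bytes(16));           // PHP 7+
    return $salt . '$' . hash('sha256', $salt . $password);
}

// Re-derive the digest with the stored salt and compare in constant time.
function salted_verify($password, $stored) {
    list($salt, $digest) = explode('$', $stored, 2);
    return hash_equals($digest, hash('sha256', $salt . $password)); // PHP 5.6+
}

// Compare what ends up in the database for Bob and Cindy under each scheme.
foreach (array('single_hash', 'double_hash', 'salted_hash') as $scheme) {
    $bob   = $scheme($users['bob']);
    $cindy = $scheme($users['cindy']);
    printf("%-12s identical stored value: %s\n",
           $scheme, $bob === $cindy ? 'yes' : 'no');
}

// The salted record still verifies, because the salt travels with it.
$record = salted_hash($users['bob']);
var_dump(salted_verify('letmein', $record));
var_dump(salted_verify('wrong guess', $record));

// password_hash() (PHP 5.5+) generates the salt itself and uses a
// deliberately slow algorithm, which a single fast SHA-256 pass is not.
$stored = password_hash($users['cindy'], PASSWORD_DEFAULT);
var_dump(password_verify('letmein', $stored));
var_dump($stored === password_hash($users['bob'], PASSWORD_DEFAULT));
```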
Re: SHA256 or higher...
Can anyone bring concrete evidence as to why double hashing is unsecure?
- tecktalkcm0391
- DevNet Resident
- Posts: 1030
- Joined: Fri May 26, 2006 9:25 am
- Location: Florida
Re: SHA256 or higher...
Wouldn't double hashing, when you don't just do md5(md5)) or similar be secure so something like:
md5('qrstuvwxyz'.md5('abc'.$input.'dfg').'hijklmnop');
Because each hash will be hashing an even more unique hash that is not just the same original hashes length..
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
Re: SHA256 or higher...
IIRC, double hashing's vulnerability was in the fact that the second hash has a MUCH smaller dictionary size, since the size of all known hashes is almost infinitely smaller than the size of all strings.
The hardcore math stuff in the article was beyond me, but the bottom line was that using a single hash with a salt was dramatically more secure.
I wish I'd bookmarked that article so I had smart people backing up my broken-telephone recount :-/
This entire argument seems to be getting a little ridiculous, IMO, since most users will pick rather insecure passwords anyway.
Besides, if someone can physically access or otherwise pwn your server, all of these measures become moot.
What a fun word: Moot. MOOOOOOT!
Re: SHA256 or higher...
Kieran Huggins wrote: ....
Besides, if someone can physically access or otherwise pwn your server, all of these measures become moot.
Well why, ultimate idea is you need as much (same) amount of computation power to crack EACH pass (without salting, hashes of same passwords are same)...
Which I think makes big difference.
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
Re: SHA256 or higher...
I think Kieran is getting at the fact that if someone can get access to your database and your web server you're screwed cos they can see the hashed strings and look at whatever hashing algorithm you used.
Re: SHA256 or higher...
jayshields wrote: I think Kieran is getting at the fact that if someone can get access to your database and your web server you're screwed cos they can see the hashed strings and look at whatever hashing algorithm you used.
I see, well it's clear that there is no ultimate security.... and that's why being secure is a process and not a state.
Anyhow