PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




Posted: Wed Aug 24, 2005 1:51 pm
DevNet Master

Joined: Mon Oct 25, 2004 9:29 pm
Posts: 3698
Location: New Jersey, US
Nope, that's even worse.

"BECAUSE OF THIS BUSINESS AGREEMENT YOU WILL PAY ME ONE DOLLARXXXXXXXXX."

and

"BECAUSE OF THIS BUSINESS AGREEMENT YOU WILL PAY ME TEN BILLION DOLLARS."

hash the same thing.

However, you've almost got the idea. The 'random' thing is called a "salt". http://en.wikipedia.org/wiki/Salt_%28cryptography%29


Posted: Wed Aug 24, 2005 2:17 pm
Tutorials Group

Joined: Sun Jan 04, 2004 11:30 pm
Posts: 2692
Sander wrote:
So, doing "md5(md5($var));" isn't a good idea, but how about something like this?

md5(md5(substr($var, 0, 16)) . strlen($var));


I believe stuff like that is done quite often; would adding other 'random' (the substr() and strlen()) things to the hash make it more secure?


You didn't finish your sentence - more secure than what?

More secure than just md5($var)?

No. Here's why - it's predictable, and it's flawed. As Ambush Commander correctly pointed out, by testing various hashes, they can quickly find the pattern that you use to construct your hash. That's what a good hash prevents - it makes it challenging to determine a pattern from chaos.

Now, what you are trying to do mentally, is add "some more randomness to it". The proper way, in md5, is via a salt. A salt is an additional input that is also not known, that also doesn't follow a predictable pattern.

By doing so you improve a TINY part of the security - you make rainbow tables less useful.

However, with new md5 compromises being found daily, and with processing power growing *every* day, AND with a perfectly working sha256 implementation in PHP, and Javascript, there is literally no reason to keep using md5.

In other words, "Is it more secure than md5()? No. However, sha256 is MUCH more secure, so use it!"

And you can even use a salt with sha256 too. :)
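
Added example, not part of any post in this thread: the construction quoted above run against the two messages from the first post on this page, next to a salted SHA-256 over the whole input. It assumes PHP 7 or later with the built-in hash() and random_bytes() rather than Feyd's script, and the function names are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not from the thread.

// The construction quoted above: only the first 16 bytes and the length
// of the input influence the result.
function proposed_scheme(string $var): string
{
    return md5(md5(substr($var, 0, 16)) . strlen($var));
}

// Salted SHA-256 over the entire input. The salt is stored beside the
// digest and is unique per record.
function salted_sha256(string $var, string $salt): string
{
    return hash('sha256', $salt . $var);
}

// Recompute with the stored salt and compare in constant time.
function verify(string $candidate, string $salt, string $stored): bool
{
    return hash_equals($stored, salted_sha256($candidate, $salt));
}

// The two messages from the first post on this page.
$a = 'BECAUSE OF THIS BUSINESS AGREEMENT YOU WILL PAY ME ONE DOLLARXXXXXXXXX.';
$b = 'BECAUSE OF THIS BUSINESS AGREEMENT YOU WILL PAY ME TEN BILLION DOLLARS.';

$salt1 = random_bytes(16);   // constructed sample salts
$salt2 = random_bytes(16);
$stored = salted_sha256('test', $salt1);

$checks = [
    'proposed scheme gives the same hash for both messages'
        => proposed_scheme($a) === proposed_scheme($b),
    'salted sha256 gives the same hash for both messages'
        => salted_sha256($a, $salt1) === salted_sha256($b, $salt1),
    'same password under two salts gives the same stored value'
        => salted_sha256('test', $salt1) === salted_sha256('test', $salt2),
    'correct password verifies against its salt'
        => verify('test', $salt1, $stored),
    'correct password verifies against another record\'s salt'
        => verify('test', $salt2, $stored),
];

foreach ($checks as $label => $result) {
    echo $label, ': ', var_export($result, true), PHP_EOL;
}
```

The proposed scheme cannot tell apart any two inputs that share their first 16 characters and their length, while the salted digest covers every byte and changes with each record's salt.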


Posted: Wed Aug 24, 2005 2:40 pm
Neighborhood Spidermoddy

Joined: Mon Mar 29, 2004 4:24 pm
Posts: 31559
Location: Bothell, Washington, USA
I fear we're starting to get into beating a dead horse, more than should be done normally....


Posted: Wed Aug 24, 2005 2:43 pm
DevNet Resident

Joined: Tue Jan 20, 2004 5:58 pm
Posts: 1537
Location: Minnesota
feyd wrote:
I fear we're starting to get into beating a dead horse, more than should be done normally....



Na, I'm still learning every time Roja posts. Thanks, Roja!


Posted: Wed Aug 24, 2005 2:44 pm
Forum Commoner

Joined: Sat Aug 06, 2005 12:43 pm
Posts: 38
I actually meant more secure than "md5(md5($var));", but I guess it also counts for "md5($var);" :)

Roja wrote:
However, with new md5 compromises being found daily, and with processing power growing *every* day, AND with a perfectly working sha256 implementation in PHP, and Javascript, there is literally no reason to keep using md5.

In other words, "Is it more secure than md5()? No. However, sha256 is MUCH more secure, so use it!"

And you can even use a salt with sha256 too. :)

Other than Feyd his sha256 script, I can't find any sha256 implementation in PHP (no built in stuff, anyway).

So should I use Feyd his script, or something else?


Posted: Wed Aug 24, 2005 2:48 pm
DevNet Master

Joined: Mon Oct 25, 2004 9:29 pm
Posts: 3698
Location: New Jersey, US
You can use Feyd's script (I'm not aware of any alternatives), and eventually PHP should build in a sha256 function. We all should celebrate when that day comes, because PHP for stuff like this is just plain sloooooow (when compared to C++ implementations, etc.).


Last edited by Ambush Commander on Wed Aug 24, 2005 2:51 pm, edited 1 time in total.

Posted: Wed Aug 24, 2005 2:48 pm
Tutorials Group

Joined: Sun Jan 04, 2004 11:30 pm
Posts: 2692
Sander wrote:
I actually meant more secure than "md5(md5($var));", but I guess it also counts for "md5($var);" :)

Yeah.

Sander wrote:
Other than Feyd his sha256 script, I can't find any sha256 implementation in PHP (no built in stuff, anyway).

So should I use Feyd his script, or something else?

Definitely use Feyd's. I've used it in a number of scripts, and tested it against a fairly large number of sha256 reference implementations, to the tune of thousands of matches, so it's definitely solid.

Did I mention it's fast, well-written, and made by a member of OUR forums? :)

Yeah, it's solid stuff.

neophyte wrote:
Na, I'm still learning every time Roja posts. Thanks, Roja!

I'm happy to help, but it is feeling a bit redundant.

In a nutshell, trying to find a more secure way to keep using a flawed algorithm is just a waste of time. No matter how much magic you throw into md5, the algorithm is flawed. Just use sha256. :)


Posted: Wed Aug 24, 2005 2:50 pm
DevNet Master

Joined: Thu Aug 15, 2002 5:53 am
Posts: 4235
Location: Sussex, UK
Sander wrote:
So should I use Feyd his script, or something else?


You will soon hear a chorus of yes to use Feyd's sha256 implementation.

edit: gah, too slow Patrik his hands type today.


Posted: Wed Aug 24, 2005 2:57 pm
Forum Commoner

Joined: Sat Aug 06, 2005 12:43 pm
Posts: 38
Okidokie, Feyd his implementation it is :) Thanks for all the feedback guys (And, of course, thanks for Feyd for the great script :) )


Posted: Wed Aug 24, 2005 3:28 pm
DevNet Master

Joined: Tue Dec 28, 2004 6:57 pm
Posts: 2745
Location: Tallinn, Estonia
but can't feyd's script be just as easy to brute force as any other different type of encryption/hash? i mean when it comes to brute force there is no difference right?


Posted: Wed Aug 24, 2005 3:39 pm
Neighborhood Spidermoddy

Joined: Mon Mar 29, 2004 4:24 pm
Posts: 31559
Location: Bothell, Washington, USA
you're welcome. As far as I know, it is the only platform independent, nonmodule implementation. I built it for speed, given the circumstances.



FYI, it was built in response to this thread: http://forums.devnetwork.net/viewtopic.php?t=30797 and none of us finding a (suitable or not) implementation of it for php...



brute forcing mine will often take... a bit longer to get it.. provided your key's length is not known, and it is reasonably sized.


Posted: Wed Aug 24, 2005 4:27 pm
Tutorials Group

Joined: Sun Jan 04, 2004 11:30 pm
Posts: 2692
shiznatix wrote:
but can't feyd's script be just as easy to brute force as any other different type of encryption/hash? i mean when it comes to brute force there is no difference right?

There is a difference.

First, let's look at it "the long way" (also the wrong way.. I crack myself up):

(using the word "test"):
MD5 : 098f6bcd4621d373cade4e832627b4f6
SHA1: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

See a difference? Imagine trying to guess every character in the first one, and then trying to guess every one in the second one. Which takes longer? Definitely SHA.

(Feyd's script is sha256, which is even LONGER!)

Of course, as I said, that's the wrong way to look at it. I'm cheating by looking at the output.

To be fair, a brute force on both runs against the INPUT, not the output. The input of both is the same..

But sha takes a *tiny* bit longer to process. For a user, you honestly cannot tell the difference.

For someone trying 2million+ entries? It adds up fast!

Let's say it's 0.1 second. Since most page generation in php/sql can be done in < 0.5s, and the variation (+/-) is about 0.1s, we can say that a user can't tell the difference.

But an attacker hits 0.1 seconds * 2 million times = 200,000 seconds. That's 55 hours, and that's a relatively small dictionary.

So yes, in every way, there is a big difference for the attacker in which hash function you use. :)


Posted: Thu Nov 10, 2005 11:42 pm
Forum Contributor

Joined: Thu Oct 20, 2005 4:55 pm
Posts: 106
Location: California
What if you md5 or sha1 a password 4 or 5 times before storing it? Or, maybe 500 times.


Posted: Fri Nov 11, 2005 12:08 am
DevNet Master

Joined: Wed Feb 11, 2004 4:23 pm
Posts: 4872
Location: Palm beach, Florida
dallasx, please re-read the thread


Posted: Fri Nov 11, 2005 12:16 am
Forum Contributor

Joined: Thu Oct 20, 2005 4:55 pm
Posts: 106
Location: California
jshpro2 wrote:
dallasx, please re-read the thread

Ahhhh, got it. I guess I tend to skip over things when I'm 11 beers deep. Thanks for pointing that out.

