Security: SHA256 Hashing Algorithm Updated v1.1.1

Small, short code snippets that other people may find useful. Do you have a good regex that you would like to share? Share it! Even better, the code can be commented on, and improved.

Moderator: General Moderators

User avatar
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Roja wrote:
Jenk wrote:
Roja wrote: The sha256 library posted works fine on PHP5.
But using PHP5's syntax?

What about public, private etc?
OH, you mean "Will you make a version that won't work on php4, just to avoid E_STRICT warnings".

Because thats what using public/private accomplishes, and little else.
No, and I didn't ask you to get cocky either :)

What about the use of __construct rather than the class name, which is the standard practice in PHP5.. I'm referring more to standards than anything else.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

it be a static class, __construct() is useless in thar.

yar.
User avatar
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India
Contact:

Post by n00b Saibot »

Maugrim_The_Reaper wrote:
that there was no implementation of it except in mcrypt - until feyd made it.

Yep, that was my meaning...works fine in PHP5 like Roja stated. If you need all the PHP5 specific changes, it's a simple editing matter I would think.
i think i kinda mixed up those two there :?
Taz
Forum Newbie
Posts: 2
Joined: Wed Sep 28, 2005 7:37 am
Location: Germany

Post by Taz »

Hello,
at first, excuse my bad english.
This class is great, but ist works wrong...

Here an example:

Code: Select all

$Test = "testing \n new line";

echo SHA256::hash($Test,'hex');          // === 6a09e667bb67ae853c6ef372a54ff53a510e527f9b05688c1f83d9ab5be0cd19
echo "<br />";
echo bin2hex(mhash(MHASH_SHA256, $Test));// === e4a0fefe91e4034616fea554554dbfad9600ee8b670754f6de4ffbfe6ce34c19
User avatar
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Delete the echo and string setting sections. There's no more than a handful...;) After try again and it'll work just fine.
Taz
Forum Newbie
Posts: 2
Joined: Wed Sep 28, 2005 7:37 am
Location: Germany

i found a bug

Post by Taz »

No, there is a Bug in the class "SHA256Message"!

This is not correct:

Code: Select all

preg_match_all( '#.{64}#', $str, $this->chunk );
You must change it to this:

Code: Select all

preg_match_all('#.{64}#s', $str, $this->chunk);
or better change it to this:

Code: Select all

$this->chunk = str_split($str, 64);
Then the class works fine :-)
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

can't use str_split() due to php5 only, but I will edit the code that was intended for single line usage...


done.
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

i got a wierd problem with the sha256 base file, prolly just something ive got wrong but for some reason the hash_base.php file is ending the header.

headers already sent by (output started at ....../functions/hash_base.php:175)

line 175 is just the closing php tag.

i copy pasted the code straight from your PHP tags.

thanks for any replies on this.
User avatar
Nathaniel
Forum Contributor
Posts: 396
Joined: Wed Aug 31, 2005 5:58 pm
Location: Arkansas, USA

Post by Nathaniel »

You have spaces before the <?PHP tag and/or after the ?> tag (located at the beginning and the end of the file, respectively). Remove them, and all will be well ;)
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

oh, thats what causes that, thanks :D
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

okay so Im trying to use this on passwords, and im at a loss on how to implement it =/

obviously i include the file, then I don't know what to do.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

scrotaye wrote:okay so Im trying to use this on passwords, and im at a loss on how to implement it =/

obviously i include the file, then I don't know what to do.

Code: Select all

$pass = SHA256::hash($_POST['password'],'hex');

if ($pass == $password_in_db) //All OK
EDIT | It's static of course so you don't need to worry about doing $foo = new SHA256() blah blah.... ;)
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

lets say the passwords are already md5()d

given the recent flaws in md5 security, would SHA256::hash(md5($_POST['value']),'hex'); make this any less secure?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

hashing an already hashed string increases the chance of a collision. It is possible to migrate to a new hash, you add a new field to your database that will store the sha256 hashs when users log in, and then proceed to authenticate on the md5 like usuall. once everyone has logged in once (or the majority of users) you switch your login sequence to check the sha256 values intead, after that works remove the md5 field. For users that did not login, you reset their password to a random string and email it to them. Much more secure.
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Well, I really don't want to do that seeing as a bunch of people get their inboxes flooded with junk, close their accounts, get new ones, or don't check it.

What if I do something like this:

Code: Select all

$pass = md5($_POST['pass']); // md5()'d pass

$sha256hash = SHA256::hash($pass,'hex'); // this is the sha256'd pass of the md5 hash
$password = $pass.$sha256hash; // this is the two values combined

if($password != $passindatabase) { die(); }
Now, I realize this would be a 96 character string, but it would let me avoid resetting people's passwords. What are your thoughts on this?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Post Reply