Easy high security crypto function

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

fourthwall
Forum Newbie
Posts: 3
Joined: Thu Sep 29, 2011 3:18 am

Post by fourthwall »

Hello everyone!

I was having some problems with crypt() so I wrote a function to make hashing passwords MUCH easier:

<?php
function hasher($info, $encdata = false)
{
  $strength = "08";
  // If a stored value is passed, check the input ($info) against it
  if ($encdata) {
    // Cost is read from the stored hash; the salt is the 22 chars appended after it
    if (substr($encdata, 0, 60) == crypt($info, "$2a$".substr($encdata, 4, 2)."$".substr($encdata, 60))) {
      return true;
    }
    else {
      return false;
    }
  }
  else {
    // Make a salt, hash the input with it, and add the salt to the end
    $salt = "";
    for ($i = 0; $i < 22; $i++) {
      $salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1);
    }
    // Return an 82-char string (60-char hash & 22-char salt)
    return crypt($info, "$2a$".$strength."$".$salt).$salt;
  }
}
?>

If just data is passed to it, it will hash it with a randomly generated salt, then append the hash to the end. If you wish to compare input to a hash, you just feed it the input, then the hash; it will retrieve the salt from the hash, then hash the input with it and compare the result to the hash you fed it. It is a cryptographic function optimized for hashing passwords.

I hope some of you find this useful. I published this on the crypt() manual, but I saw this forum and liked it, and wanted to make a first post that was useful to someone. Hope this helps, criticism is welcome! Moore's law compatibility is controlled via the $strength var, that controls the difficulty of the hashing function. This is as secure as password hashing really gets.

It's my own drop-in replacement for PHPass, basically.
Last edited by fourthwall on Thu Sep 29, 2011 10:07 am, edited 1 time in total.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Easy high security crypto function

Post by Mordred »

1. I don't see what problem with crypt() you had, since you *are* using crypt here.
2. These are two functions rolled into one, a bad smell. I'd split them into hash() and check() halves.
3. When checking you are using the $strength as defined in the function, not in the hash. This is not necessarily bad, but you must be aware that it will make your hashes not backward compatible.
fourthwall
Forum Newbie
Posts: 3
Joined: Thu Sep 29, 2011 3:18 am

Re: Easy high security crypto function

Post by fourthwall »

It was meant to be a wrapper to simplify password hashing, as it handles salt generation and doesn't require the client code to store the salt separately and pass it back, etc. I found it useful :) As for the strength value, it was just there for people to choose it when they implement it.

This is just a simplified wrapper for crypt().
fourthwall
Forum Newbie
Posts: 3
Joined: Thu Sep 29, 2011 3:18 am

Re: Easy high security crypto function

Post by fourthwall »

Okay, it's now reverse compatible with lower strength hashes, thanks for that.
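
Added example, not part of the thread and not fourthwall's code: the hash()/check() split Mordred suggests, relying on the fact that a bcrypt string returned by crypt() already carries its cost and salt, so the stored hash can be passed back as the setting. The function names pw_hash() and pw_check(), the $2y$ prefix (the thread uses $2a$), PHP 7+ and the sample passwords are assumptions of this example.

```php
<?php
// Added example (PHP 7+). pw_hash() and pw_check() are hypothetical names.

function pw_hash(string $password, int $cost = 8): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be 04..31');
    }
    // 16 bytes from the OS CSPRNG -> 22 chars; bcrypt's alphabet has '.' where base64 has '+'
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash; // cost and salt are embedded; nothing needs appending
}

function pw_check(string $password, string $stored): bool
{
    // Accept only a well-formed 60-char bcrypt string as the setting.
    if (!preg_match('/^\$2[axy]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $stored)) {
        return false;
    }
    // crypt() takes cost and salt from $stored, so hashes made with an
    // older, lower cost keep verifying after the default is raised.
    $candidate = crypt($password, $stored);
    // hash_equals() compares in constant time, unlike ==.
    return hash_equals($stored, $candidate);
}

// Constructed sample input: same password hashed at two different costs.
$low  = pw_hash('correct horse battery', 4);
$high = pw_hash('correct horse battery', 10);
var_dump(pw_check('correct horse battery', $low));
var_dump(pw_check('correct horse battery', $high));
var_dump(pw_check('wrong guess', $high));
```

PHP 5.5 and later ship password_hash() and password_verify(), which wrap the same bcrypt format and cover both halves without a hand-built salt.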