Easy high security crypto function

Posted: Thu Sep 29, 2011 3:38 am
by fourthwall
Hello everyone!

I was having some problems with crypt() so I wrote a function to make hashing passwords MUCH easier:

<?php
function hasher($info, $encdata = false)
{
  $strength = "08"; // bcrypt cost parameter (two digits, 04-31); higher means slower hashing
  // If encrypted data is passed, check it against the input ($info).
  // The cost is read from the stored hash (chars 4-5) and the salt from the
  // 22 characters appended after the 60-char bcrypt string.
  if ($encdata) {
    if (substr($encdata, 0, 60) === crypt($info, '$2a$' . substr($encdata, 4, 2) . '$' . substr($encdata, 60))) {
      return true;
    } else {
      return false;
    }
  } else {
    // Make a 22-char salt from the bcrypt alphabet, hash the input with it,
    // and append the salt to the end. Note: mt_rand() is not a cryptographically
    // secure generator.
    $salt = "";
    for ($i = 0; $i < 22; $i++) {
      $salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1);
    }
    // Return an 82-char string (60-char hash & 22-char salt).
    return crypt($info, '$2a$' . $strength . '$' . $salt) . $salt;
  }
}
?>
If just data is passed to it, it will hash it with a randomly generated salt, then append the hash to the end. If you wish to compare input to a hash, you just feed it the input, then the hash; it will retrieve the salt from the hash and then hash the input with it, and compare it to the hash you fed it. It is a cryptographic function optimized for hashing passwords.

I hope some of you find this useful. I published this on the crypt() manual, but I saw this forum and liked it, and wanted to make a first post that was useful to someone. Hope this helps; criticism is welcome! Moore's law compatibility is controlled via the $strength var, which controls the difficulty of the hashing function. This is as secure as password hashing really gets.

It's my own drop-in replacement for PHPass, basically.

Re: Easy high security crypto function

Posted: Thu Sep 29, 2011 5:17 am
by Mordred
1. I don't see what problem with crypt() you had, since you *are* using crypt here.
2. These are two functions rolled into one, a bad smell. I'd split them into hash() and check() halves.
3. When checking you are using the $strength as defined in the function not in the hash. This is not necessarily bad, but you must be aware that it will make your hashes not backward compatible.
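
The split into hash and check halves suggested in point 2, with the cost read back from the stored hash as point 3 calls for, as an added example that is not code from this thread. It assumes PHP 7.0 or later for random_bytes() and hash_equals(), and uses the $2y$ bcrypt identifier rather than $2a$; on PHP 5.5+ the built-in password_hash()/password_verify() pair does the same job.

```php
<?php
// Added example (not this thread's code); assumes PHP 7.0+ for random_bytes()/hash_equals().

function make_salt(): string
{
    // 22 chars from the bcrypt alphabet via the OS CSPRNG, not mt_rand();
    // 64 divides 256, so "& 63" keeps every character uniformly distributed.
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    foreach (str_split(random_bytes(22)) as $byte) {
        $salt .= $alphabet[ord($byte) & 63];
    }
    return $salt;
}

function hash_password(string $password, int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // $2y$ is the corrected bcrypt identifier available since PHP 5.3.7.
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, make_salt()));
    // crypt() reports failure with a short string such as "*0"; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function check_password(string $password, string $stored): bool
{
    // Cost and salt live in the first 29 chars of $stored, so passing the stored
    // hash as the setting re-derives them: older, lower-cost hashes still verify.
    if (strlen($stored) !== 60) {
        return false;
    }
    return hash_equals($stored, crypt($password, $stored));
}

function needs_rehash(string $stored, int $current_cost): bool
{
    // True when the stored cost is below today's: rehash after the next successful login.
    return (int) substr($stored, 4, 2) < $current_cost;
}

$stored = hash_password('correct horse battery staple', 10);
var_dump(check_password('correct horse battery staple', $stored));
var_dump(check_password('wrong password', $stored));
var_dump(needs_rehash($stored, 12));
```

Hashes produced by the thread's hasher() are 82 characters (hash plus appended salt); check_password() expects the bare 60-character bcrypt string, so strip the trailing 22 characters before passing one in.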

Re: Easy high security crypto function

Posted: Thu Sep 29, 2011 6:13 am
by fourthwall
It was meant to be a wrapper to simplify password hashing, as it handles salt generation and doesn't require the client code to store the salt separately and pass it back, etc. I found it useful :) And the strength value was just there for people to choose when they implement it.

This is just a simplified wrapper for crypt().

Re: Easy high security crypto function

Posted: Thu Sep 29, 2011 10:07 am
by fourthwall
Okay, it's now reverse compatible with lower-strength hashes; thanks for that.