PHP and Whirlpool Encryption

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

cx_newton
Forum Newbie
Posts: 3
Joined: Wed Dec 07, 2011 3:55 am

PHP and Whirlpool Encryption

Post by cx_newton »

Hi there everyone, I'm new here, and after browsing the internet for the answer to my troubles I think this is my final resort.

I'm currently working on a web interface system for a client that allows users to log in, view, manage and control user accounts that are called from a MySQL database. Everything is written and ready to go live bar one major function: the secure login.

I currently have a login script that simply runs off plain text for the purpose of development, but now that the system is ready to go live I need to get this system working. So here are the details.

The login system, like most, collects the information from the login form and forwards it to loginscript.php. Once there it needs to encrypt the attempted password and compare it to the stored password. This is where I am having the issues.

I need help with the encryption on the attempted password. The stored passwords are encrypted in whirlpool using a 128 character hash.

If there is someone here who has any knowledge in this area I will be truly grateful,

Thanks for reading,

Callum
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: PHP and Whirlpool Encryption

Post by Weirdan »

Code:

> php -r 'var_dump(in_array("whirlpool", hash_algos()));'
bool(true)

Is there any specific problem you're having? Or you simply don't know where to start?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: PHP and Whirlpool Encryption

Post by social_experiment »

http://www.php.net/manual/en/book.hash.php
This might be useful to you
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
cx_newton
Forum Newbie
Posts: 3
Joined: Wed Dec 07, 2011 3:55 am

Re: PHP and Whirlpool Encryption

Post by cx_newton »

@Weirdan The major issue I'm having is I don't know where to start. As I stated, I have my login script and I have my whirlpool encrypted passwords, I just don't know how to encrypt the $_POST['username'] and the fact we have a custom 128 character custom hash.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: PHP and Whirlpool Encryption

Post by social_experiment »

Code:

string hash ( string $algo , string $data [, bool $raw_output= false ] )

That is how you would hash your $_POST received value; substituting $algo with whirlpool and $data with $_POST['username']
faarigia
Forum Newbie
Posts: 1
Joined: Mon Feb 16, 2015 6:00 am

Re: PHP and Whirlpool Encryption

Post by faarigia »

Thanks for your reply. Pardon my n00bness. If my data were attacked, the attacker would also have access to the script, and thus the salt. So how would the hash of salt+password be more secure?

So you're saying I should replace the key with hash('sha256', 'asdf324!.#qQ' . $password)?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: PHP and Whirlpool Encryption

Post by Celauran »

The main benefit of a salt is to protect against rainbow table lookups. Even an application-wide random salt is going to change all the hashes, so their list of known hashes no longer works. Per-user salts confound that even more. You're right in assuming that with access to your salts, your hashes, and enough time, an attacker will be able to work out your passwords. This is where Blowfish and the concept of a work factor begin to shine. You simply make it so computationally expensive to try to brute force your passwords that it becomes not worth their time. tl;dr Use bcrypt.
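
Added example (not part of any post in this thread, and not anyone's production code): a login check that accepts the legacy 128-character Whirlpool hashes discussed above and upgrades them to bcrypt on the next successful login. It assumes the stored legacy value is a plain unsalted hex digest from hash('whirlpool', ...); the function name verify_login, the BCRYPT_OPTIONS constant and the sample row are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumption: each user row has a
// password_hash column holding either a legacy unsalted Whirlpool hex digest
// (128 chars) or a password_hash() string. The row below is constructed.

const BCRYPT_OPTIONS = ['cost' => 12]; // work factor; tune to your hardware

/**
 * Check a login attempt. Returns [bool $ok, ?string $newHash]; $newHash is
 * non-null when the stored value should be replaced with a bcrypt hash.
 */
function verify_login(string $attempt, string $stored): array
{
    // Legacy format: 128 hex characters = 512-bit Whirlpool digest.
    if (strlen($stored) === 128 && ctype_xdigit($stored)) {
        $candidate = hash('whirlpool', $attempt);
        // hash_equals() compares in constant time (PHP 5.6+).
        if (!hash_equals(strtolower($stored), $candidate)) {
            return [false, null];
        }
        // Correct password: hand back a bcrypt hash to store instead.
        return [true, password_hash($attempt, PASSWORD_BCRYPT, BCRYPT_OPTIONS)];
    }

    // Modern format: password_verify() reads salt and cost from the string.
    if (!password_verify($attempt, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
        ? password_hash($attempt, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
        : null;
    return [true, $new];
}

// Constructed sample row standing in for a database record.
$row = ['username' => 'demo', 'password_hash' => hash('whirlpool', 'correct horse')];

// First login: the legacy hash matches and a bcrypt replacement is returned.
[$ok, $newHash] = verify_login('correct horse', $row['password_hash']);
if ($ok && $newHash !== null) {
    $row['password_hash'] = $newHash; // in a real app: UPDATE the user's row
}

// Later logins go through password_verify(); a wrong password is rejected.
[$okAgain, $rehash] = verify_login('correct horse', $row['password_hash']);
[$okWrong] = verify_login('wrong guess', $row['password_hash']);
var_dump($ok, $okAgain, $rehash === null, $okWrong);
```

Until a user logs in again, their row still holds the fast unsalted digest, so the upgrade only protects accounts that have authenticated since it was deployed.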