PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




PostPosted: Mon Nov 18, 2013 10:30 pm 
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
I'm a little confused on how the automatic salt is supposed to work for the new PHP 5.5 functions for hashing. The manual says:
Quote:
It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

This is something I've always used something like:
Code:
mcrypt_create_iv(22, MCRYPT_DEV_URANDOM)

to build. Then I store the salt separately along with the password for verification later.

How does this work with allowing PHP to manage the salts? Or is this "secure salt" really a site-wide salt which is more like a pepper? Where does it get stored?


PostPosted: Tue Nov 19, 2013 6:23 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
Works similarly to how bcrypt has, with all the information in the hashed password.

From password_verify() manual page:
Quote:
Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

_________________
Supported PHP versions No longer supported versions


PostPosted: Tue Nov 19, 2013 12:33 pm 
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
Right, but I don't see how that is supposed to help slow down rainbow table brute-force attacks. The idea of the salt is to help strengthen each individual password with its own randomness. So every password is hashed with a fresh salt. These have to be stored somewhere and applied when verifying the password.

I would have to assume that password_hash reuses the same salt each time, as it couldn't store a hidden salt somewhere every time it hashes. To me this means it is using some kind of pepper scheme, not a salt.

I read the author's description, so I guess I'll go in and have a look at the source code.


PostPosted: Tue Nov 19, 2013 1:11 pm 
Moderator

Joined: Mon Nov 03, 2003 7:13 pm
Posts: 5978
Location: Odessa, Ukraine
Quote:
I would have to assume that password_hash reuses the same salt each time as it couldn't store a hidden salt somewhere every time it hashes.

Quote:
with all the information in the hashed password.

and no, it generates different hashes each time it's called:
Code:
~❯ php -r 'var_dump(password_hash("password", PASSWORD_DEFAULT));'
string(60) "$2y$10$GZGQxfLEw84kT7xMsnF2.ub9nv6MJLp..HVdkMlhvp3OqyXdKACX."
~❯ php -r 'var_dump(password_hash("password", PASSWORD_DEFAULT));'
string(60) "$2y$10$tXCspX1WTpEy5Z8/n3PKz.Zn7r7ZiLOH00ds9ZrgJUgmq703jmAdK"


Salt is 22 characters following the last $ character. The rest is the hashed password.


PostPosted: Tue Nov 19, 2013 4:27 pm 
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
Thanks. I saw that after looking through the source. That $2y is blowfish, $10 is the cost, then the salt+hash. My meager cryptography knowledge confused me with the language of the description that the "salt is included in the hash". I was thinking along the lines of other PHP hash functions
Code:
$hash=hash('whirlpool',$salt.$string)

and there was no way to separate them after hashing. But they are doing it the crypt way where it is concatenated.
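The two storage shapes discussed in this thread, as an added example that is not code from any of the posters: it dissects the `$2y$10$...` string from the moderator's `php -r` output into algorithm, cost, salt and hash, shows that two `password_hash()` calls produce different salts that `password_verify()` recovers from the string itself, and contrasts that with the `hash('whirlpool', $salt . $string)` scheme from the last post, where the salt has to live in its own field because nothing in the output marks where it ends. The function names are my own; it assumes PHP 7 or later for scalar type hints, `random_bytes()` and `hash_equals()` (the thread was written against PHP 5.5, where only the `password_*()` calls exist).

```php
<?php
// Added example (not from the thread). Assumes PHP 7+.

// Split a "$2y$<cost>$<22-char salt><31-char hash>" bcrypt string into its parts.
// bcrypt strings are always 60 characters: "$2y$" + 2-digit cost + "$" + 22 + 31.
function parse_bcrypt(string $hash): array
{
    $re = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (strlen($hash) !== 60 || !preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return [
        'algo' => $m[1],        // "2y": the crypt identifier for bcrypt (Blowfish-based)
        'cost' => (int) $m[2],  // work factor, 2^cost rounds
        'salt' => $m[3],        // 22 chars of bcrypt base64, freshly generated per call
        'hash' => $m[4],        // 31 chars of bcrypt base64
    ];
}

// Hash the same password twice: different salt, different string, both verify,
// and password_verify() needs nothing but the one stored string.
function demo_self_describing(string $password): array
{
    $h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $p1 = parse_bcrypt($h1);
    $p2 = parse_bcrypt($h2);
    return [
        'cost'           => $p1['cost'],
        'salts_differ'   => $p1['salt'] !== $p2['salt'],
        'hashes_differ'  => $h1 !== $h2,
        'both_verify'    => password_verify($password, $h1) && password_verify($password, $h2),
        'wrong_rejected' => !password_verify($password . 'x', $h1),
    ];
}

// The scheme from the last post: hash('whirlpool', $salt . $string). The output
// carries no delimiter, so the salt must be stored as a separate field.
// Whirlpool is a fast general-purpose hash and is kept here only to show the
// storage difference; password_hash() remains the API to use for passwords.
function store_separate_salt(string $password): array
{
    $salt = bin2hex(random_bytes(16));  // 32 hex chars, saved next to the hash
    return ['salt' => $salt, 'hash' => hash('whirlpool', $salt . $password)];
}

function verify_separate_salt(string $password, array $record): bool
{
    // The caller must hand back the stored salt; the hash alone is not verifiable.
    $candidate = hash('whirlpool', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate);  // constant-time compare
}

// Usage
var_dump(parse_bcrypt('$2y$10$GZGQxfLEw84kT7xMsnF2.ub9nv6MJLp..HVdkMlhvp3OqyXdKACX.'));
var_dump(demo_self_describing('password'));

$rec = store_separate_salt('password');
var_dump(verify_separate_salt('password', $rec));
var_dump(verify_separate_salt('wrong', $rec));
```

The first `var_dump` uses the exact string the moderator posted, so you can see the 22-character salt and 31-character hash fall out of it without any separate lookup. In the whirlpool variant the `$rec['salt']` field is the thing the original poster was generating with `mcrypt_create_iv()` and storing in its own column; `password_verify()` makes that column unnecessary because the salt is parsed back out of the string on every check.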

