Page 2 of 3

Posted: Sat Jun 10, 2006 12:53 pm
by Oren
Maugrim_The_Reaper wrote: Why settle for lower security?
Answer:
Maugrim_The_Reaper wrote: It's not available as a native PHP function like md5() or sha1()
:D

Posted: Sat Jun 10, 2006 1:51 pm
by feyd
SHA256 doesn't have to be a native function (although it is in later versions of PHP). When you have a pure PHP solution, it's just as simple to use.

Posted: Sat Jun 10, 2006 2:12 pm
by Oren
In my opinion, it's a big difference. For sha256, you have to include the class each time you want to use it and to create a new instance. For md5, you simply use it like any other function.

Posted: Sat Jun 10, 2006 2:15 pm
by feyd
No new instance is required. It's a static call.

Posted: Sat Jun 10, 2006 2:35 pm
by Oren
What's a static call?

Posted: Sat Jun 10, 2006 2:43 pm
by feyd
Oren wrote: What's a static call?

$hash = SHA256::hash('abc');
No new instance of SHA256 has to be created.

Posted: Sat Jun 10, 2006 3:03 pm
by Oren
Oh yeah... I know about this, but couldn't remember it was called 'a static call' - I realized it was called 'a static call' only 1-2 days ago (don't forget I'm new to OOP).

Thanks for reminding me :wink:

Posted: Sat Jun 10, 2006 9:25 pm
by bdlang
Err, just so we're all clear, MD5 is a one-way HASH, not encryption (SHA1, SHA256 included), and it's interesting to me that a lot of coders don't realize this. Just note that the thread is entitled 'encryption' and that not a single post mentions any actual encryption method. Encryption assumes decryption.

Obviously all the experienced PHP coders on this thread know this, I just want to make sure everybody (including the thread starter) does.

Great discussion of HASH implementation and collisions, however. :)

Posted: Sat Jun 10, 2006 10:19 pm
by Roja
bdlang wrote: Err, just so we're all clear, MD5 is a one-way HASH, not encryption (SHA1, SHA256 included), and it's interesting to me that a lot of coders don't realize this. Just note that the thread is entitled 'encryption' and that not a single post mentions any actual encryption method. Encryption assumes decryption.
Roja wrote: However, your poll is also flawed in selections. MD5 isn't encryption. It's a cryptographic hash. You can't decode an md5sum. You can only predict the correct hash (collision), in a short period of time.
I did mention it. :)

Posted: Sun Jun 11, 2006 12:49 am
by bdlang
Roja wrote:
However, your poll is also flawed in selections. MD5 isn't encryption. It's a cryptographic hash. You can't decode an md5sum. You can only predict the correct hash (collision), in a short period of time.
I did mention it. :)
Yes, I saw that, thanks.

Posted: Sun Jun 11, 2006 7:27 am
by Maugrim_The_Reaper
Oren wrote: In my opinion, it's a big difference. For sha256, you have to include the class each time you want to use it and to create a new instance. For md5, you simply use it like with any other function.
It's a tiny difference - one file include and a static call. The main difference in using a PHP implementation is performance. But such a hit is fairly low frequency (in the scheme of an overall app). Arguing for less security to pump up performance is a dangerous path to take.

Posted: Sun Jun 11, 2006 1:16 pm
by Oren
Maugrim_The_Reaper wrote: Arguing for less security to pump up performance is a dangerous path to take.
I agree, that's so right! I've always said that.
Security is first priority, then in the second place it is performance.

Posted: Mon Jun 12, 2006 12:29 pm
by Razor
The way I encrypt data like passwords is like this:

<?php

function encrypt($data)
{
return md5(sha1(stripslashes(strip_tags(htmlspecialchars($data)))));
}

$secure = encrypt($_POST['password']);

?>
It works well for me.
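The scheme in Razor's post, placed beside a salted and iterated alternative, as an added example that is not part of the original thread. It assumes PHP 7.1 or later (random_bytes(), hash_equals(), password_hash() and short list destructuring all exist there); the `pbkdf2-sha256$iterations$salt$digest` record layout is an illustrative choice for this example, not a standard format.

```php
<?php
// Added example, not code from the original thread. It puts Razor's
// md5(sha1(...)) function beside a salted, deliberately slow alternative.
// Assumes PHP 7.1+ (random_bytes, hash_equals, password_hash, short list
// destructuring). The record format used below is an illustrative choice.

// Razor's function, reproduced unchanged for comparison.
function encrypt_legacy(string $data): string
{
    return md5(sha1(stripslashes(strip_tags(htmlspecialchars($data)))));
}

// Problem 1: the "cleaning" step is not injective. stripslashes() removes
// backslashes, so the passwords a\b and ab end up with the same digest
// and either one logs the user in.
function legacy_backslash_collision(): bool
{
    return encrypt_legacy('a\\b') === encrypt_legacy('ab');
}

// Problem 2: no salt and no work factor. Two users with the same password
// store identical digests, one precomputed table covers every account, and
// md5/sha1 are fast enough that brute force is cheap.
function legacy_is_deterministic(string $password): bool
{
    return encrypt_legacy($password) === encrypt_legacy($password);
}

// Hardened form A: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a
// large iteration count. The stored record carries algorithm, iterations,
// salt and digest, so the parameters can be raised later per user.
function pbkdf2_store(string $password, int $iterations = 100000): string
{
    $salt   = random_bytes(16);
    $digest = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    // '$' is a safe separator: it never appears in base64 output.
    return implode('$', ['pbkdf2-sha256', $iterations,
                         base64_encode($salt), base64_encode($digest)]);
}

function pbkdf2_verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;
    }
    [, $iterations, $salt, $digest] = $parts;
    $salt   = base64_decode($salt, true);
    $digest = base64_decode($digest, true);
    if ($salt === false || $digest === false || (int) $iterations < 1) {
        return false;
    }
    $candidate = hash_pbkdf2('sha256', $password, $salt, (int) $iterations, 32, true);
    // Constant-time comparison so verification timing leaks nothing.
    return hash_equals($digest, $candidate);
}

// Hardened form B: PHP's own password API (bcrypt by default). It generates
// the salt, embeds cost and salt in the string, and compares safely.
function builtin_store(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function builtin_verify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Demonstration with a constructed sample password.
$pw = 'correct horse battery staple';

printf("legacy: a\\b and ab collide: %s\n", legacy_backslash_collision() ? 'yes' : 'no');
printf("legacy: same password, same digest: %s\n", legacy_is_deterministic($pw) ? 'yes' : 'no');

$rec1 = pbkdf2_store($pw);
$rec2 = pbkdf2_store($pw);
printf("pbkdf2: same password, different records: %s\n", $rec1 !== $rec2 ? 'yes' : 'no');
printf("pbkdf2: correct password accepted: %s\n", pbkdf2_verify($pw, $rec1) ? 'yes' : 'no');
printf("pbkdf2: wrong password rejected: %s\n", pbkdf2_verify('wrong', $rec1) ? 'no' : 'yes');

$rec3 = builtin_store($pw);
printf("password_hash: correct accepted, wrong rejected: %s, %s\n",
       builtin_verify($pw, $rec3) ? 'yes' : 'no',
       builtin_verify('wrong', $rec3) ? 'no' : 'yes');
```

Two points the block makes that the original function does not: the filtering chain changes the password before it is hashed, so the stored value is not a function of the password the user actually typed, and a per-user salt plus a work factor is what stops one precomputed table or one cracked digest from covering every account. The password_hash()/password_verify() pair is the route to prefer when it is available, since it owns salt generation and cost selection.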

Posted: Mon Jun 12, 2006 12:55 pm
by RobertGonzalez
Oren wrote:
Maugrim_The_Reaper wrote: Why settle for lower security?
Answer:
Maugrim_The_Reaper wrote: It's not available as a native PHP function like md5() or sha1()
:D
When it is a PHP native function, more people have access to the core algorithm that creates the hash. There is also wider use of the hashing algorithm, hence the desire of some to develop rainbow tables attempting to 'crack' the hash. I would say that so far, almost all levels of 'built-in' hashing have had some degree of compromise simply because they are available and widely used.

Although Feyd's sha256 code is publicly available via these forums, few people are actually using it (in relation to, say, an md5 or other combination of encryption mechanisms/salts), so the widespread attempt at 'cracking' a sha256-hashed string is still relatively minor.

When it comes to hashing strings, even if you throw a salt into the mix, the chance at a collision using md5, sha1 or any other 'built-in' hashing mechanism will be much greater than if you were using a custom function like Feyd's.

This opinion is of course speculative and written entirely out of my views on 'encryption'. And I agree with the previous posters that brought it up, encryption is so the wrong term to use when discussing a string hashing mechanism.

Posted: Mon Jun 12, 2006 12:58 pm
by tecktalkcm0391
Would using mcrypt_encrypt many times again and again over itself make it way harder to break, or weaken it?