Hashes.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

Are md4 md5 sha1 sha256 sha384 sha512 ripemd128 ripemd160 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru gost adler32 crc32 crc32b haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5 all hashes? If so how would I call them, and which one would be the more recent or "best" one to use?
Ward
Forum Commoner
Posts: 74
Joined: Thu Jul 13, 2006 10:01 am

Post by Ward »

Yes, they're all hashing methods. There isn't necessarily a 'best' one to use, it just depends what you want to do with it. For example, for storing passwords in a database, it's common to store the MD5 hash. This is more secure than simply storing the plain-text password.

Hashing is one-way, which means that it can't (easily) be decrypted. When a user is logging in, you can't simply match the password he typed to the password in the DB. You check to see if the MD5 hash of what he typed matches the MD5 hash in the DB.

MD5 will always return a 32-character hash, no matter how long the input string is.

Creating an md5 hash is easy:

Code:

$myString = "Hello World";
$myHash = md5($myString);
print $myHash;
tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

Ok, well how could I call the other ones just to play around with them?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Hashes.

Post by Roja »

tecktalkcm0391 wrote:Are ... all hashes?
Yes.
tecktalkcm0391 wrote:If so how would I call them
Install the mhash extension, and then look at the documentation for use: http://us2.php.net/manual/en/ref.mhash.php
tecktalkcm0391 wrote:and which one would be the more recent or "best" one to use?
More recent is almost always the opposite of best in the crypto world. Cryptology is based on math primarily, and in math, a 'proof' is only solid when it has been tested extensively for years. There are plenty of little "gotchas" that can hide for a number of years without someone finding them.

As an example, SHA-0 was used for a period of time before the NSA discovered a substantial weakness in it, and advised against its use. (They also helpfully pointed the community towards SHA-1).

There is no answer to "Which is the best". It depends on your needs, your requirements, the type of data, and more. Research each, until you find one that suits your needs.

However, there is an answer to which you SHOULDN'T use: According to Bruce Schneier (posting to sci.crypt, 12 Nov 1998), "GOST has a 256-bit key, but its key schedule is so weak that I would not use it as a hash function under any circumstances."
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

I'd stay away from md5:

Reverse Lookups
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Use Feyd's SHA256. Regardless of what you use though, use something when it comes to passwords. MD5 and SHA1 are not as 'secure' as they once were, but they are still better than plain text. Salts are another good mechanism to use in conjunction with hashing.
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

Todd_Z wrote:I'd stay away from md5:

Reverse Lookups
this did nothing for the few md5's I tried:

here's one:

4fa065ba97e6bba5a4b5d492fd61ad83 = somepas
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Burrito wrote:
Todd_Z wrote:I'd stay away from md5:

Reverse Lookups
this did nothing for the few md5's I tried:

here's one:

4fa065ba97e6bba5a4b5d492fd61ad83 = somepas
But they will from now on :p
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Todd_Z wrote:I'd stay away from md5:

Reverse Lookups
Reverse lookups won't work if you use a salt.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

The Ninja Space Goat wrote:Reverse lookups won't work if you use a salt.
Being a nitpicker, you can make a reverse lookup table for $secret + $salt, so they COULD work if you use a salt.

It's just that storage, processing, and lookups in tables that large are computationally infeasible, so no one does it.

Yet.
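
The reverse-lookup and salt exchange above, as an added example that is not part of the original thread: a lookup table is a precomputed digest-to-plaintext map, and a per-user random salt means no table built in advance contains the stored digest. The function names and the tiny wordlist are hypothetical and constructed for illustration; `random_bytes()` assumes PHP 7 or later.

```php
<?php
// Added illustration, not code from the thread. All names are hypothetical.

// Constructed sample data standing in for a public reverse-lookup database.
$wordlist = ['password', 'letmein', 'somepas', 'qwerty'];

// Precompute digest => plaintext. With an empty $salt this is the generic
// table a lookup site serves; with a salt it is only valid for that one salt.
function buildLookup(array $words, string $algo, string $salt = ''): array
{
    $table = [];
    foreach ($words as $word) {
        $table[hash($algo, $salt . $word)] = $word;
    }
    return $table;
}

// Store a fresh random salt next to the digest for every account.
function hashSalted(string $password, string $algo = 'sha256'): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'digest' => hash($algo, $salt . $password)];
}

// Recompute with the stored salt; hash_equals() compares in constant time.
function verifySalted(string $candidate, array $record, string $algo = 'sha256'): bool
{
    $digest = hash($algo, $record['salt'] . $candidate);
    return hash_equals($record['digest'], $digest);
}

// Unsalted MD5: the generic table contains the stored value.
$md5Table = buildLookup($wordlist, 'md5');
$foundUnsalted = isset($md5Table[md5('somepas')]);

// Salted SHA-256: the generic table for the same wordlist misses.
$record = hashSalted('somepas');
$shaTable = buildLookup($wordlist, 'sha256');
$foundSalted = isset($shaTable[$record['digest']]);

// A table rebuilt for this one salt hits again: the salt removes the benefit
// of precomputation, it does not make a weak password strong.
$perSaltTable = buildLookup($wordlist, 'sha256', $record['salt']);
$foundPerSalt = isset($perSaltTable[$record['digest']]);

var_dump($foundUnsalted, $foundSalted, $foundPerSalt);
var_dump(verifySalted('somepas', $record), verifySalted('letmein', $record));
```

On PHP 5.5 and later, the built-in `password_hash()` and `password_verify()` generate and store the salt for you and use a deliberately slow algorithm, which also raises the cost of the per-salt rebuild shown in the last step.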
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

I have been using sha1 + salt for everything I do.
Ward
Forum Commoner
Posts: 74
Joined: Thu Jul 13, 2006 10:01 am

Post by Ward »

There's tons of tricks you could do to make your hash harder to reverse lookup. For example, salting, but what about double-hashing? For example:

Code:

md5(md5($password).$salt);
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Double hashing reduces entropy.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Ward wrote: There's tons of tricks you could do to make your hash harder to reverse lookup
Oooh oooh I have one!! suggest your users use hard-to-guess passwords!

DUH~! 8)